Multi stage builds cleanup for Windows#32084
Conversation
|
cc @tonistiigi @jhowardmsft, c:\ and c:\windows are obvious blacklisted paths, but I suspect there can be other files we should not try to copy from on Windows. I suppose that with Hyper-v isolation there must be a swap file somewhere and IIRC, I think it is a system file at the root of file system. Do you know what it is called ? Have you other suggestions for system file blacklisting ? |
AkihiroSuda
added
the
status/failing-ci
|
@simonferquel I think should allow the same syntax that regular |
|
I just changed that. the restriction list for now is:
That makes it easier for the users, and for us to write common tests between windows and linux engines |
|
I don't understand what this test is about There are some obvious things though - it should be using Also why is this hard coding |
|
@jhowardmsft this tests are in the context of multi-stage builds #31257 (where you can build stuff from a build image, extract them and put them in a runtime image). The problem, is that if we allow these copy to get the whole image data from the build image, some files appear to be locked and that fails (and currently even seem to hang somewhere). So we want to establish a blacklist of stuff we don't allow to copy from a windows image (for now c:\ and c:\windows are forbidden, as well as relative paths that could resolve to those forbidden paths). The 2 first tests cover this blacklist, the 3rd one ensures that on Windows the I used nanoserver instead of MinimalBaseImage because for now MinimalBaseImage is based on Windows Server Core. |
simonferquel
force-pushed
the
multi-stage-builds-windows
branch
from
009c3e5 to
f0a5c5f
Compare
|
@simonferquel OK, I'm going to have to look at multi-stage build when I get a chance. Haven't looked at it at all. However, please switch to MinimalBaseImage and not hard-code a name. That's why it's there and is very deliberate. |
|
done |
simonferquel
force-pushed
the
multi-stage-builds-windows
branch
from
755c548 to
7141824
Compare
|
@jhowardmsft @johnstep Could one of you review as well? I'm not sure how we handle the |
thaJeztah
removed
the
status/failing-ci
There was a problem hiding this comment.
Does WORKDIR affect the "base" path?
There was a problem hiding this comment.
For now it is not. We should document COPY --from in this way
builder/dockerfile/internals.go
Outdated
There was a problem hiding this comment.
For comparing; would it be better to use filepath.Abs(origPath)?
There was a problem hiding this comment.
What does "Abs" exactly, does it depend on WORKDIR ?
builder/dockerfile/internals.go
Outdated
There was a problem hiding this comment.
This looks messy. Perhaps better to define a "blacklist" slice blacklist := []string{".", "..", ....}, and iterate?
There was a problem hiding this comment.
Maybe this instead of iterating:
switch p {
case ".", "..", "\\", "\\windows", "windows", "c:", "c:.", "c:\\", "c:\\windows", "c:\\windows\\":
return nil, errors.Errorf("copy from %q is not allowed on windows", p)
}There was a problem hiding this comment.
I like the blacklist idea, it would be much easier to modify
builder/dockerfile/internals.go
Outdated
There was a problem hiding this comment.
Do we want to blacklist exactly c:\windows\ or also, e.g. c:\windows\system32? If the latter, we should match on prefix (or another way to check if p is inside "forbiddenpath".
What about symlinks?
There was a problem hiding this comment.
We might want to have a more precise blacklist. I know that I dont want c:\windows to be completely copied (it might fail on some system files anyway), I also know that some files at FS root should not be copied as well, I am not sure about system32 though. We might want to allow to copy some dlls from there. The idea of this PR is to help the user avoid to do obvious WRONG things (like copying the 4GB of Windows Server Core) on Windows.
|
Also, could you squash your commits? |
simonferquel
force-pushed
the
multi-stage-builds-windows
branch
from
7141824 to
9524a60
Compare
|
@thaJeztah I squashed and I changed the path analysis to use a blacklist with only absolute paths, and a logic that reconstructs the absolute path assuming WORKDIR is c:\ (which is the case on COPY --from) |
simonferquel
force-pushed
the
multi-stage-builds-windows
branch
from
9524a60 to
f530ee8
Compare
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
Left some thoughts, but possibly someone else could have a look if they make sense 😅
builder/dockerfile/internals.go
Outdated
There was a problem hiding this comment.
perhaps
windowsBlacklist := []string{ "c:\\", "c:\\windows" }There was a problem hiding this comment.
I'll go with the map solution to avoid looping (might become annoying if we put many system paths in the blacklist)
builder/dockerfile/internals.go
Outdated
There was a problem hiding this comment.
Not on a Windows machine, but instead of manually making this path absolute, would this work?
p := strings.ToLower(filepath.Abs(origPath))
for _, forbidden := range windowsBlacklist {
if p == forbidden {
return nil, errors.New("copy from c:\\ or c:\\windows is not allowed on windows")
}To prevent the loop, perhaps;
windowsBlacklist := map[string]interface{}{
"c:\\" : true,
"c:\\windows" : true,
}
if _, ok := windowsBlacklist[p]; ok {
return nil, errors.New("copy from "+p+" is not allowed on windows")
}There was a problem hiding this comment.
Done
Problem of filepath.Abs is that it works relative to the current process workdir. This is not what we want (we know the path is relative to the context's "c:")
builder/dockerfile/internals.go
Outdated
There was a problem hiding this comment.
These checks are no longer needed?
There was a problem hiding this comment.
It is not anymore (the blacklist replaces it)
Paths resolving to c:\ or c:\windows are forbidden Replaced the obscure (and non-working) regex with a simple case insensitive comparison to the black listed paths (we should forbid c:\, c:\windows but not d:\) Also, add a test ensuring paths are case insensitive on windows Also, made sure existing multi-staged build tests pass on windows Signed-off-by: Simon Ferquel <[email protected]>
simonferquel
force-pushed
the
multi-stage-builds-windows
branch
from
f530ee8 to
b0e7588
Compare
vdemeester
added
rebuild/experimental
status/4-merge
and removed
status/2-code-review
labels
8 participants
This PR improves Windows experience about multi-staged builds.
It fixes #32057
- What I did
- How I did it
Most of the work is in the form of cli integration tests, forbidden paths rules are in builder/dockerfile/internals.go.
- How to verify it
Already verified by integration tests
- Description for the changelog
Should be part of the multi-staged build change log. Might be usefull to indicate that sources paths on Windows are case insensitive and must be "drive-qualified" (and cannot be c:\ nor c:\windows