Error on empty dockerfile#38487
Error on empty dockerfile#38487thaJeztah merged 3 commits intomoby:masterfrom LinuxMercedes:error-on-empty-dockerfile
Conversation
|
Please sign your commits following these rules: $ git clone -b "error-on-empty-dockerfile" [email protected]:LinuxMercedes/moby.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354124160
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -fAmending updates the existing PR. You DO NOT need to open a new one. |
|
Thanks! Looks like you forgot to sign-off the commits; you can use the instructions that @GordonTheTurtle (our bot) provided above to fix that |
Codecov Report
@@ Coverage Diff @@
## master #38487 +/- ##
==========================================
- Coverage 36.64% 36.6% -0.04%
==========================================
Files 608 608
Lines 45173 45270 +97
==========================================
+ Hits 16552 16572 +20
- Misses 26336 26412 +76
- Partials 2285 2286 +1 |
thaJeztah
left a comment
There was a problem hiding this comment.
Thanks for finding this issue! I left some comments below; I think this fix may actually have to be made in the upstream buildkit repo, where parse.Parse() is vendored from; https://github.com/moby/buildkit/blob/3f8ab160d5079539f9ed971fb069e4205108dd9d/frontend/dockerfile/parser/parser.go#L214-L283
|
Alright, I've opened a PR against buildkit: moby/buildkit#771 Couple questions:
|
yes |
|
Alright, I think this is all fixed and ready to go! |
fntlnz
left a comment
There was a problem hiding this comment.
LGTM thanks @LinuxMercedes
|
Thanks! I built this PR and gave it a try; 1. With Docker CLI 17.06 and no buildkit1.1 Comment-only Dockerfile:docker build -t foo -<<'EOF'
# only a comment
EOF1.2 Empty lines only:docker build -t foo -<<'EOF'
EOF1.3 Empty Dockerfile;docker build -t foo -<<'EOF'
EOFHowever, I see we need to make some changes so that the API returns a proper (4xx) error, because it currently doesn't return a typed error, thus a 500 error is returned (see details below); Details2. With a Docker 18.09 cli, and
|
thaJeztah
left a comment
There was a problem hiding this comment.
Based on the above;
We should return a ErrInvalidParameter error, so that a 4xx error is returned by the API
Lines 8 to 11 in d48392a
This patch would addres the cases I found while testing, but perhaps we need a follow-up to check for other errors;
diff --git a/builder/remotecontext/detect.go b/builder/remotecontext/detect.go
index 23db8a5aaa..073dee9a6b 100644
--- a/builder/remotecontext/detect.go
+++ b/builder/remotecontext/detect.go
@@ -12,6 +12,7 @@ import (
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/builder"
"github.com/docker/docker/builder/dockerignore"
+ "github.com/docker/docker/errdefs"
"github.com/docker/docker/pkg/fileutils"
"github.com/docker/docker/pkg/urlutil"
"github.com/moby/buildkit/frontend/dockerfile/parser"
@@ -147,14 +148,14 @@ func readAndParseDockerfile(name string, rc io.Reader) (*parser.Result, error) {
br := bufio.NewReader(rc)
if _, err := br.Peek(1); err != nil {
if err == io.EOF {
- return nil, errors.Errorf("the Dockerfile (%s) cannot be empty", name)
+ return nil, errdefs.InvalidParameter(errors.Errorf("the Dockerfile (%s) cannot be empty", name))
}
return nil, errors.Wrap(err, "unexpected error reading Dockerfile")
}
dockerfile, err := parser.Parse(br)
if err != nil {
- return nil, errors.Wrapf(err, "failed to parse %s", name)
+ return nil, errdefs.InvalidParameter(errors.Wrapf(err, "failed to parse %s", name))
}
return dockerfile, nilIn the BuildKit cases;
- (2.1 / 2.2)
failed to create LLB definition: file with no instructions.is a bit abstract; @tonistiigi - any suggestions for that one? - (2.3)
failed to create LLB definition: the Dockerfile cannot be empty- that looks better (clear that it's something to do with the Dockerfile) - (2.4)
exit code: 2- this should be improved; probably something to be fixed upstream? @tonistiigi?
Testing:
- Perhaps add a test for 1.2, 2.4
|
I have (I think) wrapped the error from It seems that case 2.4 is indeed a buildkit problem and should be fixed there to raise the "file with no instructions" error as well. I can put together a patch for that in a bit if y'all agree. Also happy to workshop the wording of that error message since I agree that it's a little abstract for output from Once I do so I'll bump the vendor version here, add a test for case 2.4, and squash the commits up a bit! |
|
Probably the right fix is |
|
Yes. I'm not really a Python coder, and wasn't sure if assert handled |
See moby/buildkit#771 Signed-off-by: Natasha Jarus <[email protected]>
- Wrap parse errors in errdefs.InvalidParameters - Include dockerfile in error names Signed-off-by: Natasha Jarus <[email protected]>
Signed-off-by: Natasha Jarus <[email protected]>
|
z and janky failures are flaky: #37306 Not sure what's going on with the experimental build but it looks unrelated: Details |
See moby/moby#38487 for more discussion. Signed-off-by: Natasha Jarus <[email protected]> (cherry picked from commit 2ec7d53) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit 13cf6f0) Signed-off-by: Peter Korsgaard <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit cdbb3ce) Signed-off-by: Peter Korsgaard <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit 13cf6f0) Signed-off-by: Peter Korsgaard <[email protected]>
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit cdbb3ce) Signed-off-by: Peter Korsgaard <[email protected]>
See moby/moby#38487 for more discussion. Signed-off-by: Natasha Jarus <[email protected]>

- What I did
Fixed a panic when running
docker buildon a dockerfile containing only a comment.(Docker used to error on this a few years back, but sometime in between now and then something changed.)
- How I did it
Detect whether the root AST node is created from a dockerfile with no AST constructs.
- How to verify it
- Description for the changelog
Fixed panic when building dockerfiles containing only comments.
- A picture of a cute animal (not mandatory but encouraged)
