Error on empty dockerfile#38487
Merged
thaJeztah merged 3 commits intomoby:masterfrom Jan 15, 2019
LinuxMercedes:error-on-empty-dockerfile
Merged
Error on empty dockerfile#38487thaJeztah merged 3 commits intomoby:masterfrom LinuxMercedes:error-on-empty-dockerfile
thaJeztah merged 3 commits intomoby:masterfrom
LinuxMercedes:error-on-empty-dockerfile
Conversation
GordonTheTurtle
added
the
dco/no
|
Please sign your commits following these rules: $ git clone -b "error-on-empty-dockerfile" [email protected]:LinuxMercedes/moby.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354124160
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -fAmending updates the existing PR. You DO NOT need to open a new one. |
Member
|
Thanks! Looks like you forgot to sign-off the commits; you can use the instructions that @GordonTheTurtle (our bot) provided above to fix that |
GordonTheTurtle
removed
the
dco/no
thaJeztah
added
area/builder
Codecov Report
@@ Coverage Diff @@
## master #38487 +/- ##
==========================================
- Coverage 36.64% 36.6% -0.04%
==========================================
Files 608 608
Lines 45173 45270 +97
==========================================
+ Hits 16552 16572 +20
- Misses 26336 26412 +76
- Partials 2285 2286 +1 |
thaJeztah
requested changes
Jan 4, 2019
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
Thanks for finding this issue! I left some comments below; I think this fix may actually have to be made in the upstream buildkit repo, where parse.Parse() is vendored from; https://github.com/moby/buildkit/blob/3f8ab160d5079539f9ed971fb069e4205108dd9d/frontend/dockerfile/parser/parser.go#L214-L283
Contributor
Author
|
Alright, I've opened a PR against buildkit: moby/buildkit#771 Couple questions:
|
Member
yes |
GordonTheTurtle
added
dco/no
Contributor
Author
|
Alright, I think this is all fixed and ready to go! |
AkihiroSuda
approved these changes
Jan 5, 2019
fntlnz
approved these changes
Jan 7, 2019
Contributor
fntlnz
left a comment
fntlnz
left a comment
There was a problem hiding this comment.
LGTM thanks @LinuxMercedes
Member
|
Thanks! I built this PR and gave it a try; 1. With Docker CLI 17.06 and no buildkit1.1 Comment-only Dockerfile:docker build -t foo -<<'EOF'
# only a comment
EOF1.2 Empty lines only:docker build -t foo -<<'EOF'
EOF1.3 Empty Dockerfile;docker build -t foo -<<'EOF'
EOFHowever, I see we need to make some changes so that the API returns a proper (4xx) error, because it currently doesn't return a typed error, thus a 500 error is returned (see details below); Details2. With a Docker 18.09 cli, and
|
thaJeztah
requested changes
Jan 7, 2019
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
Based on the above;
We should return a ErrInvalidParameter error, so that a 4xx error is returned by the API
Lines 8 to 11 in d48392a
This patch would addres the cases I found while testing, but perhaps we need a follow-up to check for other errors;
diff --git a/builder/remotecontext/detect.go b/builder/remotecontext/detect.go
index 23db8a5aaa..073dee9a6b 100644
--- a/builder/remotecontext/detect.go
+++ b/builder/remotecontext/detect.go
@@ -12,6 +12,7 @@ import (
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/builder"
"github.com/docker/docker/builder/dockerignore"
+ "github.com/docker/docker/errdefs"
"github.com/docker/docker/pkg/fileutils"
"github.com/docker/docker/pkg/urlutil"
"github.com/moby/buildkit/frontend/dockerfile/parser"
@@ -147,14 +148,14 @@ func readAndParseDockerfile(name string, rc io.Reader) (*parser.Result, error) {
br := bufio.NewReader(rc)
if _, err := br.Peek(1); err != nil {
if err == io.EOF {
- return nil, errors.Errorf("the Dockerfile (%s) cannot be empty", name)
+ return nil, errdefs.InvalidParameter(errors.Errorf("the Dockerfile (%s) cannot be empty", name))
}
return nil, errors.Wrap(err, "unexpected error reading Dockerfile")
}
dockerfile, err := parser.Parse(br)
if err != nil {
- return nil, errors.Wrapf(err, "failed to parse %s", name)
+ return nil, errdefs.InvalidParameter(errors.Wrapf(err, "failed to parse %s", name))
}
return dockerfile, nilIn the BuildKit cases;
- (2.1 / 2.2)
failed to create LLB definition: file with no instructions.is a bit abstract; @tonistiigi - any suggestions for that one? - (2.3)
failed to create LLB definition: the Dockerfile cannot be empty- that looks better (clear that it's something to do with the Dockerfile) - (2.4)
exit code: 2- this should be improved; probably something to be fixed upstream? @tonistiigi?
Testing:
- Perhaps add a test for 1.2, 2.4
GordonTheTurtle
added
the
dco/no
Contributor
Author
|
I have (I think) wrapped the error from It seems that case 2.4 is indeed a buildkit problem and should be fixed there to raise the "file with no instructions" error as well. I can put together a patch for that in a bit if y'all agree. Also happy to workshop the wording of that error message since I agree that it's a little abstract for output from Once I do so I'll bump the vendor version here, add a test for case 2.4, and squash the commits up a bit! |
GordonTheTurtle
removed
the
dco/no
Contributor
Author
|
Probably the right fix is |
Member
|
Yes. I'm not really a Python coder, and wasn't sure if assert handled |
See moby/buildkit#771 Signed-off-by: Natasha Jarus <[email protected]>
- Wrap parse errors in errdefs.InvalidParameters - Include dockerfile in error names Signed-off-by: Natasha Jarus <[email protected]>
Signed-off-by: Natasha Jarus <[email protected]>
Contributor
Author
|
z and janky failures are flaky: #37306 Not sure what's going on with the experimental build but it looks unrelated: Details |
thaJeztah
pushed a commit
to thaJeztah/buildkit
that referenced
this pull request
Apr 19, 2019
See moby/moby#38487 for more discussion. Signed-off-by: Natasha Jarus <[email protected]> (cherry picked from commit 2ec7d53) Signed-off-by: Sebastiaan van Stijn <[email protected]>
This was referenced Apr 19, 2019
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Jun 30, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Jun 30, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
paralin
pushed a commit
to skiffos/buildroot
that referenced
this pull request
Jul 2, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
paralin
pushed a commit
to skiffos/buildroot
that referenced
this pull request
Jul 2, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Jul 7, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit 13cf6f0) Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Jul 7, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit cdbb3ce) Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Jul 7, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit 13cf6f0) Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Jul 7, 2019
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). And includes additional post-18.09.6 fixes: Builder - Fixed a panic error when building dockerfiles that contain only comments. moby/moby#38487 - Added a workaround for GCR authentication issue. moby/moby#38246 - Builder-next: Fixed a bug in the GCR token cache implementation workaround. moby/moby#39183 Runtime - Added performance optimizations in aufs and layer store that helps in massively parallel container creation and removal. moby/moby#39107, moby/moby#39135 - daemon: fixed a mirrors validation issue. moby/moby#38991 - Docker no longer supports sorting UID and GID ranges in ID maps. moby/moby#39288 Logging - Added a fix that now allows large log lines for logger plugins. moby/moby#39038 Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]> (cherry picked from commit cdbb3ce) Signed-off-by: Peter Korsgaard <[email protected]>
crazy-max
pushed a commit
to crazy-max/dockerfile
that referenced
this pull request
Jan 8, 2022
See moby/moby#38487 for more discussion. Signed-off-by: Natasha Jarus <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
- What I did
Fixed a panic when running
docker buildon a dockerfile containing only a comment.(Docker used to error on this a few years back, but sometime in between now and then something changed.)
- How I did it
Detect whether the root AST node is created from a dockerfile with no AST constructs.
- How to verify it
- Description for the changelog
Fixed panic when building dockerfiles containing only comments.
- A picture of a cute animal (not mandatory but encouraged)
