Merge pull request containers#5527 from rhatdan/build

Don't leak temp files on failures
TomSweeneyRedHat · May 17, 2024 · b77e435 · b77e435
2 parents f83d266 + 864a40c
commit b77e435
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/image.go b/image.go
@@ -952,7 +952,7 @@ func (i *containerImageSource) GetBlob(ctx context.Context, blob types.BlobInfo,
 // makeExtraImageContentDiff creates an archive file containing the contents of
 // files named in i.extraImageContent.  The footer that marks the end of the
 // archive may be omitted.
-func (i *containerImageRef) makeExtraImageContentDiff(includeFooter bool) (string, digest.Digest, int64, error) {
+func (i *containerImageRef) makeExtraImageContentDiff(includeFooter bool) (_ string, _ digest.Digest, _ int64, retErr error) {
 	cdir, err := i.store.ContainerDirectory(i.containerID)
 	if err != nil {
 		return "", "", -1, err
@@ -962,6 +962,11 @@ func (i *containerImageRef) makeExtraImageContentDiff(includeFooter bool) (strin
 		return "", "", -1, err
 	}
 	defer diff.Close()
+	defer func() {
+		if retErr != nil {
+			os.Remove(diff.Name())
+		}
+	}()
 	digester := digest.Canonical.Digester()
 	counter := ioutils.NewWriteCounter(digester.Hash())
 	tw := tar.NewWriter(io.MultiWriter(diff, counter))
@@ -1001,10 +1006,10 @@ func (i *containerImageRef) makeExtraImageContentDiff(includeFooter bool) (strin
 		}
 	}
 	if !includeFooter {
-		return diff.Name(), "", -1, err
+		return diff.Name(), "", -1, nil
 	}
 	tw.Close()
-	return diff.Name(), digester.Digest(), counter.Count, err
+	return diff.Name(), digester.Digest(), counter.Count, nil
 }
 
 // makeContainerImageRef creates a containers/image/v5/types.ImageReference

diff --git a/run_common.go b/run_common.go
@@ -1659,7 +1659,7 @@ func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*specs.Mount, e
 	return &volumes[0], nil
 }
 
-func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps, workdir string) (*specs.Mount, string, error) {
+func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps, workdir string) (_ *specs.Mount, _ string, retErr error) {
 	errInvalidSyntax := errors.New("secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
 	if len(tokens) == 0 {
 		return nil, "", errInvalidSyntax
@@ -1739,6 +1739,11 @@ func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secr
 		if err != nil {
 			return nil, "", err
 		}
+		defer func() {
+			if retErr != nil {
+				os.Remove(tmpFile.Name())
+			}
+		}()
 		envFile = tmpFile.Name()
 		ctrFileOnHost = tmpFile.Name()
 	case "file":