-
Notifications
You must be signed in to change notification settings - Fork 565
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Based on Fahed Dorgaa's PR 643 but preserves the file owner information as in `docker cp`. This implementation also avoids mixing up the `archive/tar` pkg and `tar` command. `nerdctl cp -a` is not implemented, as the actual behavior of `docker cp -a` does not seem clearly defined. TODOs: - Support stdio tar balls such as `nerdctl cp - DST` and `nerdctl cp SRC -` - Add tests to cover the conditions listed in https://docs.docker.com/engine/reference/commandline/cp/ Co-authored-by: fahed dorgaa <fahed.dorgaa@gmail.com> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- Loading branch information
1 parent
e70e2cd
commit 4d32cee
Showing
5 changed files
with
406 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,278 @@ | ||
/* | ||
Copyright The containerd Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package main | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"os" | ||
"os/exec" | ||
"path/filepath" | ||
"runtime" | ||
"strconv" | ||
"strings" | ||
|
||
"github.com/containerd/containerd" | ||
"github.com/containerd/nerdctl/pkg/inspecttypes/native" | ||
"github.com/containerd/nerdctl/pkg/rootlessutil" | ||
securejoin "github.com/cyphar/filepath-securejoin" | ||
"github.com/sirupsen/logrus" | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
var errFileSpecDoesntMatchFormat = errors.New("filespec must match the canonical format: [container:]file/path") | ||
|
||
func newCpCommand() *cobra.Command { | ||
|
||
shortHelp := "Copy files/folders between a running container and the local filesystem" | ||
|
||
longHelp := shortHelp + `WARNING: This command is not designed to be used with untrusted containers.` | ||
|
||
usage := `cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|- | ||
nerdctl cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH` | ||
var cpCommand = &cobra.Command{ | ||
Use: usage, | ||
Args: cobra.ExactArgs(2), | ||
Short: shortHelp, | ||
Long: longHelp, | ||
RunE: cpAction, | ||
ValidArgsFunction: cpShellComplete, | ||
SilenceUsage: true, | ||
SilenceErrors: true, | ||
} | ||
|
||
cpCommand.Flags().BoolP("follow-link", "L", false, "Always follow symbol link in SRC_PATH.") | ||
|
||
return cpCommand | ||
} | ||
|
||
func cpAction(cmd *cobra.Command, args []string) error { | ||
if runtime.GOOS == "windows" { | ||
return fmt.Errorf("cp not yet supported for windows platform") | ||
} | ||
|
||
srcSpec, err := parseCpFileSpec(args[0]) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
destSpec, err := parseCpFileSpec(args[1]) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
flagL, err := cmd.Flags().GetBool("follow-link") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if srcSpec.Container != nil && destSpec.Container != nil { | ||
return fmt.Errorf("one of src or dest must be a local file specification") | ||
} | ||
if srcSpec.Container == nil && destSpec.Container == nil { | ||
return fmt.Errorf("one of src or dest must be a container file specification") | ||
} | ||
container2host := srcSpec.Container != nil | ||
var container string | ||
if container2host { | ||
container = *srcSpec.Container | ||
} else { | ||
container = *destSpec.Container | ||
} | ||
ctx := cmd.Context() | ||
|
||
// cp works in the host namespace (for inspecting file permissions), so we can't directly use the Go client. | ||
selfExe, inspectArgs := globalFlags(cmd) | ||
inspectArgs = append(inspectArgs, "container", "inspect", "--mode=native", "--format={{json .Process}}", container) | ||
inspectCmd := exec.CommandContext(ctx, selfExe, inspectArgs...) | ||
inspectCmd.Stderr = os.Stderr | ||
inspectOut, err := inspectCmd.Output() | ||
if err != nil { | ||
return fmt.Errorf("failed to execute %v: %w", inspectCmd.Args, err) | ||
} | ||
var proc native.Process | ||
if err := json.Unmarshal(inspectOut, &proc); err != nil { | ||
return err | ||
} | ||
if proc.Status.Status != containerd.Running { | ||
return fmt.Errorf("expected container status %v, got %v", containerd.Running, proc.Status.Status) | ||
} | ||
if proc.Pid <= 0 { | ||
return fmt.Errorf("got non-positive PID %v", proc.Pid) | ||
} | ||
return kopy(ctx, container2host, proc.Pid, destSpec.Path, srcSpec.Path, flagL) | ||
} | ||
|
||
// kopy implements `nerdctl cp`. | ||
// | ||
// See https://docs.docker.com/engine/reference/commandline/cp/ for the specification. | ||
func kopy(ctx context.Context, container2host bool, pid int, dst, src string, followSymlink bool) error { | ||
var ( | ||
srcFull, dstFull string | ||
err error | ||
) | ||
root := fmt.Sprintf("/proc/%d/root", pid) | ||
if container2host { | ||
srcFull, err = securejoin.SecureJoin(root, src) | ||
dstFull = dst | ||
} else { | ||
srcFull = src | ||
dstFull, err = securejoin.SecureJoin(root, dst) | ||
} | ||
if err != nil { | ||
return err | ||
} | ||
var srcIsDir bool | ||
if st, err := os.Stat(srcFull); err != nil { | ||
return err | ||
} else { | ||
srcIsDir = st.IsDir() | ||
} | ||
dstEndsWithSep := strings.HasSuffix(dst, string(os.PathSeparator)) | ||
|
||
tarCDir := srcFull | ||
if !srcIsDir { | ||
td, err := os.MkdirTemp("", "nerdctl-cp") | ||
if err != nil { | ||
return err | ||
} | ||
defer os.RemoveAll(td) | ||
cp := []string{"cp", "-a"} | ||
if followSymlink { | ||
cp = append(cp, "-L") | ||
} | ||
if dstEndsWithSep { | ||
cp = append(cp, srcFull, filepath.Join(td, filepath.Base(srcFull))) | ||
} else { | ||
// Handle `nerdctl cp /path/to/file some-container:/path/to/file-with-another-name` | ||
cp = append(cp, srcFull, filepath.Join(td, filepath.Base(dstFull))) | ||
} | ||
cpCmd := exec.CommandContext(ctx, cp[0], cp[1:]...) | ||
logrus.Debugf("executing %v", cpCmd.Args) | ||
if out, err := cpCmd.CombinedOutput(); err != nil { | ||
return fmt.Errorf("failed to execute %v: %w (out=%q)", cpCmd.Args, err, string(out)) | ||
} | ||
tarCDir = td | ||
} | ||
tarC := []string{"tar", "-c", "-f"} | ||
if followSymlink { | ||
tarC = append(tarC, "-h") | ||
} | ||
tarC = append(tarC, "-", ".") | ||
tarXDir := dstFull | ||
if !srcIsDir && !dstEndsWithSep { | ||
tarXDir = filepath.Dir(dstFull) | ||
} | ||
tarX := []string{"tar", "-x", "-f", "-"} | ||
if !srcIsDir { | ||
if dstEndsWithSep { | ||
tarX = append(tarX, "./"+filepath.Base(srcFull)) | ||
} else { | ||
// Handle `nerdctl cp /path/to/file some-container:/path/to/file-with-another-name` | ||
tarX = append(tarX, "./"+filepath.Base(dstFull)) | ||
} | ||
} | ||
if rootlessutil.IsRootless() { | ||
nsenter := []string{"nsenter", "-t", strconv.Itoa(int(pid)), "-U", "--preserve-credentials", "--"} | ||
if container2host { | ||
tarC = append(nsenter, tarC...) | ||
} else { | ||
tarX = append(nsenter, tarX...) | ||
} | ||
} | ||
|
||
if !srcIsDir && dstEndsWithSep { | ||
if _, err := os.Stat(dstFull); err != nil { | ||
// The error is specified in https://docs.docker.com/engine/reference/commandline/cp/ | ||
// See the `DEST_PATH does not exist and ends with /` case. | ||
return fmt.Errorf("the destination directory must exists: %w", err) | ||
} | ||
} | ||
|
||
tarCCmd := exec.CommandContext(ctx, tarC[0], tarC[1:]...) | ||
tarCCmd.Dir = tarCDir | ||
tarCCmd.Stdin = nil | ||
tarCCmd.Stderr = os.Stderr | ||
|
||
tarXCmd := exec.CommandContext(ctx, tarX[0], tarX[1:]...) | ||
tarXCmd.Dir = tarXDir | ||
tarXCmd.Stdin, err = tarCCmd.StdoutPipe() | ||
if err != nil { | ||
return err | ||
} | ||
tarXCmd.Stdout = os.Stderr | ||
tarXCmd.Stderr = os.Stderr | ||
|
||
logrus.Debugf("executing %v in %q", tarCCmd.Args, tarCCmd.Dir) | ||
if err := tarCCmd.Start(); err != nil { | ||
return fmt.Errorf("failed to execute %v: %w", tarCCmd.Args, err) | ||
} | ||
logrus.Debugf("executing %v in %q", tarXCmd.Args, tarXCmd.Dir) | ||
if err := tarXCmd.Start(); err != nil { | ||
return fmt.Errorf("failed to execute %v: %w", tarXCmd.Args, err) | ||
} | ||
if err := tarCCmd.Wait(); err != nil { | ||
return fmt.Errorf("failed to wait %v: %w", tarCCmd.Args, err) | ||
} | ||
if err := tarXCmd.Wait(); err != nil { | ||
return fmt.Errorf("failed to wait %v: %w", tarXCmd.Args, err) | ||
} | ||
return nil | ||
} | ||
|
||
func parseCpFileSpec(arg string) (*cpFileSpec, error) { | ||
i := strings.Index(arg, ":") | ||
|
||
// filespec starting with a semicolon is invalid | ||
if i == 0 { | ||
return nil, errFileSpecDoesntMatchFormat | ||
} | ||
|
||
if filepath.IsAbs(arg) { | ||
// Explicit local absolute path, e.g., `C:\foo` or `/foo`. | ||
return &cpFileSpec{ | ||
Container: nil, | ||
Path: arg, | ||
}, nil | ||
} | ||
|
||
parts := strings.SplitN(arg, ":", 2) | ||
|
||
if len(parts) == 1 || strings.HasPrefix(parts[0], ".") { | ||
// Either there's no `:` in the arg | ||
// OR it's an explicit local relative path like `./file:name.txt`. | ||
return &cpFileSpec{ | ||
Path: arg, | ||
}, nil | ||
} | ||
|
||
return &cpFileSpec{ | ||
Container: &parts[0], | ||
Path: parts[1], | ||
}, nil | ||
} | ||
|
||
type cpFileSpec struct { | ||
Container *string | ||
Path string | ||
} | ||
|
||
func cpShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { | ||
return nil, cobra.ShellCompDirectiveFilterFileExt | ||
} |
Oops, something went wrong.