[WIP] [Carry 643] cp cmd

Based on Fahed Dorgaa's PR 643 but preserves the file owner information as in `docker cp`.
This implementation also avoids mixing up the `archive/tar` pkg and `tar` command.

`nerdctl cp -a` is not implemented, as the actual behavior of `docker cp -a` does not seem clearly defined.

TODOs:
- Support stdio tar balls such as `nerdctl cp - DST` and `nerdctl cp SRC -`
- Add tests to cover the conditions listed in https://docs.docker.com/engine/reference/commandline/cp/

Co-authored-by: fahed dorgaa <fahed.dorgaa@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

README.md

@@ -249,10 +249,12 @@ It does not necessarily mean that the corresponding features are missing in cont
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
+
   - [Container management](#container-management)
     - [:whale: :blue_square: nerdctl run](#whale-blue_square-nerdctl-run)
     - [:whale: :blue_square: nerdctl exec](#whale-blue_square-nerdctl-exec)
     - [:whale: :blue_square: nerdctl create](#whale-blue_square-nerdctl-create)
+    - [:whale: nerdctl cp](#whale-nerdctl-cp)
     - [:whale: :blue_square: nerdctl ps](#whale-blue_square-nerdctl-ps)
     - [:whale: :blue_square: nerdctl inspect](#whale-blue_square-nerdctl-inspect)
     - [:whale: nerdctl logs](#whale-nerdctl-logs)
@@ -301,7 +303,6 @@ It does not necessarily mean that the corresponding features are missing in cont
     - [:nerd_face: :blue_square: nerdctl namespace ls](#nerd_face-blue_square-nerdctl-namespace-ls)
     - [:nerd_face: :blue_square: nerdctl namespace remove](#nerd_face-blue_square-nerdctl-namespace-remove)
     - [:nerd_face: :blue_square: nerdctl namespace update](#nerd_face-blue_square-nerdctl-namespace-update)
-
   - [AppArmor profile management](#apparmor-profile-management)
     - [:nerd_face: nerdctl apparmor inspect](#nerd_face-nerdctl-apparmor-inspect)
     - [:nerd_face: nerdctl apparmor load](#nerd_face-nerdctl-apparmor-load)
@@ -620,6 +621,7 @@ Flags:
 
 Unimplemented `docker exec` flags: `--detach-keys`
 
+
 ### :whale: :blue_square: nerdctl create
 Create a new container.
 
@@ -629,6 +631,20 @@ Usage: `nerdctl create [OPTIONS] IMAGE [COMMAND] [ARG...]`
 
 The `nerdctl create` command similar to `nerdctl run -d` except the container is never started. You can then use the `nerdctl start <container_id>` command to start the container at any point.
 
+### :whale: nerdctl cp
+Copy files/folders between a running container and the local filesystem
+
+Usage:
+- `nerdctl cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-`
+- `nerdctl cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH`
+
+Flags:
+- :whale: `-L, --follow-link` Always follow symbol link in SRC_PATH.
+  - :warning: This command is not designed to be used with untrusted containers. Unexpected behavior of `nerdctl cp`  are not treated as a vulnerability. Users must be conscious of that.
+
+
+Unimplemented `docker cp` flags: `--archive`
+
 ### :whale: :blue_square: nerdctl ps
 List containers.
 
@@ -1422,7 +1438,6 @@ See [`./docs/config.md`](./docs/config.md).
 ## Unimplemented Docker commands
 Container management:
 - `docker attach`
-- `docker cp`
 - `docker diff`
 - `docker rename`
 

cmd/nerdctl/cp.go

@@ -0,0 +1,278 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/containerd/containerd"
+	"github.com/containerd/nerdctl/pkg/inspecttypes/native"
+	"github.com/containerd/nerdctl/pkg/rootlessutil"
+	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+var errFileSpecDoesntMatchFormat = errors.New("filespec must match the canonical format: [container:]file/path")
+
+func newCpCommand() *cobra.Command {
+
+	shortHelp := "Copy files/folders between a running container and the local filesystem"
+
+	longHelp := shortHelp + `WARNING: This command is not designed to be used with untrusted containers.`
+
+	usage := `cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
+  nerdctl cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH`
+	var cpCommand = &cobra.Command{
+		Use:               usage,
+		Args:              cobra.ExactArgs(2),
+		Short:             shortHelp,
+		Long:              longHelp,
+		RunE:              cpAction,
+		ValidArgsFunction: cpShellComplete,
+		SilenceUsage:      true,
+		SilenceErrors:     true,
+	}
+
+	cpCommand.Flags().BoolP("follow-link", "L", false, "Always follow symbol link in SRC_PATH.")
+
+	return cpCommand
+}
+
+func cpAction(cmd *cobra.Command, args []string) error {
+	if runtime.GOOS == "windows" {
+		return fmt.Errorf("cp not yet supported for windows platform")
+	}
+
+	srcSpec, err := parseCpFileSpec(args[0])
+	if err != nil {
+		return err
+	}
+
+	destSpec, err := parseCpFileSpec(args[1])
+	if err != nil {
+		return err
+	}
+
+	flagL, err := cmd.Flags().GetBool("follow-link")
+	if err != nil {
+		return err
+	}
+
+	if srcSpec.Container != nil && destSpec.Container != nil {
+		return fmt.Errorf("one of src or dest must be a local file specification")
+	}
+	if srcSpec.Container == nil && destSpec.Container == nil {
+		return fmt.Errorf("one of src or dest must be a container file specification")
+	}
+	container2host := srcSpec.Container != nil
+	var container string
+	if container2host {
+		container = *srcSpec.Container
+	} else {
+		container = *destSpec.Container
+	}
+	ctx := cmd.Context()
+
+	// cp works in the host namespace (for inspecting file permissions), so we can't directly use the Go client.
+	selfExe, inspectArgs := globalFlags(cmd)
+	inspectArgs = append(inspectArgs, "container", "inspect", "--mode=native", "--format={{json .Process}}", container)
+	inspectCmd := exec.CommandContext(ctx, selfExe, inspectArgs...)
+	inspectCmd.Stderr = os.Stderr
+	inspectOut, err := inspectCmd.Output()
+	if err != nil {
+		return fmt.Errorf("failed to execute %v: %w", inspectCmd.Args, err)
+	}
+	var proc native.Process
+	if err := json.Unmarshal(inspectOut, &proc); err != nil {
+		return err
+	}
+	if proc.Status.Status != containerd.Running {
+		return fmt.Errorf("expected container status %v, got %v", containerd.Running, proc.Status.Status)
+	}
+	if proc.Pid <= 0 {
+		return fmt.Errorf("got non-positive PID %v", proc.Pid)
+	}
+	return kopy(ctx, container2host, proc.Pid, destSpec.Path, srcSpec.Path, flagL)
+}
+
+// kopy implements `nerdctl cp`.
+//
+// See https://docs.docker.com/engine/reference/commandline/cp/ for the specification.
+func kopy(ctx context.Context, container2host bool, pid int, dst, src string, followSymlink bool) error {
+	var (
+		srcFull, dstFull string
+		err              error
+	)
+	root := fmt.Sprintf("/proc/%d/root", pid)
+	if container2host {
+		srcFull, err = securejoin.SecureJoin(root, src)
+		dstFull = dst
+	} else {
+		srcFull = src
+		dstFull, err = securejoin.SecureJoin(root, dst)
+	}
+	if err != nil {
+		return err
+	}
+	var srcIsDir bool
+	if st, err := os.Stat(srcFull); err != nil {
+		return err
+	} else {
+		srcIsDir = st.IsDir()
+	}
+	dstEndsWithSep := strings.HasSuffix(dst, string(os.PathSeparator))
+
+	tarCDir := srcFull
+	if !srcIsDir {
+		td, err := os.MkdirTemp("", "nerdctl-cp")
+		if err != nil {
+			return err
+		}
+		defer os.RemoveAll(td)
+		cp := []string{"cp", "-a"}
+		if followSymlink {
+			cp = append(cp, "-L")
+		}
+		if dstEndsWithSep {
+			cp = append(cp, srcFull, filepath.Join(td, filepath.Base(srcFull)))
+		} else {
+			// Handle `nerdctl cp /path/to/file some-container:/path/to/file-with-another-name`
+			cp = append(cp, srcFull, filepath.Join(td, filepath.Base(dstFull)))
+		}
+		cpCmd := exec.CommandContext(ctx, cp[0], cp[1:]...)
+		logrus.Debugf("executing %v", cpCmd.Args)
+		if out, err := cpCmd.CombinedOutput(); err != nil {
+			return fmt.Errorf("failed to execute %v: %w (out=%q)", cpCmd.Args, err, string(out))
+		}
+		tarCDir = td
+	}
+	tarC := []string{"tar", "-c", "-f"}
+	if followSymlink {
+		tarC = append(tarC, "-h")
+	}
+	tarC = append(tarC, "-", ".")
+	tarXDir := dstFull
+	if !srcIsDir && !dstEndsWithSep {
+		tarXDir = filepath.Dir(dstFull)
+	}
+	tarX := []string{"tar", "-x", "-f", "-"}
+	if !srcIsDir {
+		if dstEndsWithSep {
+			tarX = append(tarX, "./"+filepath.Base(srcFull))
+		} else {
+			// Handle `nerdctl cp /path/to/file some-container:/path/to/file-with-another-name`
+			tarX = append(tarX, "./"+filepath.Base(dstFull))
+		}
+	}
+	if rootlessutil.IsRootless() {
+		nsenter := []string{"nsenter", "-t", strconv.Itoa(int(pid)), "-U", "--preserve-credentials", "--"}
+		if container2host {
+			tarC = append(nsenter, tarC...)
+		} else {
+			tarX = append(nsenter, tarX...)
+		}
+	}
+
+	if !srcIsDir && dstEndsWithSep {
+		if _, err := os.Stat(dstFull); err != nil {
+			// The error is specified in https://docs.docker.com/engine/reference/commandline/cp/
+			// See the `DEST_PATH does not exist and ends with /` case.
+			return fmt.Errorf("the destination directory must exists: %w", err)
+		}
+	}
+
+	tarCCmd := exec.CommandContext(ctx, tarC[0], tarC[1:]...)
+	tarCCmd.Dir = tarCDir
+	tarCCmd.Stdin = nil
+	tarCCmd.Stderr = os.Stderr
+
+	tarXCmd := exec.CommandContext(ctx, tarX[0], tarX[1:]...)
+	tarXCmd.Dir = tarXDir
+	tarXCmd.Stdin, err = tarCCmd.StdoutPipe()
+	if err != nil {
+		return err
+	}
+	tarXCmd.Stdout = os.Stderr
+	tarXCmd.Stderr = os.Stderr
+
+	logrus.Debugf("executing %v in %q", tarCCmd.Args, tarCCmd.Dir)
+	if err := tarCCmd.Start(); err != nil {
+		return fmt.Errorf("failed to execute %v: %w", tarCCmd.Args, err)
+	}
+	logrus.Debugf("executing %v in %q", tarXCmd.Args, tarXCmd.Dir)
+	if err := tarXCmd.Start(); err != nil {
+		return fmt.Errorf("failed to execute %v: %w", tarXCmd.Args, err)
+	}
+	if err := tarCCmd.Wait(); err != nil {
+		return fmt.Errorf("failed to wait %v: %w", tarCCmd.Args, err)
+	}
+	if err := tarXCmd.Wait(); err != nil {
+		return fmt.Errorf("failed to wait %v: %w", tarXCmd.Args, err)
+	}
+	return nil
+}
+
+func parseCpFileSpec(arg string) (*cpFileSpec, error) {
+	i := strings.Index(arg, ":")
+
+	// filespec starting with a semicolon is invalid
+	if i == 0 {
+		return nil, errFileSpecDoesntMatchFormat
+	}
+
+	if filepath.IsAbs(arg) {
+		// Explicit local absolute path, e.g., `C:\foo` or `/foo`.
+		return &cpFileSpec{
+			Container: nil,
+			Path:      arg,
+		}, nil
+	}
+
+	parts := strings.SplitN(arg, ":", 2)
+
+	if len(parts) == 1 || strings.HasPrefix(parts[0], ".") {
+		// Either there's no `:` in the arg
+		// OR it's an explicit local relative path like `./file:name.txt`.
+		return &cpFileSpec{
+			Path: arg,
+		}, nil
+	}
+
+	return &cpFileSpec{
+		Container: &parts[0],
+		Path:      parts[1],
+	}, nil
+}
+
+type cpFileSpec struct {
+	Container *string
+	Path      string
+}
+
+func cpShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return nil, cobra.ShellCompDirectiveFilterFileExt
+}