-
Notifications
You must be signed in to change notification settings - Fork 564
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Carry 643] cp cmd #995
[Carry 643] cp cmd #995
Conversation
0432b47
to
4d32cee
Compare
4d32cee
to
e773d12
Compare
f0bd83d
to
e87ea8f
Compare
README.md
Outdated
- `nerdctl cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-` | ||
- `nerdctl cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH` | ||
|
||
:warning: This command is not designed to be used with untrusted containers. Unexpected behavior of `nerdctl cp` are not treated as a vulnerability. Users must be conscious of that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @dmcgowan @samuelkarp for the security policy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been hoping to find time to review this PR (and its predecessor) but have been unable to do so.
With that said, maybe we can reword the warning a bit?
⚠️ nerdctl cp
is designed only for use with trusted, cooperating containers. Usingnerdctl cp
with untrusted or malicious containers is unsupported and may not provide protection against unexpected behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, reworded
e0933c6
to
d7de290
Compare
I'm planning to release v0.19 after merging this cc @fahedouch |
d7de290
to
2133630
Compare
CI is failing for containerd@main due to: |
cmd/nerdctl/cp_linux.go
Outdated
SilenceErrors: true, | ||
} | ||
|
||
cpCommand.Flags().BoolP("follow-link", "L", false, "Always follow symbol link in SRC_PATH.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/symbol link/symbolic link
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
cmd/nerdctl/cp_linux.go
Outdated
tarC := []string{tarBinary, "-c", "-f"} | ||
if followSymlink { | ||
tarC = append(tarC, "-h") | ||
} | ||
tarC = append(tarC, "-", tarCArg) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This creates tar -c -f -h -
which is not the right syntax. This should be tar -h -c -f -
or something.
# nerdctl --debug cp -L /tmp/hello-sym ubuntu-b1768:/hello-sym2-follow
nerdctl --debug cp -L /tmp/hello-sym ubuntu-b1768:/hello-sym2-follow
DEBU[0000] executing [/bin/tar -c -f -h - hello-sym] in "/tmp"
DEBU[0000] executing [/bin/tar -x -f -] in "/proc/245919/root/hello-sym2-follow"
/bin/tar: -: Cannot stat: No such file or directory
/bin/tar: Exiting with failure status due to previous errors
/bin/tar: This does not look like a tar archive
/bin/tar: Exiting with failure status due to previous errors
FATA[0000] failed to wait [/bin/tar -c -f -h - hello-sym]: exit status 2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
2133630
to
b085949
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM on green
if destSpec.Path == "-" { | ||
return fmt.Errorf("support for writing a tar archive to stdout is not implemented yet") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to throw error if if len(srcSpec.Path) == 0 || len(destSpec.Path) == 0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
if exe, err := exec.LookPath("tar"); err == nil { | ||
return exe, isGNU(exe), nil | ||
} | ||
return "", false, fmt.Errorf("failed to find `tar` binary") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like you check multiple paths, can we also add a flag --tar-path
to point to host tar ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Covered by an env var $TAR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@AkihiroSuda We need to add this information to the help section so that it is visible to users
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
Based on Fahed Dorgaa's PR 643 but preserves the file owner information as in `docker cp`. This implementation also avoids mixing up the `archive/tar` pkg and `tar` command. `nerdctl cp -a` is not implemented, as the actual behavior of `docker cp -a` does not seem clearly defined. Tests are added to to cover the conditions listed in https://docs.docker.com/engine/reference/commandline/cp/ TODO (low priority): Support stdio tar balls such as `nerdctl cp - DST` and `nerdctl cp SRC -` Co-authored-by: fahed dorgaa <fahed.dorgaa@gmail.com> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
b085949
to
85ca787
Compare
Based on Fahed Dorgaa's PR #643 but preserves the file owner information as in
docker cp
.This implementation also avoids mixing up the
archive/tar
pkg andtar
command.nerdctl cp -a
is not implemented, as the actual behavior ofdocker cp -a
does not seem clearly defined.Tests are added to to cover the conditions listed in https://docs.docker.com/engine/reference/commandline/cp/
TODO (low priority, probably in another PR): Support stdio tar balls such as
nerdctl cp - DST
andnerdctl cp SRC -
Co-authored-by: fahed dorgaa @fahedouch
Signed-off-by: Akihiro Suda @AkihiroSuda
Closes #643
Closes #212