[Carry 643] cp cmd #995
[Carry 643] cp cmd #995
Conversation
AkihiroSuda
force-pushed
the
carry-643-cp
branch
from
0432b47
to
4d32cee
Compare
AkihiroSuda
force-pushed
the
carry-643-cp
branch
from
4d32cee
to
e773d12
Compare
AkihiroSuda
force-pushed
the
carry-643-cp
branch
2 times, most recently
from
f0bd83d
to
e87ea8f
Compare
README.md
Outdated
| - `nerdctl cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-` | ||
| - `nerdctl cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH` | ||
|
|
||
| :warning: This command is not designed to be used with untrusted containers. Unexpected behavior of `nerdctl cp` are not treated as a vulnerability. Users must be conscious of that. |
There was a problem hiding this comment.
cc @dmcgowan @samuelkarp for the security policy
There was a problem hiding this comment.
I've been hoping to find time to review this PR (and its predecessor) but have been unable to do so.
With that said, maybe we can reword the warning a bit?
⚠️ nerdctl cpis designed only for use with trusted, cooperating containers. Usingnerdctl cpwith untrusted or malicious containers is unsupported and may not provide protection against unexpected behavior.
AkihiroSuda
force-pushed
the
carry-643-cp
branch
3 times, most recently
from
e0933c6
to
d7de290
Compare
|
I'm planning to release v0.19 after merging this cc @fahedouch |
AkihiroSuda
force-pushed
the
carry-643-cp
branch
from
d7de290
to
2133630
Compare
|
CI is failing for containerd@main due to: |
cmd/nerdctl/cp_linux.go
Outdated
| SilenceErrors: true, | ||
| } | ||
|
|
||
| cpCommand.Flags().BoolP("follow-link", "L", false, "Always follow symbol link in SRC_PATH.") |
cmd/nerdctl/cp_linux.go
Outdated
| tarC := []string{tarBinary, "-c", "-f"} | ||
| if followSymlink { | ||
| tarC = append(tarC, "-h") | ||
| } | ||
| tarC = append(tarC, "-", tarCArg) |
There was a problem hiding this comment.
This creates tar -c -f -h - which is not the right syntax. This should be tar -h -c -f - or something.
# nerdctl --debug cp -L /tmp/hello-sym ubuntu-b1768:/hello-sym2-follow
nerdctl --debug cp -L /tmp/hello-sym ubuntu-b1768:/hello-sym2-follow
DEBU[0000] executing [/bin/tar -c -f -h - hello-sym] in "/tmp"
DEBU[0000] executing [/bin/tar -x -f -] in "/proc/245919/root/hello-sym2-follow"
/bin/tar: -: Cannot stat: No such file or directory
/bin/tar: Exiting with failure status due to previous errors
/bin/tar: This does not look like a tar archive
/bin/tar: Exiting with failure status due to previous errors
FATA[0000] failed to wait [/bin/tar -c -f -h - hello-sym]: exit status 2
AkihiroSuda
force-pushed
the
carry-643-cp
branch
from
2133630
to
b085949
Compare
| if destSpec.Path == "-" { | ||
| return fmt.Errorf("support for writing a tar archive to stdout is not implemented yet") | ||
| } | ||
|
|
There was a problem hiding this comment.
we need to throw error if if len(srcSpec.Path) == 0 || len(destSpec.Path) == 0
| if exe, err := exec.LookPath("tar"); err == nil { | ||
| return exe, isGNU(exe), nil | ||
| } | ||
| return "", false, fmt.Errorf("failed to find `tar` binary") |
There was a problem hiding this comment.
looks like you check multiple paths, can we also add a flag --tar-path to point to host tar ?
There was a problem hiding this comment.
Covered by an env var $TAR
There was a problem hiding this comment.
@AkihiroSuda We need to add this information to the help section so that it is visible to users
Based on Fahed Dorgaa's PR 643 but preserves the file owner information as in `docker cp`. This implementation also avoids mixing up the `archive/tar` pkg and `tar` command. `nerdctl cp -a` is not implemented, as the actual behavior of `docker cp -a` does not seem clearly defined. Tests are added to to cover the conditions listed in https://docs.docker.com/engine/reference/commandline/cp/ TODO (low priority): Support stdio tar balls such as `nerdctl cp - DST` and `nerdctl cp SRC -` Co-authored-by: fahed dorgaa <fahed.dorgaa@gmail.com> Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda
force-pushed
the
carry-643-cp
branch
from
b085949
to
85ca787
Compare
Based on Fahed Dorgaa's PR #643 but preserves the file owner information as in
docker cp.This implementation also avoids mixing up the
archive/tarpkg andtarcommand.nerdctl cp -ais not implemented, as the actual behavior ofdocker cp -adoes not seem clearly defined.Tests are added to to cover the conditions listed in https://docs.docker.com/engine/reference/commandline/cp/
TODO (low priority, probably in another PR): Support stdio tar balls such as
nerdctl cp - DSTandnerdctl cp SRC -Co-authored-by: fahed dorgaa @fahedouch
Signed-off-by: Akihiro Suda @AkihiroSuda
Closes #643
Closes #212