Windows: Dockerfile RUN in JSON format fails to escape parameters #22874

jstarks · 2016-05-21T02:12:40Z

Latest Docker master, targeting Windows:

Dockerfile:

FROM nanoserver

RUN ["cmd /c echo this should fail"]

Expected output:

Sending build context to Docker daemon 2.048 kB
Step 1 : FROM nanoserver
 ---> b347fce3157a
Step 2 : RUN cmd /c echo this should fail
 ---> Running in bca3f37416f3
Container command 'cmd /c echo this should fail' not found or does not exist

Actual output:

Sending build context to Docker daemon 2.048 kB
Step 1 : FROM nanoserver
 ---> b347fce3157a
Step 2 : RUN cmd /c echo this should fail
 ---> Running in bca3f37416f3
this should fail
 ---> 9cc6bd333e69
Removing intermediate container bca3f37416f3
Successfully built 9cc6bd333e69

I believe the fix is to set ArgsEscaped to false when parsing a JSON-formatted RUN command.

The same bug probably applies to CMD once #22868 is merged.

cc @jhowardmsft @darrenstahlmsft

The text was updated successfully, but these errors were encountered:

darstahl · 2016-05-23T23:10:47Z

Related issue, the arguments are not kept separate when there is a space.

Dockerfile:

FROM windowsservercore

RUN mkdir "foo bar"
RUN ["c:\windows\system32\robocopy.exe", "foo bar", "bar"]

Expected output:

Sending build context to Docker daemon 31.07 MB
Step 1 : FROM windowsservercore
 ---> 3d2cd411376d
Step 2 : RUN mkdir "foo bar"
 ---> Using cache
 ---> 154e4277acc0
Step 3 : RUN c:\windows\system32\robocopy.exe foo bar bar
 ---> Running in dc1014ce9fbe

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Monday, May 23, 2016 3:23:25 PM
   Source : C:\foo bar\
     Dest : C:\bar\

    File    *.*
  Options : *.* /DCOPY:DA /COPY:DAT /R:1000000 /W:30

------------------------------------------------------------------------------
          New Dir          0    C:\foo bar\

------------------------------------------------------------------------------
<snip>

 ---> 183e8e7cf760
Removing intermediate container dc1014ce9fbe
Successfully built 183e8e7cf760

Actual output:

Sending build context to Docker daemon 31.07 MB
Step 1 : FROM windowsservercore
 ---> 3d2cd411376d
Step 2 : RUN mkdir "foo bar"
 ---> Running in 4332282a2f9e
 ---> f825cc6a0071
Removing intermediate container 4332282a2f9e
Step 3 : RUN c:\windows\system32\robocopy.exe foo bar bar
 ---> Running in b6ae84021ac0

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Monday, May 23, 2016 3:25:24 PM
   Source : C:\foo\
     Dest : C:\bar\

    File    bar
  Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30

------------------------------------------------------------------------------

2016/05/23 15:25:24 ERROR 2 (0x00000002) Accessing Source Directory C:\foo\
The system cannot find the file specified.
The command 'c:\windows\system32\robocopy.exe foo bar bar' returned a non-zero code: 16

This also suggests that ArgsEscaped should be false when parsing a JSON-formatted RUN command. I was planning on setting it to false shortly after your escaping change, but I thought @jhowardmsft and I found a case that it didn't work when set to false.

sudo-bmitch · 2017-03-26T01:15:38Z

There's a report of a similar issue with the COPY command on stackoverflow.

From that question, this Dockerfile:

# escape=`
FROM microsoft/dotnet-framework:3.5
COPY ["TestFolder", "C:\Program Files (x86)\TestFolder"]

results in the error:

Step 2/2 : COPY ["TestFolder", "C:\Program Files (x86)\TestFolder"]
GetFileAttributesEx C:\Program: The system cannot find the file specified.

Signed-off-by: John Howard <jhoward@microsoft.com> This commit is a pre-requisite to moving moby/moby on Windows to using Containerd for its runtime. The reason for this is that the interface between moby and containerd for the runtime is an OCI spec which must be unambigious. It is the responsibility of the runtime (runhcs in the case of containerd on Windows) to ensure that arguments are escaped prior to calling into HCS and onwards to the Win32 CreateProcess call. Previously, the builder was always escaping arguments which has led to several bugs in moby. Because the local runtime in libcontainerd had context of whether or not arguments were escaped, it was possible to hack around in daemon/oci_windows.go with knowledge of the context of the call (from builder or not). With a remote runtime, this is not possible as there's rightly no context of the caller passed across in the OCI spec. Put another way, as I put above, the OCI spec must be unambigious. The other previous limitation (which leads to various subtle bugs) is that moby is coded entirely from a Linux-centric point of view. Unfortunately, Windows != Linux. Windows CreateProcess uses a command line, not an array of arguments. And it has very specific rules about how to escape a command line. Some interesting reading links about this are: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017 For this reason, the OCI spec has recently been updated to cater for more natural syntax by including a CommandLine option in Process. What does this commit do? Primary objective is to ensure that the built OCI spec is unambigious. It changes the builder so that `ArgsEscaped` as commited in a layer is only controlled by the use of CMD or ENTRYPOINT. Subsequently, when calling in to create a container from the builder, if follows a different path to both `docker run` and `docker create` using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows a RUN from the builder to control how to escape in the OCI spec. It changes the builder so that when shell form is used for RUN, CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line using the original as put by the user in the dockerfile, not the parsed version as a set of args which loses fidelity. This command line is put into args[0] and `ArgsEscaped` is set to true for CMD or ENTRYPOINT. A RUN statement does not commit `ArgsEscaped` to the commited layer regardless or whether shell or exec form were used. Also fixes moby#22874

Signed-off-by: John Howard <jhoward@microsoft.com> Also fixes moby#22874 This commit is a pre-requisite to moving moby/moby on Windows to using Containerd for its runtime. The reason for this is that the interface between moby and containerd for the runtime is an OCI spec which must be unambigious. It is the responsibility of the runtime (runhcs in the case of containerd on Windows) to ensure that arguments are escaped prior to calling into HCS and onwards to the Win32 CreateProcess call. Previously, the builder was always escaping arguments which has led to several bugs in moby. Because the local runtime in libcontainerd had context of whether or not arguments were escaped, it was possible to hack around in daemon/oci_windows.go with knowledge of the context of the call (from builder or not). With a remote runtime, this is not possible as there's rightly no context of the caller passed across in the OCI spec. Put another way, as I put above, the OCI spec must be unambigious. The other previous limitation (which leads to various subtle bugs) is that moby is coded entirely from a Linux-centric point of view. Unfortunately, Windows != Linux. Windows CreateProcess uses a command line, not an array of arguments. And it has very specific rules about how to escape a command line. Some interesting reading links about this are: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017 For this reason, the OCI spec has recently been updated to cater for more natural syntax by including a CommandLine option in Process. What does this commit do? Primary objective is to ensure that the built OCI spec is unambigious. It changes the builder so that `ArgsEscaped` as commited in a layer is only controlled by the use of CMD or ENTRYPOINT. Subsequently, when calling in to create a container from the builder, if follows a different path to both `docker run` and `docker create` using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows a RUN from the builder to control how to escape in the OCI spec. It changes the builder so that when shell form is used for RUN, CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line using the original as put by the user in the dockerfile, not the parsed version as a set of args which loses fidelity. This command line is put into args[0] and `ArgsEscaped` is set to true for CMD or ENTRYPOINT. A RUN statement does not commit `ArgsEscaped` to the commited layer regardless or whether shell or exec form were used.

Signed-off-by: John Howard <jhoward@microsoft.com> Also fixes moby/moby#22874 This commit is a pre-requisite to moving moby/moby on Windows to using Containerd for its runtime. The reason for this is that the interface between moby and containerd for the runtime is an OCI spec which must be unambigious. It is the responsibility of the runtime (runhcs in the case of containerd on Windows) to ensure that arguments are escaped prior to calling into HCS and onwards to the Win32 CreateProcess call. Previously, the builder was always escaping arguments which has led to several bugs in moby. Because the local runtime in libcontainerd had context of whether or not arguments were escaped, it was possible to hack around in daemon/oci_windows.go with knowledge of the context of the call (from builder or not). With a remote runtime, this is not possible as there's rightly no context of the caller passed across in the OCI spec. Put another way, as I put above, the OCI spec must be unambigious. The other previous limitation (which leads to various subtle bugs) is that moby is coded entirely from a Linux-centric point of view. Unfortunately, Windows != Linux. Windows CreateProcess uses a command line, not an array of arguments. And it has very specific rules about how to escape a command line. Some interesting reading links about this are: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017 For this reason, the OCI spec has recently been updated to cater for more natural syntax by including a CommandLine option in Process. What does this commit do? Primary objective is to ensure that the built OCI spec is unambigious. It changes the builder so that `ArgsEscaped` as commited in a layer is only controlled by the use of CMD or ENTRYPOINT. Subsequently, when calling in to create a container from the builder, if follows a different path to both `docker run` and `docker create` using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows a RUN from the builder to control how to escape in the OCI spec. It changes the builder so that when shell form is used for RUN, CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line using the original as put by the user in the dockerfile, not the parsed version as a set of args which loses fidelity. This command line is put into args[0] and `ArgsEscaped` is set to true for CMD or ENTRYPOINT. A RUN statement does not commit `ArgsEscaped` to the commited layer regardless or whether shell or exec form were used. Upstream-commit: 20833b06a0a41602001d595b3e1785248a352991 Component: engine

Signed-off-by: John Howard <jhoward@microsoft.com> Also fixes moby#22874 This commit is a pre-requisite to moving moby/moby on Windows to using Containerd for its runtime. The reason for this is that the interface between moby and containerd for the runtime is an OCI spec which must be unambigious. It is the responsibility of the runtime (runhcs in the case of containerd on Windows) to ensure that arguments are escaped prior to calling into HCS and onwards to the Win32 CreateProcess call. Previously, the builder was always escaping arguments which has led to several bugs in moby. Because the local runtime in libcontainerd had context of whether or not arguments were escaped, it was possible to hack around in daemon/oci_windows.go with knowledge of the context of the call (from builder or not). With a remote runtime, this is not possible as there's rightly no context of the caller passed across in the OCI spec. Put another way, as I put above, the OCI spec must be unambigious. The other previous limitation (which leads to various subtle bugs) is that moby is coded entirely from a Linux-centric point of view. Unfortunately, Windows != Linux. Windows CreateProcess uses a command line, not an array of arguments. And it has very specific rules about how to escape a command line. Some interesting reading links about this are: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017 For this reason, the OCI spec has recently been updated to cater for more natural syntax by including a CommandLine option in Process. What does this commit do? Primary objective is to ensure that the built OCI spec is unambigious. It changes the builder so that `ArgsEscaped` as commited in a layer is only controlled by the use of CMD or ENTRYPOINT. Subsequently, when calling in to create a container from the builder, if follows a different path to both `docker run` and `docker create` using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows a RUN from the builder to control how to escape in the OCI spec. It changes the builder so that when shell form is used for RUN, CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line using the original as put by the user in the dockerfile, not the parsed version as a set of args which loses fidelity. This command line is put into args[0] and `ArgsEscaped` is set to true for CMD or ENTRYPOINT. A RUN statement does not commit `ArgsEscaped` to the commited layer regardless or whether shell or exec form were used.

jstarks mentioned this issue May 21, 2016

Windows: CMD not honouring arg escaping #22868

Merged

thaJeztah added area/builder platform/windows kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. labels May 21, 2016

lowenna self-assigned this Jan 25, 2019

lowenna mentioned this issue Mar 4, 2019

Windows: Experimental: ContainerD runtime #38541

Merged

lowenna closed this as completed in #38541 Mar 20, 2019

tianon-sso mentioned this issue Mar 1, 2024

Fix Windows args and ArgsEscaped handling moby/buildkit#4723

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Windows: Dockerfile RUN in JSON format fails to escape parameters #22874

Windows: Dockerfile RUN in JSON format fails to escape parameters #22874

jstarks commented May 21, 2016

darstahl commented May 23, 2016

sudo-bmitch commented Mar 26, 2017

Windows: Dockerfile RUN in JSON format fails to escape parameters #22874

Windows: Dockerfile RUN in JSON format fails to escape parameters #22874

Comments

jstarks commented May 21, 2016

darstahl commented May 23, 2016

sudo-bmitch commented Mar 26, 2017