Add ArgsEscaped field to image config #892
Conversation
jterry75
requested review from
brendandburns,
cyphar,
jonboulle,
jonjohnsonjr,
jstarks,
stevvooe and
vbatts
as code owners
|
Ref: (containerd/containerd#6479) |
|
My thoughts most closely align with kevpar's comment:
I'd like to see us document what this is when people see it in an image, without actually recommending that anyone do this. Perhaps change the phrasing to indicate it's here only for historical context. |
|
@katiewasnothere - I think its in limbo... Given the feedback we have I think I'll update the PR to signify exactly what was said. "ArgsEscaped" is a legacy compatibility with Docker and describe what it means. But mark it in the docs as deprecated and see if we can carry it from there. Sound good? |
|
Sweeeeeeeeeeet |
jterry75
force-pushed
the
jterry75/argsescaped
branch
from
2c84796
to
e61c68e
Compare
|
@jterry75 This looks good to me. Maybe we could try to clarify the exact behavior of what ArgsEscaped implies in Moby, but as we discussed it is quite complicated (and we don't want anyone to take a dependency on it if they don't have to). So I think this is fine. Maybe we should just add a note like "Exact behavior of ArgsEscaped is complex and subject to implementation details in Moby project"? |
jterry75
force-pushed
the
jterry75/argsescaped
branch
from
e61c68e
to
90ee76d
Compare
Do you want me to write that in the doc of the ArgsEscaped param or in the compat matrix part? |
Probably the doc. |
jterry75
force-pushed
the
jterry75/argsescaped
branch
from
90ee76d
to
43b3fca
Compare
|
@kevpar - Done. Ty |
|
Thanks for updating! I don't have a Windows system available to build an image with this. Is there a public example (repository:tag) I can use to test against some code? |
I created a simple repro on nanoserver which should make use of the argsEscaped field at cplatpublic.azurecr.io/args-escaped-test-image-ns:latest |
There was a problem hiding this comment.
Just one nit from me. I debated if this should be deprecated in the config.go following their defined method (https://go.dev/blog/godoc), but knowing how this would trigger build failures for anyone supporting legacy features, I'm leaning against that.
config.md
Outdated
| @@ -183,6 +183,10 @@ Note: Any OPTIONAL field MAY also be set to null, which is equivalent to being a | |||
|
|
|||
| The field contains the system call signal that will be sent to the container to exit. The signal can be a signal name in the format `SIGNAME`, for instance `SIGKILL` or `SIGRTMIN+3`. | |||
|
|
|||
| - **ArgsEscaped** *boolean*, OPTIONAL | |||
|
|
|||
| `[Deprecated]` - This field is present only for legacy compatibility with Docker and should not be used by new image builders. It is used by Docker for Windows images to indicate that the `Entrypoint` or `Cmd` or both, contains only a single element array, that is a pre-escaped, and combined into a single string `CommandLine`. If `true` the value in `Entrypoint` or `Cmd` should be used as-is to avoid double escaping. Note, the exact behavior of `ArgsEscaped` is complex and subject to implementation details in Moby project. | |||
There was a problem hiding this comment.
Nit: one sentence per line.
|
@kevpar / @dmcgowan - Any ideas? We certainly never handled ArgsEscaped for Linux case. Is there a type of Linux image that we need to be concerned with here? Also I dont see that it did anything in the example above. Yes its |
|
This is interesting. I'm not sure how As a test, I tried building a simple image on Linux with the following Dockerfile: FROM ubuntu:latest
ENTRYPOINT "echo foo"This produced an image with Regardless of if the value could be set on a Linux image, from what I can see the only place |
|
The images I'm building are from buildkit (and buildx), where it appears to be set on every image that defines a I don't think buildkit has support for windows yet (and definitely didn't when this was added). Pinging @tonistiigi in case there's any other use cases we should keep in mind. |
|
Don't spend any effort debugging the CI failures, they should be fixed with a rebase. |
|
@sudo-bmitch You can create windows images in buildkit, if not via wcow then with cross-compilation. If the analysis shows that no runtime uses it on linux we can drop it based on the platform check. |
@tonistiigi my bad, I was confusing with the native windows build that was holding buildkit back from being the default builder for so long, but that doesn't apply here. As long as you don't see a need for it on Linux, I'm good with getting this merged. We're not so concerned with changing buildkit as we are that we're getting the spec right, and setting this on Linux is undefined behavior that no one should care about. @jterry75 if you cleanup the nit and rebase, I'll add my LGTM and see if we can find a second maintainer to get this merged. |
This change officially adds ArgsEscaped to the image config. This field has already been used by Docker for several years, so adding it here allows images that depend on its behavior to work with other runtimes. Signed-off-by: Kevin Parsons <kevpar@microsoft.com> Signed-off-by: Justin Terry <jlterry@amazon.com>
jterry75
force-pushed
the
jterry75/argsescaped
branch
from
43b3fca
to
59780aa
Compare
|
Sorry folks didnt realize there was a NIT here. Done! |
| @@ -69,6 +69,8 @@ This section shows where the OCI Image Specification is compatible with formats | |||
| - `.config.MemorySwap`: only present in Docker, and reserved in OCI | |||
| - `.config.CpuShares`: only present in Docker, and reserved in OCI | |||
| - `.config.Healthcheck`: only present in Docker, and reserved in OCI | |||
| - [Moby/Docker](https://github.com/moby/moby) | |||
There was a problem hiding this comment.
This link doesn't seem needed
|
In the context of my making moby/buildkit#4723, I'm actually wondering why this is marked as deprecated? Windows does not use argc/argv (that behavior is implemented per-program) as the All this to say, single-string |
|
@tianon it was marked deprecated primarily because the exact way I agree that there should be proper recognition for Windows command line strings in the image config. My preference would probably be some new fields like |
|
I have to admit I don't really understand the "logic is complicated" argument 😅 The logic for setting it correctly during build sure is, but the runtime logic is pretty straightforward: args := append(append([]string{}, Entrypoint...), Cmd...)
escaped := []string{}
if ArgsEscaped {
escaped = append(escaped, args[0])
args = args[1:]
}
for _, a := range args {
escaped = append(escaped, golang.org/x/sys/windows.EscapeArg(a)
}
CommandLine := strings.Join(escaped, " ")(yes, most of this could be optimized with |
|
From what I can tell in containerd/containerd#6479 (comment), it's only complicated because there's a wrapper in use that turns |
This change officially adds ArgsEscaped to the image config. This field has already been used by Docker for several years, so adding it here allows images that depend on its behavior to work with other runtimes.
For certain Windows images created via Docker they may contain
ArgsEscaped==trueif the ENTRYPOINT or CMD is in theshellform and contains spaces, path characters, etc.An example is the following:
Will be encoded by Docker as:
You can see that
Entrypointbecomes a single element array with the entire argument list already escaped. To avoid a double escape problem Windows supports passing via OCI as a completeCommandLine.@kevpar - Please let me know if you do not want me to carry this as your change or don't wan't your signature on the commit. I wanted to give you credit since you originally opened #829.