design proposal 01: filesystem resolution #1048
Conversation
| => ERROR | ||
| ``` | ||
|
|
||
| Given some path `/usr/foo/bar` which is a link to `/dev/null`, and `/dev` is |
There was a problem hiding this comment.
What happens when a docker files has a command
Copy some_bin /var/run/some_bin
/var/run is whitelisted.
In this scenario, Docker would create /var/run/some_bin in the layer.
There was a problem hiding this comment.
I'm not sure, what do we currently do when the destination of a copy command is a whitelisted path?
There was a problem hiding this comment.
Right now, for Copy and ADD command we do the following
- Resolve source and dest by substituting any env varaibles
- Resolve any wild cards in sources
- Get Relative source file path respect to root path. In this step,
- we apply
CheckWhitelist(path) && !HasFilepathPrefix(path, root, false) - if
/var/runis ignored, then this condition should return true for/var/run/some_bin - if
/var/runis ignores then this condition should return false forvar/run/another_dir/some_bin
- we apply
For copying symlink dir targeted to a whitelisted path, there is another flow.
We should simplify this but probably not in scope for this proposal
There was a problem hiding this comment.
So what is the end result? Do we copy the file to the whitelist destination?
There was a problem hiding this comment.
I did a quick test
FROM ubuntu:16.04
COPY meow.txt /var/run
docker
ls /var/run
=> initctl lock log meow.txt mount sendsigs.omit.d shm systemd user utmp
kaniko
ls /var/run
=> /var/run
There was a problem hiding this comment.
Interestingly
FROM ubuntu:16.04
COPY meow.txt /var/run/meow.txt
docker
ls /var/run
=> initctl lock log meow.txt mount sendsigs.omit.d shm systemd user utmp
kaniko
ls /var/run
=> /var/run/meow.txt
cvgw
force-pushed
the
u/cgwippern/design-proposal-01-filesystem-resolution
branch
from
3b81ef9
to
002642e
Compare
Fixes #1047
Description
Design proposal for how to handle resolving the filesystem
Submitter Checklist
Reviewer Notes
Release Notes