Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dockerTools: Fix streamLayeredImage for symlinks #108416

Merged
merged 2 commits into from Jan 5, 2021
Merged

dockerTools: Fix streamLayeredImage for symlinks #108416

merged 2 commits into from Jan 5, 2021

Conversation

srhb
Copy link
Contributor

@srhb srhb commented Jan 4, 2021

When archiving /nix/store/foo and foo is itself a symlink, we must
not traverse the symlink target, but archive the foo symlink itself

I think this is sufficient to fix #107021 but I don't know a lot about the streaming mechanics here.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@srhb
dockerTools: Fix streamLayeredImage for symlinks
08b0d02 
When archiving `/nix/store/foo` and `foo` is itself a symlink, we must
not traverse the symlink target, but archive the `foo` symlink itself
@srhb srhb requested a review from roberth as a code owner January 4, 2021 18:50
@srhb srhb requested a review from utdemir January 4, 2021 18:50
@srhb
Copy link
Contributor Author

srhb commented Jan 4, 2021

@GrahamcOfBorg test docker-tools

@roberth
Copy link
Member

roberth commented Jan 4, 2021

Could you turn your example from the issue into a regression test?
Those are in nixos/tests/docker-tools.nix. You can add the image to pkgs/build-support/docker/examples.nix (or a new file for regression test images if you like).

The fix seems to make sense, but I'd appreciate a review by @utdemir.

@srhb
Copy link
Contributor Author

srhb commented Jan 4, 2021

@GrahamcOfBorg test docker-tools

@ofborg ofborg bot added the 6.topic: nixos label Jan 4, 2021
@srhb
dockerTools: Test buildLayeredImage with symlinks
ffe5ff6 
This exercises layer creation in face of store path symlinks, ensuring
they are not dereferenced, which can lead to broken layer tarballs
@srhb srhb force-pushed the streamlayeredimage-symlinked-storepaths branch from a16c85c to ffe5ff6 Compare January 4, 2021 20:45
@roberth
Copy link
Member

roberth commented Jan 4, 2021

@GrahamcOfBorg test docker-tools

utdemir
utdemir approved these changes Jan 4, 2021
View reviewed changes
Copy link
Member

@utdemir utdemir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does look good to me, given the tests pass. And I appreciate the test case.

@roberth
Copy link
Member

roberth commented Jan 5, 2021

Great! Thank you @srhb and @utdemir!

@roberth roberth merged commit 5540dd9 into NixOS:master Jan 5, 2021
@srhb srhb deleted the streamlayeredimage-symlinked-storepaths branch January 5, 2021 09:54
@purcell
Copy link
Member

purcell commented Jan 5, 2021

Nice, thanks for this fix! 🏆

@yurrriq
Copy link
Member

yurrriq commented Jan 6, 2021

Thank you!

@yurrriq yurrriq mentioned this pull request Jan 6, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@utdemir utdemir utdemir approved these changes

@roberth roberth Awaiting requested review from roberth roberth is a code owner

Assignees
No one assigned
Labels
6.topic: nixos 8.has: documentation 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

buildLayeredImage has surprising behaviour wrt. symlink paths on different backends
5 participants
@srhb @roberth @purcell @yurrriq @utdemir