From 60737bd31985116b7cce47f221e8568e66ab73e0 Mon Sep 17 00:00:00 2001
From: Samuel Dionne-Riel
Date: Tue, 22 May 2018 19:53:28 -0400
Subject: dockerTools: fixes extraCommands for mkRootLayer.

The extraCommands was, previously, simply put in the body of the script using nix expansion `${extraCommands}` (which looks exactly like bash expansion!). This causes issues like in #34779 where scripts will eventually create invalid bash. The solution is to use a script like `run-as-root`.

* * *

Fixes #34779
---
 pkgs/build-support/docker/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'pkgs/build-support')

diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 374b71d42a39..34af6ad65b9f 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -360,7 +360,9 @@ rec {
 extraCommands ? ""
 }:
 # Generate an executable script from the `runAsRoot` text.
- let runAsRootScript = shellScript "run-as-root.sh" runAsRoot;
+ let
+ runAsRootScript = shellScript "run-as-root.sh" runAsRoot;
+ extraCommandsScript = shellScript "extra-commands.sh" extraCommands;
 in runWithOverlay {
 name = "docker-layer-${name}";
@@ -398,7 +400,7 @@ rec {
 '';
 postUmount = ''
- (cd layer; eval "${extraCommands}")
+ (cd layer; ${extraCommandsScript})
 echo "Packing layer..."
 mkdir $out
-- 
cgit 1.4.1

From 8f71ce7e80caad32bfd4e85fb67c4e9fbca5a82d Mon Sep 17 00:00:00 2001
From: Antoine Eiche
Date: Thu, 24 May 2018 10:33:18 +0200
Subject: skopeo: 0.1.29 -> 0.1.30

Skopeo used by our docker tools was patched to work in the build sandbox (it used /var/tmp which is not available in the sandbox). Since this temporary directory can now be set at build time, we remove the patch from our docker tools.
---
 pkgs/build-support/docker/default.nix | 10 +---------
 pkgs/development/tools/skopeo/default.nix | 10 +++++++---
 2 files changed, 8 insertions(+), 12 deletions(-)
(limited to 'pkgs/build-support')
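Review bot: Executing `extraCommands` as a stand-alone `extra-commands.sh` changes more than the quoting, and neither the new `let` binding here nor the `(cd layer; ${extraCommandsScript})` call in the postUmount hunk below says so: the text used to be eval'd inside the build shell, where it saw that shell's unexported variables and its error handling, whereas a separate process sees only the exported environment plus whatever `shellScript` (defined elsewhere in this file) prepends, which may reset PATH or `set -e` — worth confirming before merge. A one-line comment on the binding would keep the next person from reintroducing `eval`, e.g. `# Run as its own script, not eval'd in the build shell: only exported variables are visible, and the text's quoting no longer interacts with this file.`. The enclosing function (mkRootLayer, per the subject) begins before the hunk.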
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 374b71d42a39..0aded149dd2d 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -52,15 +52,7 @@ rec {
 outputHashAlgo = "sha256";
 outputHash = sha256;
- # One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
- # big image files, which is not available in sandboxed builds.
- nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
- postPatch = (drv.postPatch or "") + ''
- sed -i -e 's!/var/tmp!/tmp!g' \
- vendor/github.com/containers/image/storage/storage_image.go \
- vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
- '';
- }));
+ nativeBuildInputs = lib.singleton (pkgs.skopeo);
 SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
 sourceURL = "docker://${imageName}@${imageDigest}";
diff --git a/pkgs/development/tools/skopeo/default.nix b/pkgs/development/tools/skopeo/default.nix
index bb99e887ac6f..0535a11e0ceb 100644
--- a/pkgs/development/tools/skopeo/default.nix
+++ b/pkgs/development/tools/skopeo/default.nix
@@ -5,13 +5,13 @@
 with stdenv.lib;
 let
- version = "0.1.29";
+ version = "0.1.30";
 src = fetchFromGitHub {
 rev = "v${version}";
 owner = "projectatomic";
 repo = "skopeo";
- sha256 = "1lhzbyj2mm25x12s7g2jx4v8w19izjwlgx4lml13r5yy1spn65k2";
+ sha256 = "10lpiiki7mlhrp4bid40wys3lch7fars1whxsa5gy0frfgp89ghn";
 };
 defaultPolicyFile = runCommand "skopeo-default-policy.json" {} "cp ${src}/default-policy.json $out";
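Review bot: Removing the override leaves `nativeBuildInputs = lib.singleton (pkgs.skopeo);` with no record of why an unpatched skopeo now works in the sandbox; this fixed-output fetch silently depends on the `unixTempDirForBigFiles=/tmp` ldflag added in the skopeo derivation, so anyone overriding `pkgs.skopeo` or bumping it past a rename of that variable gets the `/var/tmp` failure back with no hint here. I'd keep a short comment in place of the removed one: `# Relies on pkgs.skopeo being built with tmpdir.unixTempDirForBigFiles=/tmp; /var/tmp does not exist in the build sandbox.`. Style-wise, `[ pkgs.skopeo ]` reads better than `lib.singleton (pkgs.skopeo)` with its redundant parentheses. The enclosing derivation starts before the hunk; the skopeo version bump in the same diff needs nothing.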
@@ -30,7 +30,11 @@ buildGoPackage rec {
 nativeBuildInputs = [ pkgconfig (lib.getBin go-md2man) ];
 buildInputs = [ gpgme libgpgerror devicemapper btrfs-progs ostree libselinux ];
- buildFlagsArray = "-ldflags= -X github.com/projectatomic/skopeo/vendor/github.com/containers/image/signature.systemDefaultPolicyPath=${defaultPolicyFile}";
+ buildFlagsArray = ''
+ -ldflags=
+ -X github.com/projectatomic/skopeo/vendor/github.com/containers/image/signature.systemDefaultPolicyPath=${defaultPolicyFile}
+ -X github.com/projectatomic/skopeo/vendor/github.com/containers/image/internal/tmpdir.unixTempDirForBigFiles=/tmp
+ '';
 preBuild = ''
 export CGO_CFLAGS="-I${getDev gpgme}/include -I${getDev libgpgerror}/include -I${getDev devicemapper}/include -I${getDev btrfs-progs}/include"
-- 
cgit 1.4.1

From 902b0593be857e4f19b9875638af6e854aa99a9b Mon Sep 17 00:00:00 2001
From: Samuel Dionne-Riel
Date: Tue, 22 May 2018 20:25:04 -0400
Subject: tests/docker-tools: Adds regression test for #34779
---
 nixos/tests/docker-tools.nix | 6 ++++++
 pkgs/build-support/docker/examples.nix | 12 ++++++++++++
 2 files changed, 18 insertions(+)
(limited to 'pkgs/build-support')

diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix
index 4466081d01e9..e2bcfbbd1f96 100644
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@@ -45,5 +45,11 @@ import ./make-test.nix ({ pkgs, ... }: {
 $docker->succeed("docker load --input='${pkgs.dockerTools.examples.onTopOfPulledImage}'");
 $docker->succeed("docker run --rm ontopofpulledimage hello");
 $docker->succeed("docker rmi ontopofpulledimage");
+
+ # Regression test for issue #34779
+ $docker->succeed("docker load --input='${pkgs.dockerTools.examples.runAsRootExtraCommands}'");
+ $docker->succeed("docker run --rm runasrootextracommands cat extraCommands");
+ $docker->succeed("docker run --rm runasrootextracommands cat runAsRoot");
+ $docker->succeed("docker rmi '${pkgs.dockerTools.examples.runAsRootExtraCommands.imageName}'");
 '';
 })
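Review bot: The new `-X ...tmpdir.unixTempDirForBigFiles=/tmp` line bakes the sandbox workaround into every skopeo binary, not only the one used by the image-pulling derivation in pkgs/build-support/docker/default.nix, and the hunk gives no reason for overriding upstream's `/var/tmp` default; the removed comment in that file says this directory holds the big image files, so on hosts where /tmp is a size-limited tmpfs a large pull will now spool layers there, which is presumably what the upstream default avoids. A comment on the `''` string would make the trade-off explicit, e.g. `# /tmp instead of upstream's /var/tmp so skopeo works inside the Nix build sandbox; big image files are written here, so large pulls land in /tmp.`. Whether the directory can still be redirected at run time is not visible in this diff and would be worth stating in the same comment.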
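Review bot: The two new `cat` lines only assert exit status, so they check that the files exist, not that the parenthesised text survived the quoting the regression is about; matching the captured output, e.g. `$docker->succeed("docker run --rm runasrootextracommands cat extraCommands") =~ /\(extraCommand\)/ or die;` (and likewise for runAsRoot), pins the behaviour, assuming `succeed` returns the command's stdout as the NixOS driver's does. The run lines hardcode `runasrootextracommands` while the rmi line uses `${pkgs.dockerTools.examples.runAsRootExtraCommands.imageName}` for the same image; using `imageName` in all three keeps them in step if the example is renamed. The test script this sits in starts before the hunk.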
diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index eb5b9fe36e41..ca7f78093794 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@@ -124,4 +124,16 @@ rec {
 fromImage = nixFromDockerHub;
 contents = [ pkgs.hello ];
 };
+
+ # 8. regression test for erroneous use of eval and string expansion.
+ # See issue #34779 and PR #40947 for details.
+ runAsRootExtraCommands = pkgs.dockerTools.buildImage {
+ name = "runAsRootExtraCommands";
+ contents = [ pkgs.coreutils ];
+ # The parens here are to create problematic bash to embed and eval. In case
+ # this is *embedded* into the script (with nix expansion) the initial quotes
+ # will close the string and the following parens are unexpected
+ runAsRoot = ''echo "(runAsRoot)" > runAsRoot'';
+ extraCommands = ''echo "(extraCommand)" > extraCommands'';
+ };
 }
-- 
cgit 1.4.1
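Review bot: `name = "runAsRootExtraCommands"` is mixed case, while the test in nixos/tests/docker-tools.nix runs the image as `runasrootextracommands`, so the lowercasing happens somewhere inside `buildImage` that a reader of this example cannot see; either an all-lowercase `name` or a comment such as `# buildImage lowercases the image name; the NixOS test refers to this one as runasrootextracommands` removes the guesswork. The three-line comment above `runAsRoot` could also name the concrete failure rather than "problematic bash": the `"` inside the expanded text closed the double-quoted `eval "..."` argument in the old mkRootLayer, which is what the parentheses are there to provoke. Both scripts write relative paths, so a short note that they run with the layer directory as the working directory (as far as the `(cd layer; ...)` call in the first commit shows for extraCommands) would tell readers where `cat extraCommands` finds the file.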