Fix #3091 enforce all outgoing tar files to use PAX #3141

Merged
justincormack merged 1 commit into linuxkit:master from masterzen:fix/3091-enforce-PAX-for-all-files
Jul 29, 2018
@masterzen
Contributor

fixes #3091

- What I did

While processing the content of a tar image, linuxkit's moby tool was
blindly reusing the original tar format.

Moreover it locates the file under a new prefix, so if the original
file was stored as USTAR in the original archive, the filename length
and new prefix could be greater than the USTAR limit leading
to a fatal error.

- How I did it

The fix is to always enforce PAX format on all copied files from the
original image archive.

- How to verify it

Use the following minimal yaml:

kernel:
  image: linuxkit/kernel:4.9.87
  cmdline: "console=ttyS0"
init:
  - linuxkit/init:6061875ba11fd9c563fda6234b103ed9997ff782
  - linuxkit/runc:52ecfdef1ae051e7fd5ac5f1d0b7dd859adff015
  - linuxkit/containerd:13f62c61f0465fb07766d88b317cabb960261cbb
onboot:
  - name: dhcpcd
    image: linuxkit/dhcpcd:v0.2
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
  # Enable getty for easier debugging
  - name: getty
    image: linuxkit/getty:44730fd0a7c59dbacf5b48b54ba33f551bcf7ef0
    env:
        - INSECURE=true
  - name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.10
    capabilities:
      - all
    net: host
    uid: 1000
    gid: 1000
    env:
      - ES_JAVA_OPTS=-Xms256m -Xmx256m
      - xpack.security.enabled=false
    binds:
      - /etc/resolv.conf:/etc/resolv.conf
    cwd: /usr/share/elasticsearch
trust:
  org:
    - linuxkit
    - library

- Description for the changelog

Prevent fatal error while processing incoming USTAR formatted tar container image

- A picture of a cute animal (not mandatory but encouraged)

wombat

@justincormack
Member

I think you should set the header format in each branch here that writes a header, as it is set when creating the first header, and one of the other branches might come first, e.g. the replace branch (it's pretty unlikely as there will be directories, but it's cleaner).

While processing the content of a tar image, linuxkit's moby tool is
blindly reusing the original tar format.

Moreover it locates the files under a new prefix, so if the original
file was stored as USTAR in the original archive, the filename length
and new prefix could be greater than the USTAR name limit leading
to a fatal error.

The fix is to always enforce PAX format on all copied files from the
original image archive.

Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
@masterzen masterzen force-pushed the fix/3091-enforce-PAX-for-all-files branch from f670f5a to 7a7f5f6 Compare July 29, 2018 09:04
@masterzen
Contributor Author

@justincormack, you're definitely right.
I moved the hdr.Format = tar.FormatPAX so that it covers all branches (replace and copy).
Let me know if you have any other comment.
Thanks,
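
The failure and the fix discussed in this thread, reproduced with Go's `archive/tar` as an added example (not code from the pull request or from linuxkit): a constructed USTAR entry is copied under a new prefix, once reusing the format the reader detected and once with `hdr.Format = tar.FormatPAX`. The names `prefix`, `SampleName`, `ustarArchive` and `Repack` and the prefix value are assumptions made for the illustration.

```go
package main
import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
)

const prefix = "containers/services/example/rootfs/" // hypothetical relocation prefix
var SampleName = strings.Repeat(strings.Repeat("d", 60)+"/", 3) + "data.bin" // constructed, 191 bytes

// ustarArchive builds a one-entry archive written strictly as USTAR.
func ustarArchive(name string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Format: tar.FormatUSTAR}); err != nil {
		panic(err)
	}
	tw.Close()
	return buf
}

// Repack copies entries under prefix, reusing the detected format unless forcePAX is set.
func Repack(src io.Reader, forcePAX bool) (*bytes.Buffer, error) {
	var out bytes.Buffer
	tr, tw := tar.NewReader(src), tar.NewWriter(&out)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		hdr.Name = prefix + hdr.Name // 226 bytes: no '/' split fits USTAR's 155+100 fields
		if forcePAX {
			hdr.Format = tar.FormatPAX // long path goes into a PAX extended header
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err // reused USTAR format: "cannot encode header"
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return nil, err
		}
	}
	return &out, tw.Close()
}

func main() {
	_, reuseErr := Repack(ustarArchive(SampleName), false)
	_, paxErr := Repack(ustarArchive(SampleName), true)
	fmt.Printf("reuse detected format: %v\nforce PAX: %v\n", reuseErr, paxErr)
}
```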

Development

Successfully merging this pull request may close these issues.

linuxkit build cannot encode header
