wildcard directories not implemented correctly in dockerignore

[nicks]

Description

wildcard directory matching in dockerignore (the double asterisk **) is not implemented correctly and buggy in some cases

Steps to reproduce the issue:

1. Dockerfile:

FROM busybox
WORKDIR /src
ADD . .
RUN find .

2. .dockerignore:

**/c
!a/b/c/include.txt
.git

3. Create files "a/b/c/include.txt" and "a/b/c/exclude.txt"

4. Run docker build --no-cache .

Describe the results you received:

a/b/c/exclude.txt should be ignored

Describe the results you expected:

a/b/c/exclude.txt is included in the docker context

Additional information you deem important (e.g. issue happens only occasionally):

This repo has a more complete explanation of the bug:

https://github.com/tilt-dev/dockerignore-wildcard-bug

The underlying bug is this code:

https://github.com/moby/moby/blob/v19.03.12/pkg/fileutils/fileutils.go#L83

which assumes that the number of directory separators in the pattern can be used to determine the "directory" length, which is not a correct assumption when wildcards are present.

Interestingly, the exclude pattern is necessary to reproduce this problem. That's because this code:

https://github.com/moby/moby/blob/v19.03.12/pkg/archive/archive.go#L843

skips directories purely as an optimization. Adding an exclusion pattern (!a/b/c/include.txt) makes this code go down the "slow" codepath.

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.11
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        42e35e61f3
 Built:             Mon Jun  1 09:12:22 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.11
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       42e35e61f3
  Built:            Mon Jun  1 09:10:54 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

[thaJeztah]

Thanks for reporting; looks like related /similar to #30018

I also created an epic around handling of .dockerignore; #40319 (contributions welcome 😅)

[nicks]

hmmm...I can see why you think they're similar, but #30018 is a bug in the optimization that skips directories, and this is a bug in the core matcher.

i ended up forking and rolling a fix in tilt-dev/dockerignore#4 for our own purposes...happy to try to contribute it upstream if you'd like.

[thaJeztah]

contributions are definitely welcome <3; there's quite some gaps in the dockerignore inplementation that will have to be verified/looked into (which is why I created the epic in #40319)

It might be worth trying if building with buildkit enabled (DOCKER_BUILDKIT=1) resolves the issue; buildkit is the next generation builder, and will at some point replace the classic builder as they default. BuildKit is more performant for most cases, and is "production" ready (but not yet enabled by default; see #40379)

[tscni]

As an additional note, the optimization logic in https://github.com/moby/moby/blob/v19.03.12/pkg/archive/archive.go#L854 will still lead to issues, even if the pattern were to match correctly.
E.g. TarWithOptions() with a context containing

/ignore/a.txt

and a .dockerignore with

**/ignore
!**/ignore/a.txt

will not add /ignore/a.txt to the tar.

I suppose this needs a function to match a path prefix against all exclude patterns.

Edit: Oh I see, that's pretty much #30018

[nicks]

I think this bug should be reopened? because the fix had to be reverted. the bug is still present for me at 20.10.14