Fix docker cp when container source path is /

[tiborvass]

Another attempt at fixing #39348
Fixes #39348
Previous attempt at #39351

Before 7a7357d, archive.TarResourceRebase was being used to copy files
and folders from the container. That function splits the source path
into a dirname + basename pair to support copying a file:
if you wanted to tar dir/file it would tar from dir the file file
(as part of the IncludedFiles option).

However, that path splitting logic was kept for folders as well, which
resulted in weird inputs to archive.TarWithOptions:
if you wanted to tar dir1/dir2 it would tar from dir1 the directory
dir2 (as part of IncludedFiles option).

Although it was weird, it worked fine until we started chrooting into
the container rootfs when doing a docker cp with container source set
to / (cf 3029e76 (#39292)).

The fix is to only do the path splitting logic if the source is a file.

Unfortunately, 7a7357d added support for LCOW by duplicating some of
this subtle logic. Ideally we would need to do more refactoring of the
archive codebase to properly encapsulate these behaviors behind well-
documented APIs.

This fix does not do that. Instead, it fixes the issue inline.

Signed-off-by: Tibor Vass tibor@docker.com

I added a couple of more tests than the actual issue needs, just to make sure there are no other regressions compared to before the cve fix (3029e76).

Huge thanks to @cpuguy83 ❤️who worked tirelessly with me to understand the code and make this PR.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@4dc6b21). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #39357   +/-   ##
=========================================
  Coverage          ?   36.97%           
=========================================
  Files             ?      612           
  Lines             ?    45645           
  Branches          ?        0           
=========================================
  Hits              ?    16877           
  Misses            ?    26480           
  Partials          ?     2288

[cpuguy83]

15:29:30 --- FAIL: TestCopyFromContainerRoot (1.83s)
15:29:30     copy_test.go:146: assertion failed: expression is false: found["/foo"]: /foo file not found in archive
15:29:30     copy_test.go:147: assertion failed: expression is false: found["/bar/baz"]: /bar/baz file not found in archive

[tiborvass]

Ping @cpuguy83 @thaJeztah @tonistiigi @justincormack

[cpuguy83]

LGTM

[tonistiigi]

I think this should be

if symlink {
opts = rebase
}

and always archivePath(resolvedPath).

Would be more understandable what is actually happening and wouldn't need the hack for removing the slash in the walker. But functionally they seem equivalent.

[tiborvass]

Agreed. Can be done in a follow up.

[tiborvass]

@thaJeztah @kolyshkin updated with small requested change.

[tiborvass]

Failure is TestAPISwarmLeaderElection which is unrelated

[thaJeztah]

LGTM

[thaJeztah]

Looks like s390x passed, but is hanging on the cleanup; https://jenkins.dockerproject.org/job/Docker-PRs-s390x/14591/console

06:06:03 OK: 1421 passed, 81 skipped
06:06:03 PASS
06:06:03 ---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
06:06:16 Clearing AppArmor profiles cache:.
06:06:16 All profile caches have been cleared, but no profiles have been unloaded.
06:06:16 Unloading profiles will leave already running processes permanently
06:06:16 unconfined, which can lead to unexpected situations.
06:06:16 
06:06:16 To set a process to complain mode, use the command line tool
06:06:16 'aa-complain'. To really tear down all profiles, run the init script
06:06:16 with the 'teardown' option."
06:06:16 Removing test suite binaries