fix docker cp -a failing to access / in container (run getent with a noop stdin)

[ndeloof]

fixes #45719 (actually, just a workaround)

- What I did
configure command to run getent to use a noop readCloser as stdin to prevent ENOENT failure to open /dev/null

- How I did it

- How to verify it
test case included

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[glours]

LGTM

[cpuguy83]

Seems like a strange thing:

$ getent passwd 1000 < /dev/null
cpuguy83:x:1000:1000:Ubuntu:/home/cpuguy83:/bin/bash

Also doing the same in go works just fine as well.

[neersighted]

I'm not convinced this is right at all either -- if nil Stdin is breaking something, I think that represents a regression in the Go runtime and not something to work around in Moby.

[ndeloof]

@neersighted I totally agree with you, this is at most a temporary workaround. Maybe this deserve a FIXME note
I have no explanation why os.Open(os.DevNull) fails in this specific scenario with:

fs.PathError {
Op = {string} "open"
Path = {string} "/dev/null"
Err = {error | syscall.Errno} github.com/docker/docker/vendor/github.com/cilium/ebpf/internal/unix.ENOENT (2)
}

but I haven't found any bug reported to the golang team related to such an issue, and have no idea how to investigate further.

[rumpl]

During copy the container filesystem is mounted and the archive code gets a view of that filesystem, /dev is not mounted there, that's why you get this error.

I tried adding a simple

if err := mount.Mount("/dev", dest, "tmpfs", "rbind"); err != nil {
	return err
}

But then the copy fails with getent unable to find entry "1000" in passwd database, which is the same error I get when I run cp -a on a 23.x version.

[neersighted]

It appears this isn't a regression then, but a subtle breaking change where the Go runtime depends on the /dev/null device node being available. I wonder if it's worth the trouble to provide some basic device nodes during copy -- likely this is more pragmatic, but it seems possible that we could run into similar issues in the future.

[ndeloof]

according to #45720 (comment) this is actually a reasonable fix, but need to add some comment to explain the reason for this. I'll update my PR on Monday

[neersighted]

'close' might be more accurate than 'mock'; but this is fine.

[thaJeztah]

LGTM

[thaJeztah]

Not a blocker; we probably could've used subtests for these

[thaJeztah]

Not a blocker; using assert.Check() allows the test to continue (assert.NilError() does a t.Fatal(), which in this case means we won't test the other cases if an earlier one fails)

Suggested change

	assert.NilError(t, err)
	assert.Check(t, err)