dockerConfigFile.GetCredentialsStore.Store faulty symlink resolution behavior #3413
Comments
As described in containerd#3413 there seems to be a fault in docker credentials store that makes relative symlinks resolve to pwd instead of where they are. This in turn will break our test if the current working directory is read-only (typical with Lima). This changeset does Chdir to the parent temp directory so we can workaround that problem. Signed-off-by: apostasie <[email protected]>
|
This ticket is both about making sure our tests work (fixed by the linked PR), but we could keep it around as "external" for now as well - or if somebody wants to, we might further diagnose it and report it to moby. |
As described in containerd#3413 there seems to be a fault in docker credentials store that makes relative symlinks resolve to pwd instead of where they are. This in turn will break our test if the current working directory is read-only (typical with Lima). This changeset does Chdir to the parent temp directory so we can workaround that problem. Signed-off-by: apostasie <[email protected]>
|
@thaJeztah you might want to fix this ^. Readlink does not resolve the path for you, and by the time you write it, it will be relative to cwd. You might consider using instead But then... you do MkdirAll before resolving the links (https://github.com/docker/cli/blob/master/cli/config/configfile/file.go#L144-L147), so... you will fail mkdir-ing where the link(s) actually resolve... I certainly appreciate that an atomic write is the right thing to do, but in that case, you just cannot get away with it with just readlink... This is not exactly trivial... Let me know if I am missing something and/or if there is a simpler way to deal with this in go... |
AkihiroSuda
added
kind/external
and removed
kind/unconfirmed-bug-claim
|
@apostasie thanks! Yes, looks like a tricky one. Could you open a ticket for this in docker/cli ? |
Sure, will do eventually - it might take me some time though (busy with here), so feel free to carry it if you do have bandwidth now. Thanks @thaJeztah ! |
apostasie
changed the title
As described in containerd#3413 there seems to be a fault in docker credentials store that makes relative symlinks resolve to pwd instead of where they are. This in turn will break our test if the current working directory is read-only (typical with Lima). This changeset does Chdir to the parent temp directory so we can workaround that problem. Signed-off-by: apostasie <[email protected]>
As described in containerd#3413 there seems to be a fault in docker credentials store that makes relative symlinks resolve to pwd instead of where they are. This in turn will break our test if the current working directory is read-only (typical with Lima). This changeset does Chdir to the parent temp directory so we can workaround that problem. Signed-off-by: apostasie <[email protected]>
As described in containerd#3413 there seems to be a fault in docker credentials store that makes relative symlinks resolve to pwd instead of where they are. This in turn will break our test if the current working directory is read-only (typical with Lima). This changeset does Chdir to the parent temp directory so we can workaround that problem. Signed-off-by: apostasie <[email protected]>
Description
When DOCKER_CONFIG points to a directory that does contain a relative,
danglingconfig.jsonsymlink, Docker credentials store will (apparently) wrongly resolve the link to the current working directory.This can be reproduced with the following:
This does suggest there is a bug in moby/docker somewhere where readlink is used to resolve against pwd instead of the parent dir (/tmp/foo).
In turn, if, for some reason, the file cannot be created in the current working directory (for example if it is readonly), this will error in a very baffling way with a very confusing message:
First spotted in #3293 (review) although at the time I was unable to diagnose it.
While this is very likely a docker bug, we need to fix these tests to deal with that.
Steps to reproduce the issue
No response
Describe the results you received and expected
na
What version of nerdctl are you using?
main
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
None
Host information
No response
The text was updated successfully, but these errors were encountered: