From 86c6014145d5b8d4ea51f338beb9bddaa8b5a334 Mon Sep 17 00:00:00 2001 From: Matej Vasek Date: Mon, 28 Jun 2021 21:17:13 +0200 Subject: [PATCH] Implement --archive flag for podman cp Signed-off-by: Matej Vasek --- cmd/podman/containers/cp.go | 8 ++-- docs/source/markdown/podman-cp.1.md | 11 +++++- libpod/container_api.go | 4 +- libpod/container_copy_linux.go | 21 +++++----- pkg/api/handlers/compat/containers_archive.go | 11 ++++-- pkg/bindings/containers/archive.go | 12 +++++- pkg/bindings/containers/types.go | 8 ++++ pkg/bindings/containers/types_copy_options.go | 37 ++++++++++++++++++ pkg/bindings/internal/util/util.go | 10 +++-- pkg/domain/entities/containers.go | 7 ++++ pkg/domain/entities/engine_container.go | 2 +- pkg/domain/infra/abi/archive.go | 4 +- pkg/domain/infra/tunnel/containers.go | 4 +- test/apiv2/23-containersArchive.at | 16 +++++++- test/python/docker/compat/test_containers.py | 39 +++++++++++++++++++ test/system/065-cp.bats | 21 +++++++++- 16 files changed, 184 insertions(+), 31 deletions(-) create mode 100644 pkg/bindings/containers/types_copy_options.go diff --git a/cmd/podman/containers/cp.go b/cmd/podman/containers/cp.go index 0ad2588242..c1f1e27f58 100644 --- a/cmd/podman/containers/cp.go +++ b/cmd/podman/containers/cp.go @@ -28,13 +28,13 @@ var ( You can copy from the container's file system to the local machine or the reverse, from the local filesystem to the container. If "-" is specified for either the SRC_PATH or DEST_PATH, you can also stream a tar archive from STDIN or to STDOUT. The CONTAINER can be a running or stopped container. The SRC_PATH or DEST_PATH can be a file or a directory. ` cpCommand = &cobra.Command{ - Use: "cp [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH", + Use: "cp [options] [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH", Short: "Copy files/folders between a container and the local filesystem", Long: cpDescription, Args: cobra.ExactArgs(2), RunE: cp, ValidArgsFunction: common.AutocompleteCpCommand, - Example: "podman cp [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH", + Example: "podman cp [options] [CONTAINER:]SRC_PATH [CONTAINER:]DEST_PATH", } containerCpCommand = &cobra.Command{ @@ -50,12 +50,14 @@ var ( var ( cpOpts entities.ContainerCpOptions + chown bool ) func cpFlags(cmd *cobra.Command) { flags := cmd.Flags() flags.BoolVar(&cpOpts.Extract, "extract", false, "Deprecated...") flags.BoolVar(&cpOpts.Pause, "pause", true, "Deprecated") + flags.BoolVarP(&chown, "archive", "a", true, `Chown copied files to the primary uid/gid of the destination container.`) _ = flags.MarkHidden("extract") _ = flags.MarkHidden("pause") } @@ -378,7 +380,7 @@ func copyToContainer(container string, containerPath string, hostPath string) er target = filepath.Dir(target) } - copyFunc, err := registry.ContainerEngine().ContainerCopyFromArchive(registry.GetContext(), container, target, reader) + copyFunc, err := registry.ContainerEngine().ContainerCopyFromArchive(registry.GetContext(), container, target, reader, entities.CopyOptions{Chown: chown}) if err != nil { return err } diff --git a/docs/source/markdown/podman-cp.1.md b/docs/source/markdown/podman-cp.1.md index f245ad1aa8..43ee4cdff0 100644 --- a/docs/source/markdown/podman-cp.1.md +++ b/docs/source/markdown/podman-cp.1.md @@ -4,9 +4,9 @@ podman\-cp - Copy files/folders between a container and the local filesystem ## SYNOPSIS -**podman cp** [*container*:]*src_path* [*container*:]*dest_path* +**podman cp** [*options*] [*container*:]*src_path* [*container*:]*dest_path* -**podman container cp** [*container*:]*src_path* [*container*:]*dest_path* +**podman container cp** [*options*] [*container*:]*src_path* [*container*:]*dest_path* ## DESCRIPTION Copy the contents of **src_path** to the **dest_path**. You can copy from the container's filesystem to the local machine or the reverse, from the local filesystem to the container. @@ -61,6 +61,13 @@ Note that `podman cp` ignores permission errors when copying from a running root ## OPTIONS +#### **--archive**, **-a** + +Archive mode (copy all uid/gid information). +When set to true, files copied to a container will have changed ownership to the primary uid/gid of the container. +When set to false, maintain uid/gid from archive sources instead of changing them to the primary uid/gid of the destination container. +The default is *true*. + ## ALTERNATIVES Podman has much stronger capabilities than just `podman cp` to achieve copy files between host and container. diff --git a/libpod/container_api.go b/libpod/container_api.go index b75d0b41dc..390bba7bbf 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go @@ -840,7 +840,7 @@ func (c *Container) ShouldRestart(ctx context.Context) bool { // CopyFromArchive copies the contents from the specified tarStream to path // *inside* the container. -func (c *Container) CopyFromArchive(ctx context.Context, containerPath string, tarStream io.Reader) (func() error, error) { +func (c *Container) CopyFromArchive(ctx context.Context, containerPath string, chown bool, tarStream io.Reader) (func() error, error) { if !c.batched { c.lock.Lock() defer c.lock.Unlock() @@ -850,7 +850,7 @@ func (c *Container) CopyFromArchive(ctx context.Context, containerPath string, t } } - return c.copyFromArchive(ctx, containerPath, tarStream) + return c.copyFromArchive(ctx, containerPath, chown, tarStream) } // CopyToArchive copies the contents from the specified path *inside* the diff --git a/libpod/container_copy_linux.go b/libpod/container_copy_linux.go index 0ab3228295..01e7ecacba 100644 --- a/libpod/container_copy_linux.go +++ b/libpod/container_copy_linux.go @@ -23,7 +23,7 @@ import ( "golang.org/x/sys/unix" ) -func (c *Container) copyFromArchive(ctx context.Context, path string, reader io.Reader) (func() error, error) { +func (c *Container) copyFromArchive(ctx context.Context, path string, chown bool, reader io.Reader) (func() error, error) { var ( mountPoint string resolvedRoot string @@ -62,13 +62,16 @@ func (c *Container) copyFromArchive(ctx context.Context, path string, reader io. } } - // Make sure we chown the files to the container's main user and group ID. - user, err := getContainerUser(c, mountPoint) - if err != nil { - unmount() - return nil, err + var idPair *idtools.IDPair + if chown { + // Make sure we chown the files to the container's main user and group ID. + user, err := getContainerUser(c, mountPoint) + if err != nil { + unmount() + return nil, err + } + idPair = &idtools.IDPair{UID: int(user.UID), GID: int(user.GID)} } - idPair := idtools.IDPair{UID: int(user.UID), GID: int(user.GID)} decompressed, err := archive.DecompressStream(reader) if err != nil { @@ -84,8 +87,8 @@ func (c *Container) copyFromArchive(ctx context.Context, path string, reader io. putOptions := buildahCopiah.PutOptions{ UIDMap: c.config.IDMappings.UIDMap, GIDMap: c.config.IDMappings.GIDMap, - ChownDirs: &idPair, - ChownFiles: &idPair, + ChownDirs: idPair, + ChownFiles: idPair, } return c.joinMountAndExec(ctx, diff --git a/pkg/api/handlers/compat/containers_archive.go b/pkg/api/handlers/compat/containers_archive.go index e119dc7cb0..a9d74e5f4e 100644 --- a/pkg/api/handlers/compat/containers_archive.go +++ b/pkg/api/handlers/compat/containers_archive.go @@ -9,6 +9,7 @@ import ( "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/pkg/api/handlers/utils" "github.com/containers/podman/v3/pkg/copy" + "github.com/containers/podman/v3/pkg/domain/entities" "github.com/containers/podman/v3/pkg/domain/infra/abi" "github.com/gorilla/schema" "github.com/pkg/errors" @@ -92,11 +93,13 @@ func handleHeadAndGet(w http.ResponseWriter, r *http.Request, decoder *schema.De func handlePut(w http.ResponseWriter, r *http.Request, decoder *schema.Decoder, runtime *libpod.Runtime) { query := struct { - Path string `schema:"path"` + Path string `schema:"path"` + Chown bool `schema:"copyUIDGID"` // TODO handle params below NoOverwriteDirNonDir bool `schema:"noOverwriteDirNonDir"` - CopyUIDGID bool `schema:"copyUIDGID"` - }{} + }{ + Chown: utils.IsLibpodRequest(r), // backward compatibility + } err := decoder.Decode(&query, r.URL.Query()) if err != nil { @@ -107,7 +110,7 @@ func handlePut(w http.ResponseWriter, r *http.Request, decoder *schema.Decoder, containerName := utils.GetName(r) containerEngine := abi.ContainerEngine{Libpod: runtime} - copyFunc, err := containerEngine.ContainerCopyFromArchive(r.Context(), containerName, query.Path, r.Body) + copyFunc, err := containerEngine.ContainerCopyFromArchive(r.Context(), containerName, query.Path, r.Body, entities.CopyOptions{Chown: query.Chown}) if errors.Cause(err) == define.ErrNoSuchCtr || os.IsNotExist(err) { // 404 is returned for an absent container and path. The // clients must deal with it accordingly. diff --git a/pkg/bindings/containers/archive.go b/pkg/bindings/containers/archive.go index 0178f63c33..52b73662b5 100644 --- a/pkg/bindings/containers/archive.go +++ b/pkg/bindings/containers/archive.go @@ -50,11 +50,21 @@ func Stat(ctx context.Context, nameOrID string, path string) (*entities.Containe } func CopyFromArchive(ctx context.Context, nameOrID string, path string, reader io.Reader) (entities.ContainerCopyFunc, error) { + return CopyFromArchiveWithOptions(ctx, nameOrID, path, reader, nil) +} + +// CopyFromArchiveWithOptions FIXME: remove this function and make CopyFromArchive accept the option as the last parameter in podman 4.0 +func CopyFromArchiveWithOptions(ctx context.Context, nameOrID string, path string, reader io.Reader, options *CopyOptions) (entities.ContainerCopyFunc, error) { conn, err := bindings.GetClient(ctx) if err != nil { return nil, err } - params := url.Values{} + + params, err := options.ToParams() + if err != nil { + return nil, err + } + params.Set("path", path) return func() error { diff --git a/pkg/bindings/containers/types.go b/pkg/bindings/containers/types.go index 0d22c32f86..db710d3daa 100644 --- a/pkg/bindings/containers/types.go +++ b/pkg/bindings/containers/types.go @@ -251,3 +251,11 @@ type ExistsOptions struct { // External checks for containers created outside of Podman External *bool } + +//go:generate go run ../generator/generator.go CopyOptions +// CopyOptions are options for copying to containers. +type CopyOptions struct { + // If used with CopyFromArchive and set to true it will change ownership of files from the source tar archive + // to the primary uid/gid of the target container. + Chown *bool `schema:"copyUIDGID"` +} diff --git a/pkg/bindings/containers/types_copy_options.go b/pkg/bindings/containers/types_copy_options.go new file mode 100644 index 0000000000..12ad085fd1 --- /dev/null +++ b/pkg/bindings/containers/types_copy_options.go @@ -0,0 +1,37 @@ +package containers + +import ( + "net/url" + + "github.com/containers/podman/v3/pkg/bindings/internal/util" +) + +/* +This file is generated automatically by go generate. Do not edit. +*/ + +// Changed +func (o *CopyOptions) Changed(fieldName string) bool { + return util.Changed(o, fieldName) +} + +// ToParams +func (o *CopyOptions) ToParams() (url.Values, error) { + return util.ToParams(o) +} + +// WithChown +func (o *CopyOptions) WithChown(value bool) *CopyOptions { + v := &value + o.Chown = v + return o +} + +// GetChown +func (o *CopyOptions) GetChown() bool { + var chown bool + if o.Chown == nil { + return chown + } + return *o.Chown +} diff --git a/pkg/bindings/internal/util/util.go b/pkg/bindings/internal/util/util.go index ef93d6e25e..bcf6959f21 100644 --- a/pkg/bindings/internal/util/util.go +++ b/pkg/bindings/internal/util/util.go @@ -72,14 +72,18 @@ func ToParams(o interface{}) (url.Values, error) { if reflect.Ptr == f.Kind() { f = f.Elem() } + paramName := fieldName + if pn, ok := sType.Field(i).Tag.Lookup("schema"); ok { + paramName = pn + } switch { case IsSimpleType(f): - params.Set(fieldName, SimpleTypeToParam(f)) + params.Set(paramName, SimpleTypeToParam(f)) case f.Kind() == reflect.Slice: for i := 0; i < f.Len(); i++ { elem := f.Index(i) if IsSimpleType(elem) { - params.Add(fieldName, SimpleTypeToParam(elem)) + params.Add(paramName, SimpleTypeToParam(elem)) } else { return nil, errors.New("slices must contain only simple types") } @@ -95,7 +99,7 @@ func ToParams(o interface{}) (url.Values, error) { return nil, err } - params.Set(fieldName, s) + params.Set(paramName, s) } } return params, nil diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go index 8ed9b9b61b..302b35a47a 100644 --- a/pkg/domain/entities/containers.go +++ b/pkg/domain/entities/containers.go @@ -160,6 +160,13 @@ type CommitOptions struct { Writer io.Writer } +type CopyOptions struct { + // If used with ContainerCopyFromArchive and set to true + // it will change ownership of files from the source tar archive + // to the primary uid/gid of the destination container. + Chown bool +} + type CommitReport struct { Id string //nolint } diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go index 4cd3cfd2ab..1b35135d0c 100644 --- a/pkg/domain/entities/engine_container.go +++ b/pkg/domain/entities/engine_container.go @@ -20,7 +20,7 @@ type ContainerEngine interface { ContainerCheckpoint(ctx context.Context, namesOrIds []string, options CheckpointOptions) ([]*CheckpointReport, error) ContainerCleanup(ctx context.Context, namesOrIds []string, options ContainerCleanupOptions) ([]*ContainerCleanupReport, error) ContainerCommit(ctx context.Context, nameOrID string, options CommitOptions) (*CommitReport, error) - ContainerCopyFromArchive(ctx context.Context, nameOrID string, path string, reader io.Reader) (ContainerCopyFunc, error) + ContainerCopyFromArchive(ctx context.Context, nameOrID, path string, reader io.Reader, options CopyOptions) (ContainerCopyFunc, error) ContainerCopyToArchive(ctx context.Context, nameOrID string, path string, writer io.Writer) (ContainerCopyFunc, error) ContainerCreate(ctx context.Context, s *specgen.SpecGenerator) (*ContainerCreateReport, error) ContainerDiff(ctx context.Context, nameOrID string, options DiffOptions) (*DiffReport, error) diff --git a/pkg/domain/infra/abi/archive.go b/pkg/domain/infra/abi/archive.go index 2ea63aa5e2..1a5bb6dc42 100644 --- a/pkg/domain/infra/abi/archive.go +++ b/pkg/domain/infra/abi/archive.go @@ -7,12 +7,12 @@ import ( "github.com/containers/podman/v3/pkg/domain/entities" ) -func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID string, containerPath string, reader io.Reader) (entities.ContainerCopyFunc, error) { +func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID, containerPath string, reader io.Reader, options entities.CopyOptions) (entities.ContainerCopyFunc, error) { container, err := ic.Libpod.LookupContainer(nameOrID) if err != nil { return nil, err } - return container.CopyFromArchive(ctx, containerPath, reader) + return container.CopyFromArchive(ctx, containerPath, options.Chown, reader) } func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID string, containerPath string, writer io.Writer) (entities.ContainerCopyFunc, error) { diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go index ccebfffa42..c02e368043 100644 --- a/pkg/domain/infra/tunnel/containers.go +++ b/pkg/domain/infra/tunnel/containers.go @@ -833,8 +833,8 @@ func (ic *ContainerEngine) ContainerPort(ctx context.Context, nameOrID string, o return reports, nil } -func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID string, path string, reader io.Reader) (entities.ContainerCopyFunc, error) { - return containers.CopyFromArchive(ic.ClientCtx, nameOrID, path, reader) +func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID, path string, reader io.Reader, options entities.CopyOptions) (entities.ContainerCopyFunc, error) { + return containers.CopyFromArchiveWithOptions(ic.ClientCtx, nameOrID, path, reader, new(containers.CopyOptions).WithChown(options.Chown)) } func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID string, path string, writer io.Writer) (entities.ContainerCopyFunc, error) { diff --git a/test/apiv2/23-containersArchive.at b/test/apiv2/23-containersArchive.at index 688ca9f06f..c551647801 100644 --- a/test/apiv2/23-containersArchive.at +++ b/test/apiv2/23-containersArchive.at @@ -16,7 +16,7 @@ CTR="ArchiveTestingCtr" TMPD=$(mktemp -d podman-apiv2-test.archive.XXXXXXXX) HELLO_TAR="${TMPD}/hello.tar" echo "Hello" > $TMPD/hello.txt -tar --format=posix -C $TMPD -cvf ${HELLO_TAR} hello.txt &> /dev/null +tar --owner=1042 --group=1043 --format=posix -C $TMPD -cvf ${HELLO_TAR} hello.txt &> /dev/null podman run -d --name "${CTR}" "${IMAGE}" top @@ -72,6 +72,20 @@ if [ "$(tar -xf "${TMPD}/body.tar" hello.txt --to-stdout)" != "Hello" ]; then ARCHIVE_TEST_ERROR="1" fi +# test if uid/gid was set correctly in the server +uidngid=$($PODMAN_BIN --root $WORKDIR/server_root exec "${CTR}" stat -c "%u:%g" "/tmp/hello.txt") +if [[ "${uidngid}" != "1042:1043" ]]; then + echo -e "${red}NOK: UID/GID of the file doesn't match.${nc}" 1>&2; + ARCHIVE_TEST_ERROR="1" +fi + +# TODO: uid/gid should be also preserved on way back (GET request) +# right now it ends up as root:root instead of 1042:1043 +#if [[ "$(tar -tvf "${TMPD}/body.tar")" != *"1042/1043"* ]]; then +# echo -e "${red}NOK: UID/GID of the file doesn't match.${nc}" 1>&2; +# ARCHIVE_TEST_ERROR="1" +#fi + cleanUpArchiveTest if [[ "${ARCHIVE_TEST_ERROR}" ]] ; then exit 1; diff --git a/test/python/docker/compat/test_containers.py b/test/python/docker/compat/test_containers.py index be70efa670..511ab14517 100644 --- a/test/python/docker/compat/test_containers.py +++ b/test/python/docker/compat/test_containers.py @@ -1,13 +1,18 @@ +import io import subprocess import sys import time import unittest +from typing import IO, Optional from docker import DockerClient, errors +from docker.models.containers import Container from test.python.docker import Podman from test.python.docker.compat import common, constant +import tarfile + class TestContainers(unittest.TestCase): podman = None # initialized podman configuration for tests @@ -198,3 +203,37 @@ def test_filters(self): filters = {"name": "top"} ctnrs = self.client.containers.list(all=True, filters=filters) self.assertEqual(len(ctnrs), 1) + + def test_copy_to_container(self): + ctr: Optional[Container] = None + try: + test_file_content = b"Hello World!" + ctr = self.client.containers.create(image="alpine", detach=True, command="top") + ctr.start() + + buff: IO[bytes] = io.BytesIO() + with tarfile.open(fileobj=buff, mode="w:") as tf: + ti: tarfile.TarInfo = tarfile.TarInfo() + ti.uid = 1042 + ti.gid = 1043 + ti.name = "a.txt" + ti.path = "a.txt" + ti.mode = 0o644 + ti.type = tarfile.REGTYPE + ti.size = len(test_file_content) + tf.addfile(ti, fileobj=io.BytesIO(test_file_content)) + + buff.seek(0) + ctr.put_archive("/tmp/", buff) + ret, out = ctr.exec_run(["stat", "-c", "%u:%g", "/tmp/a.txt"]) + + self.assertEqual(ret, 0) + self.assertTrue(out.startswith(b'1042:1043'), "assert correct uid/gid") + + ret, out = ctr.exec_run(["cat", "/tmp/a.txt"]) + self.assertEqual(ret, 0) + self.assertTrue(out.startswith(test_file_content), "assert file content") + finally: + if ctr is not None: + ctr.stop() + ctr.remove() diff --git a/test/system/065-cp.bats b/test/system/065-cp.bats index eda04611f5..5778eb46e9 100644 --- a/test/system/065-cp.bats +++ b/test/system/065-cp.bats @@ -114,7 +114,7 @@ load helpers } -@test "podman cp file from host to container and check ownership" { +@test "podman cp (-a=true) file from host to container and check ownership" { srcdir=$PODMAN_TMPDIR/cp-test-file-host-to-ctr mkdir -p $srcdir content=cp-user-test-$(random_string 10) @@ -129,6 +129,25 @@ load helpers run_podman rm -f cpcontainer } +@test "podman cp (-a=false) file from host to container and check ownership" { + local tmpdir="${PODMAN_TMPDIR}/cp-test-file-host-to-ctr" + mkdir -p "${tmpdir}" + + pushd "${tmpdir}" + touch a.txt + tar --owner=1042 --group=1043 -cf a.tar a.txt + popd + + userid=$(id -u) + + run_podman run --user="$userid" --userns=keep-id -d --name cpcontainer $IMAGE sleep infinity + run_podman cp -a=false - cpcontainer:/tmp/ < "${tmpdir}/a.tar" + run_podman exec cpcontainer stat -c "%u:%g" /tmp/a.txt + is "$output" "1042:1043" "copied file retains uid/gid from the tar" + run_podman kill cpcontainer + run_podman rm -f cpcontainer +} + @test "podman cp file from/to host while --pid=host" { if is_rootless && ! is_cgroupsv2; then