Reset uid/gid to 0 in build context to fix cache busting issues on ADD/COPY in stream mode

[shouze]

- What I did

Fix of moby/moby#32816 for stream mode. This is a follow up of #513. Also related to tonistiigi/fsutil#10 & moby/buildkit#126

- How I did it

By resetting uid/gid to 0/0 in the build context in stream mode.

- How to verify it

go test -v ./cli/command/image -run TestRunBuildResetsUidAndGidInContextWithStreamMode

- Description for the changelog

Reset uid/gid to 0 in build context to fix cache busting issues on
ADD/COPY in stream mode

- A picture of a cute animal (not mandatory but encouraged)

[shouze]

@tonistiigi I currently have this failure, any idea why? I admit I've still not looked for, just written the test as I was believing it should be implemented. Also I can merge TestRunBuildResetsUidAndGidInContextWithStreamMode & TestRunBuildResetsUidAndGidInContext in a next move and manage stream option as a test case, WDYT?

=== RUN   TestRunBuildResetsUidAndGidInContextWithStreamMode
--- FAIL: TestRunBuildResetsUidAndGidInContextWithStreamMode (0.00s)
        Error Trace:    build_test.go:52
	Error:      	Received unexpected error:
	            	open Dockerfile: no such file or directory
	            	failed to open Dockerfile
	            	github.com/docker/cli/cli/command/image.runBuild
	            		/go/src/github.com/docker/cli/cli/command/image/build.go:267
	            	github.com/docker/cli/cli/command/image.TestRunBuildResetsUidAndGidInContextWithStreamMode
	            		/go/src/github.com/docker/cli/cli/command/image/build_test.go:51
	            	testing.tRunner
	            		/usr/local/go/src/testing/testing.go:657
	            	runtime.goexit
	            		/usr/local/go/src/runtime/asm_amd64.s:2197

[dnephin]

I think they make sense as separate test cases for now.

You might try rebasing on #294 to see if the bug still exists.

I suspect you'll need to provide another function to the fake for the client session endpoint, but I don't think that's related to the error you're hitting now.

[dnephin]

Shouldn't all of these be in a single SyncedDir instead of 3 separate ones?

I'm alsonot seeing a Map field in master,so we should wait for moby/buildkit#126 to merge and vendor in master instead of the PR branch.

[shouze]

Yes.. only one you're right 😊 . And yes Map is part of moby/buildkit#126 this PR needs to use master of course before merge.

[shouze]

@dnephin I've rebased with #294 and the bug remains. I still need to figure out why I have this Dockerfile error in stream mode. I guess I don't reproduce the way that stream mode currently works in the test, will investigate further.

[shouze]

@tonistiigi @dnephin ok so I've tooked a look further and... the Dockerfile error is related to:

cli/cli/command/image/build.go

Lines 262 to 270 in bd6e175

	// if streaming and dockerfile was not from stdin then read from file
	// to the same reader that is usually stdin
	if options.stream && dockerfileCtx == nil {
	dockerfileCtx, err = os.Open(relDockerfile)
	if err != nil {
	return errors.Wrapf(err, "failed to open %s", relDockerfile)
	}
	defer dockerfileCtx.Close()
	}

BTW, If I comment this statement or if I use a Dockerfile from stdin, then I get this error from the fakeCli:

=== RUN   TestRunBuildResetsUidAndGidInContextWithStreamMode
--- FAIL: TestRunBuildResetsUidAndGidInContextWithStreamMode (0.00s)
        Error Trace:    build_test.go:31
	            	client_test.go:121
	            	build.go:390
	            	build_test.go:51
	Error:      	Received unexpected error:
	            	Empty archive
FAIL

@tonistiigi looks like it's ok as stream mode maybe don't produce a tar archive in fact?

if I dump some interesting fakeImage args in my test:

• context is nil
• options:
  • SessionID & RemoteContext remains undefined

Maybe because there's an async build process here with the session which is dialed, it there a way to wait against this async process?

[dnephin]

I think it is expected that stream doesn't produce an archive, it would send files using the stream.

We need to fake the client lib parts for the session call as well I think, but I'm not sure if that's related to the error.

[shouze]

Yes from what I've read stream mode uses diffcopy (was supporting a tarstream mode in the past but removed). Ok will look around to fake client lib parts for the session but yes for the original error about the Dockerfile I still don't know, will probably find on my way. Thank you.

[shouze]

Not that easy BTW as I probably have to fake the build_session... but in the same time.... my patch is on addDirToSession in build_session! So... maybe it worth instead to write a unit test for this addDirToSession only in build_session?

[dnephin]

A unit test for addDirToSession seems appropriate.

[shouze]

@dnephin @tonistiigi ok I guess the best is to mock/fake the session here instead of using the true one. @tonistiigi does it worth that builkit provides a session faker at some point? I can put it in the cli ATM.

[dnephin]

Having the CLI depend on a type Session interface{...} instead of the struct would be great, then it should be easy for us to fake.

A fake as part of the CLI testing code sounds fine to me.

[codecov-io]

Codecov Report

Merging #549 into master will increase coverage by 0.17%.
The diff coverage is 50%.

@@            Coverage Diff             @@
##           master     #549      +/-   ##
==========================================
+ Coverage   49.49%   49.66%   +0.17%     
==========================================
  Files         208      208              
  Lines       17153    17164      +11     
==========================================
+ Hits         8490     8525      +35     
+ Misses       8231     8203      -28     
- Partials      432      436       +4

[thaJeztah]

this needs a rebase now, @shouze 😢

[shouze]

@thaJestah, yes and even if green I need to introduce the session interface and to fake it prior to be able to write the good test.

I’ll be back on this soon.

[thaJeztah]

No worries, thanks! Let us know if you need help 👍

[thaJeztah]

friendly nudge @shouze 🤗

[vdemeester]

@shouze @dnephin @thaJeztah as I understand it's a bit tied to #294 and other build/build session enhancement. Given the activity, should we close this one and consolidate the work of all this in one PR ? ⚓️

[dnephin]

I think this is a bug fix not a cleanup.

Needs a rebase, I think we've updated the dependencies already, so maybe the PR will be smaller after the rebase.

[dnephin]

But I guess there was no response from @shouze since the ping in Oct, so we can close for now.

If you're still interested in contributing this fix please let us know and we can re-open the PR.

[tonistiigi]

@thaJeztah @dnephin It is a big problem that we can't get these trivial fixes that are essentially a single line fix in anymore. The vendored component is already unit tested. With previous repository layout it would have been trivial to add an integration test that checks the actual feature (btw I think we still don't have a test for that although the original issue in moby is closed - we only have some tests that run internal functions with mock wrappers in a different repo). Atm we only have a caller that doesn't really have any functionality at all and we expect to mock all the functionality around that caller. It is not reasonable nor will improve quality.

[dnephin]

I agree it's an issue. Which is why we need to merge #294 to fix it.

Atm we only have a caller that doesn't really have any functionality at all and we expect to mock all the functionality around that caller.

What is the caller?

[tonistiigi]

What is the caller?

Code that only takes configuration passed by user and calls to other packages with public go/http API, then takes the response from these calls and shows to the user.

[dnephin]

That sounds like functionality to me.

Build also does a lot more than that.

[thaJeztah]

Is someone able to carry this?

[shouze]

@dnephin @tonistiigi @thaJeztah @vdemeester sorry guys I was on holiday past 3 weeks, Yes this PR should be closed anyway, as I wasn't able to push a decent test, this was not trivial to test against buildkit the way runBuild was done.

[koreno]

What's the latest on this issue - is there a workaround/solution to cache busting due to ownership change?
I'm currently on docker 19.3