Fix ResolveImageConfig to evaluate source policy by cpuguy83 · Pull Request #3956 · moby/buildkit

cpuguy83 · 2023-06-16T17:24:15Z

Before this change, ResolveImageConfig was unaware of source policies. This means that:

Images for denied sources may be resolved
Image configs may get pulled for sources that are later converted to a different image

The update makes it so the image resolver first runs a given ref through the source policy and uses any mutated ref for the actual resolve (instead of the original ref).
It also returns the mutated ref so it can be used correctly by the frontend (e.g. don't want to do llb.Image(oldRef@resolvedDigest)).

Fixes #3911

tonistiigi · 2023-06-27T04:27:47Z

Looks like panic in CI:

    sandbox.go:286: panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    sandbox.go:286: 	panic: runtime error: invalid memory address or nil pointer dereference
    sandbox.go:286: [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x11f790f]
    sandbox.go:286: 
    sandbox.go:286: goroutine 30 [running]:
    sandbox.go:286: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.func1()
    sandbox.go:286: 	/src/vendor/go.opentelemetry.io/otel/sdk/trace/span.go:383 +0x2a
    sandbox.go:286: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0xc0003e8900, {0x0, 0x0, 0x26afc60?})
    sandbox.go:286: 	/src/vendor/go.opentelemetry.io/otel/sdk/trace/span.go:421 +0xa89
    sandbox.go:286: panic({0x16ce440, 0x2681ed0})
    sandbox.go:286: 	/usr/local/go/src/runtime/panic.go:884 +0x213
    sandbox.go:286: github.com/moby/buildkit/sourcepolicy.(*Engine).evaluatePolicy(0xc0005b93d0?, {0x1b9d9a8, 0xc0003210e0}, 0x0, 0xc000204ba0)
    sandbox.go:286: 	/src/sourcepolicy/engine.go:123 +0x1af

cpuguy83 · 2023-06-30T21:10:13Z

All green here now.

tonistiigi · 2023-07-07T03:34:44Z

 			ResolverType: llb.ResolverTypeRegistry,
 		})
 		if err != nil {
+			var e imageutil.ResolveToNonImageError


I think this needs to be a pointer because it looks like &ResolveToNonImageError{} is returned when this error happens.

Its passed into errors.As as a pointer. We don't ever propagate this error beyond this point, though.

https://go.dev/play/p/BQwN9fEeWHl

I don't quite understand how the current one even builds though. I get a build error if I don't remove pointer from func (e ResolveToNonImageError) Error() string { in that example.

I see the error in the playground but it makes very little sense to me why it would be failing or why the test suite is passing.

Oh it is passing because that's a panic not a compile error.

It still doesn't look correct to me in the latest version. Now it doesn't error but the As() check never matches. It's the case1 vs case2 example in the playground example.

Ideally, we could have a test for this as seems to be quite easy to break this behavior.

tonistiigi · 2023-07-07T17:47:32Z

 			ResolverType: llb.ResolverTypeRegistry,
 		})
 		if err != nil {
+			var e imageutil.ResolveToNonImageError


Before this change, ResolveImageConfig was unaware of source policies. This means that: 1. Images for denied sources may be resolved 2. Image configs may get pulled for sources that are later converted to a different image The update makes it so the image resolver first runs a given ref through the source policy and uses any mutated ref for the actual resolve (instead of the original ref). It also returns the mutated ref so it can be used correctly by the frontend (e.g. don't want to do llb.Image(oldRef@resolvedDigest)). Signed-off-by: Brian Goff <cpuguy83@gmail.com>

cpuguy83 force-pushed the source_policy_resolve_image branch 2 times, most recently from b9f72e4 to 283ccb3 Compare June 16, 2023 17:39

tonistiigi added this to the v0.12.0 milestone Jun 27, 2023

cpuguy83 force-pushed the source_policy_resolve_image branch 10 times, most recently from 4466473 to ca5b0c0 Compare June 30, 2023 20:18

cpuguy83 marked this pull request as ready for review June 30, 2023 21:09

tonistiigi reviewed Jul 7, 2023

View reviewed changes

cpuguy83 force-pushed the source_policy_resolve_image branch from ca5b0c0 to 04b2bf6 Compare July 7, 2023 17:25

tonistiigi reviewed Jul 7, 2023

View reviewed changes

cpuguy83 force-pushed the source_policy_resolve_image branch 2 times, most recently from 1145f69 to a118f4e Compare July 8, 2023 21:45

cpuguy83 force-pushed the source_policy_resolve_image branch from a118f4e to 330cf7a Compare July 10, 2023 17:45

tonistiigi approved these changes Jul 10, 2023

View reviewed changes

tonistiigi merged commit 6b99094 into moby:master Jul 10, 2023

cpuguy83 deleted the source_policy_resolve_image branch July 11, 2023 02:43

thaJeztah mentioned this pull request Aug 29, 2023

[v0.11 backport] Fix ResolveImageConfig to evaluate source policy #4186

Closed

Conversation

cpuguy83 commented Jun 16, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tonistiigi commented Jun 27, 2023

Uh oh!

cpuguy83 commented Jun 30, 2023

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

cpuguy83 commented Jun 16, 2023 •

edited

Loading