Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

generate systemd: support entrypoint JSON strings #12545

Merged
merged 1 commit into from
Dec 9, 2021

Conversation

vrothberg
Copy link
Member

@vrothberg vrothberg commented Dec 8, 2021

Make sure to preserve the quoting of entrypoint JSON strings.

Fixes: #12477
Signed-off-by: Valentin Rothberg rothberg@redhat.com

@edsantiago
Copy link
Member

Any idea what this flake is about? I've seen it three times this week:

VERSION=1.36.0 GOBIN=/var/tmp/go/bin ./hack/install_golangci.sh
Installing golangci-lint v1.36.0 into ./bin/golangci-lint
golangci/golangci-lint info checking GitHub for tag 'v1.36.0'
golangci/golangci-lint info found version: 1.36.0 for v1.36.0/linux/amd64
make: *** [Makefile:846: .install.golangci-lint] Error 1

Unfortunately it's not one that my flake-logger catches.

@vrothberg
Copy link
Member Author

No idea, probably need to make .install.golangci-lint more verbose?

@edsantiago
Copy link
Member

Error is:

swagger generate spec -o swagger.yaml -i tags.yaml -w ./ -m
/usr/local/bin/swagger: line 1: syntax error near unexpected token `<'
/usr/local/bin/swagger: line 1: `<?xml version="1.0" encoding="utf-8"?><Error><Code>ServerBusy</Code><Message>Egress is over the account limit.'
make[1]: *** [Makefile:15: swagger.yaml] Error 2
make[1]: Leaving directory '/var/tmp/go/src/github.com/containers/podman/pkg/api'
make: *** [Makefile:446: pkg/api/swagger.yaml] Error 2

I don't know what swagger or Egress are, so am not restarting.

@@ -86,6 +86,32 @@ func filterCommonContainerFlags(command []string, argCount int) []string {
return processed
}

func escapeJSONString(s string) string {
if strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]") {
return "'" + s + "'"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my first question here is, what if s includes singlequotes? But I can't figure out how to trigger this code, so I can't write a test case, and I need to move on to other stuff. Anyhow, maybe you could add that to your unit tests? Something like:

... --entrypoint "[\"sh\", \"-c\", \"date '+%s'\"]"

Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't look like the correct fix to me. IMO the problem is that the quotes are not escaped what needs to be done is add " to the match in escapeSystemdArg() -> if strings.ContainsAny(arg, " \t\"") { with that fix it should now correctly escape the qutoes.

@vrothberg
Copy link
Member Author

This doesn't look like the correct fix to me. IMO the problem is that the quotes are not escaped what needs to be done is add " to the match in escapeSystemdArg() -> if strings.ContainsAny(arg, " \t"") { with that fix it should now correctly escape the qutoes.

Did you actually test it or do you guess? It's already escaped but the surrounding single quotes are the crux of the matter as far as I could see and test.

@Luap99
Copy link
Member

Luap99 commented Dec 8, 2021

$ podman create --name test --entrypoint '["top"]' alpine
2d89ca9de2e1d1962c23e89f1065aedc5b760dd2db1b0f74ef0087bc70f5205d
pholzing ~ ✓ $ podman generate systemd --new test 
# container-2d89ca9de2e1d1962c23e89f1065aedc5b760dd2db1b0f74ef0087bc70f5205d.service
# autogenerated by Podman 3.4.2
# Wed Dec  8 15:31:09 CET 2021

[Unit]
Description=Podman container-2d89ca9de2e1d1962c23e89f1065aedc5b760dd2db1b0f74ef0087bc70f5205d.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon -d --replace --name test --entrypoint ["top"] alpine
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=multi-user.target default.target

It not escaped at the moment.

With my proposed change:

...
ExecStart=/home/pholzing/go/src/github.com/containers/podman/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon -d --replace --name test --entrypoint "[\"top\"]" alpine
...
$ git diff
diff --git a/pkg/systemd/generate/common.go b/pkg/systemd/generate/common.go
index 24c85a27e..8689e084c 100644
--- a/pkg/systemd/generate/common.go
+++ b/pkg/systemd/generate/common.go
@@ -101,7 +101,7 @@ func escapeSystemdArguments(command []string) []string {
 func escapeSystemdArg(arg string) string {
        arg = strings.ReplaceAll(arg, "$", "$$")
        arg = strings.ReplaceAll(arg, "%", "%%")
-       if strings.ContainsAny(arg, " \t") {
+       if strings.ContainsAny(arg, " \t\"") {
                arg = strconv.Quote(arg)
        } else if strings.Contains(arg, `\`) {
                // strconv.Quote also escapes backslashes so

@mheon
Copy link
Member

mheon commented Dec 8, 2021

/usr/local/bin/swagger: line 1: `<?xml version="1.0" encoding="utf-8"?><Error><Code>ServerBusy</Code><Message>Egress is over the account limit.'

@cevich PTAL

@vrothberg
Copy link
Member Author

Thanks, @Luap99. I'll take a look.

Make sure to preserve the quoting of entrypoint JSON strings.

Fixes: containers#12477
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@vrothberg
Copy link
Member Author

@edsantiago @Luap99 PTanotherL

@cevich
Copy link
Member

cevich commented Dec 8, 2021

ServerBusyEgress is over the account limit.

I don't think this is us or our stuff (directly). This is coming from contrib/cirrus/runner.sh line 169 where we download the swagger 'binary'. Though, given the number of PRs we run, it's conceivable we're not helping the situation by downloading the exact same binary every time this task runs 😖

Let me move this download into the VM Image build process, that will help their egress limit as well as reduce the number of ways our CI can flake...

Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cevich
Copy link
Member

cevich commented Dec 8, 2021

...opened containers/automation_images#103 I'll work it through the process into a separate PR here.

@edsantiago
Copy link
Member

Oh, I get it now. My earlier tests were useless because the existing strings.ContainsAny(arg, " \t") was already triggering strconv.Quote().

I'm not convinced that this PR totally fixes everything. Could I suggest:

-       if strings.ContainsAny(arg, " \t\"") {
+       if strings.ContainsAny(arg, " \t\"'[]") {

This will, I think, properly handle:

$ ... --entrypoint "['top']"

But I might be wrong. I don't understand the use cases for this.

@Luap99
Copy link
Member

Luap99 commented Dec 8, 2021

['top'] is not valid json

@edsantiago
Copy link
Member

Then I don't know enough to approve this PR. What I can do is confirm that this PR behaves differently from podman-3.4.2-1.fc35, and in a way that (to my eye) looks improved:

$ bin/podman create --name foo --entrypoint '["top"]' quay.io/libpod/testimage:20210610
838b457d88e3f5d9075ec41eb6fdb92e4f332f6ba3451d513a384608b23b787b
$ bin/podman generate systemd foo --new | grep -i entr
.... --entrypoint "[\"top\"]"     <--- with /usr/bin/podman, yields: --entrypoint ["top"], no escapes

@TomSweeneyRedHat
Copy link
Member

LGTM
but I'd like another set of eyeballs on this before the merge.

Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 9, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 9, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 4a52a45 into containers:main Dec 9, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
8 participants