forbid chained onbuild, from & maintainer triggers
This changes the way onbuild works:
- forbids the chaining of onbuild instructions
- forbids the use of `onbuild from`
- forbids the use of `onbuild maintainer`

It also makes docker throw errors when encountering such triggers when executing the triggers during `FROM`.

Three tests have been added:
- ensure that chained onbuild (`onbuild onbuild`) is forbidden
- ensure that `onbuild from` is forbidden
- ensure that `onbuild maintainer` is forbidden

Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
parent
d45538f243
commit
b829e96cde
3 changed files with 60 additions and 0 deletions
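--- a/buildfile.go
+++ b/buildfile.go
@@ -117,6 +117,14 @@ func (b *buildFile) CmdFrom(name string) error {
 fmt.Fprintf(b.errStream, "# Executing %d build triggers\n", nTriggers)
 }
 for n, step := range b.config.OnBuild {
+splitStep := strings.Split(step, " ")
+stepInstruction := strings.ToUpper(strings.Trim(splitStep[0], " "))
+switch stepInstruction {
+case "ONBUILD":
+return fmt.Errorf("Source image contains forbidden chained `ONBUILD ONBUILD` trigger: %s", step)
+case "MAINTAINER", "FROM":
+return fmt.Errorf("Source image contains forbidden %s trigger: %s", stepInstruction, step)
+}
 if err := b.BuildStep(fmt.Sprintf("onbuild-%d", n), step); err != nil {
 return err
 }
@@ -128,6 +136,14 @@ func (b *buildFile) CmdFrom(name string) error {
 // The ONBUILD command declares a build instruction to be executed in any future build
 // using the current image as a base.
 func (b *buildFile) CmdOnbuild(trigger string) error {
+splitTrigger := strings.Split(trigger, " ")
+triggerInstruction := strings.ToUpper(strings.Trim(splitTrigger[0], " "))
+switch triggerInstruction {
+case "ONBUILD":
+return fmt.Errorf("Chaining ONBUILD via `ONBUILD ONBUILD` isn't allowed")
+case "MAINTAINER", "FROM":
+return fmt.Errorf("%s isn't allowed as an ONBUILD trigger", triggerInstruction)
+}
 b.config.OnBuild = append(b.config.OnBuild, trigger)
 return b.commit("", b.config.Cmd, fmt.Sprintf("ONBUILD %s", trigger))
 }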
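Review bot: The forbidden-instruction check in both `CmdFrom` and `CmdOnbuild` takes its keyword from `strings.Split(step, " ")`, so it only recognises the instruction when it is the very first token and is followed by a plain space. A trigger with leading whitespace or a tab after the keyword falls through the `switch`, and the later `strings.Trim(..., " ")` cannot help because the split has already consumed the spaces. In `CmdFrom` the triggers are read from the source image's config, which the builder should treat as untrusted input, so the filter should tokenize on any whitespace: `fields := strings.Fields(step)`, reject `len(fields) == 0` with an error, then `stepInstruction := strings.ToUpper(fields[0])`. Whether `BuildStep` would accept such a line depends on its own parsing, which is not visible here. The two switches differ only in their messages and could share one helper so the deny-list cannot drift; `CmdFrom` starts outside the hunk.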
|
|
|
@ -466,6 +466,8 @@ For example you might add something like this:
|
||||||
ONBUILD RUN /usr/local/bin/python-build --dir /app/src
|
ONBUILD RUN /usr/local/bin/python-build --dir /app/src
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
|
.. warning:: Chaining ONBUILD instructions using `ONBUILD ONBUILD` isn't allowed.
|
||||||
|
.. warning:: ONBUILD may not trigger FROM or MAINTAINER instructions.
|
||||||
|
|
||||||
.. _dockerfile_examples:
|
.. _dockerfile_examples:
|
||||||
|
|
||||||
|
|
|
@ -924,3 +924,45 @@ func TestBuildOnBuildTrigger(t *testing.T) {
|
||||||
}
|
}
|
||||||
// FIXME: test that the 'foobar' file was created in the final build.
|
// FIXME: test that the 'foobar' file was created in the final build.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestBuildOnBuildForbiddenChainedTrigger(t *testing.T) {
|
||||||
|
_, err := buildImage(testContextTemplate{`
|
||||||
|
from {IMAGE}
|
||||||
|
onbuild onbuild run echo test
|
||||||
|
`,
|
||||||
|
nil, nil,
|
||||||
|
},
|
||||||
|
t, nil, true,
|
||||||
|
)
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("Error should not be nil")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestBuildOnBuildForbiddenFromTrigger(t *testing.T) {
|
||||||
|
_, err := buildImage(testContextTemplate{`
|
||||||
|
from {IMAGE}
|
||||||
|
onbuild from {IMAGE}
|
||||||
|
`,
|
||||||
|
nil, nil,
|
||||||
|
},
|
||||||
|
t, nil, true,
|
||||||
|
)
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("Error should not be nil")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestBuildOnBuildForbiddenMaintainerTrigger(t *testing.T) {
|
||||||
|
_, err := buildImage(testContextTemplate{`
|
||||||
|
from {IMAGE}
|
||||||
|
onbuild maintainer test
|
||||||
|
`,
|
||||||
|
nil, nil,
|
||||||
|
},
|
||||||
|
t, nil, true,
|
||||||
|
)
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("Error should not be nil")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
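Review bot: All three new tests pass on any build failure because they only check `err == nil`, so a broken template or an unrelated builder error would satisfy them just as well as the new rejection. Assert on the message instead, e.g. `if err == nil || !strings.Contains(err.Error(), "isn't allowed") { t.Fatalf("unexpected result: %v", err) }` (assuming `strings` is imported in this file and `buildImage` returns the builder's error unwrapped). The tests also cover only the `CmdOnbuild` rejection at the time the trigger is declared. The check added to `CmdFrom`, which is the one that protects against a base image whose stored config already carries an `ONBUILD`, `FROM` or `MAINTAINER` trigger, has no test in this hunk and would need a fixture image with such a config.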