mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

forbid chained onbuild, from & maintainer triggers

This changes the way onbuild works:
- forbids the chaining of onbuild instructions
- forbids the use of `onbuild from`
- forbids the use of `onbuild maintainer`

It also makes docker throw an error if it encounters such a trigger while
executing triggers during `FROM`.

Three tests have been added:
- ensure that chained onbuild (`onbuild onbuild`) is forbidden
- ensure that `onbuild from` is forbidden
- ensure that `onbuild maintainer` is forbidden

Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
unclejack 2014-02-20 17:16:45 +02:00
parent d45538f243
commit b829e96cde
3 changed files with 60 additions and 0 deletions


@ -117,6 +117,14 @@ func (b *buildFile) CmdFrom(name string) error {
fmt.Fprintf(b.errStream, "# Executing %d build triggers\n", nTriggers) fmt.Fprintf(b.errStream, "# Executing %d build triggers\n", nTriggers)
} }
for n, step := range b.config.OnBuild { for n, step := range b.config.OnBuild {
splitStep := strings.Split(step, " ")
stepInstruction := strings.ToUpper(strings.Trim(splitStep[0], " "))
switch stepInstruction {
case "ONBUILD":
return fmt.Errorf("Source image contains forbidden chained `ONBUILD ONBUILD` trigger: %s", step)
case "MAINTAINER", "FROM":
return fmt.Errorf("Source image contains forbidden %s trigger: %s", stepInstruction, step)
}
if err := b.BuildStep(fmt.Sprintf("onbuild-%d", n), step); err != nil { if err := b.BuildStep(fmt.Sprintf("onbuild-%d", n), step); err != nil {
return err return err
} }
@ -128,6 +136,14 @@ func (b *buildFile) CmdFrom(name string) error {
// The ONBUILD command declares a build instruction to be executed in any future build // The ONBUILD command declares a build instruction to be executed in any future build
// using the current image as a base. // using the current image as a base.
func (b *buildFile) CmdOnbuild(trigger string) error { func (b *buildFile) CmdOnbuild(trigger string) error {
splitTrigger := strings.Split(trigger, " ")
triggerInstruction := strings.ToUpper(strings.Trim(splitTrigger[0], " "))
switch triggerInstruction {
case "ONBUILD":
return fmt.Errorf("Chaining ONBUILD via `ONBUILD ONBUILD` isn't allowed")
case "MAINTAINER", "FROM":
return fmt.Errorf("%s isn't allowed as an ONBUILD trigger", triggerInstruction)
}
b.config.OnBuild = append(b.config.OnBuild, trigger) b.config.OnBuild = append(b.config.OnBuild, trigger)
return b.commit("", b.config.Cmd, fmt.Sprintf("ONBUILD %s", trigger)) return b.commit("", b.config.Cmd, fmt.Sprintf("ONBUILD %s", trigger))
} }
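Review bot: The trigger keyword is extracted with `strings.Split(step, " ")` in CmdFrom (and the same way from `trigger` in CmdOnbuild), so only a single ASCII space counts as a separator; a string with leading spaces or a tab after the keyword produces a first token that matches none of the `case` labels. The OnBuild list iterated in CmdFrom comes from the source image's config, which need not have passed through this CmdOnbuild check, so the FROM-time switch is the one that has to hold for arbitrary strings. Whether BuildStep would still dispatch such a string is outside the visible hunks, but using `fields := strings.Fields(step)`, rejecting `len(fields) == 0`, and switching on `strings.ToUpper(fields[0])` removes that dependence. The two switches are duplicated as well; a small shared helper would keep the forbidden-instruction list in one place. CmdFrom's body extends beyond the hunk.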


@ -466,6 +466,8 @@ For example you might add something like this:
ONBUILD RUN /usr/local/bin/python-build --dir /app/src ONBUILD RUN /usr/local/bin/python-build --dir /app/src
[...] [...]
.. warning:: Chaining ONBUILD instructions using `ONBUILD ONBUILD` isn't allowed.
.. warning:: ONBUILD may not trigger FROM or MAINTAINER instructions.
.. _dockerfile_examples: .. _dockerfile_examples:


@ -924,3 +924,45 @@ func TestBuildOnBuildTrigger(t *testing.T) {
} }
// FIXME: test that the 'foobar' file was created in the final build. // FIXME: test that the 'foobar' file was created in the final build.
} }
func TestBuildOnBuildForbiddenChainedTrigger(t *testing.T) {
_, err := buildImage(testContextTemplate{`
from {IMAGE}
onbuild onbuild run echo test
`,
nil, nil,
},
t, nil, true,
)
if err == nil {
t.Fatal("Error should not be nil")
}
}
func TestBuildOnBuildForbiddenFromTrigger(t *testing.T) {
_, err := buildImage(testContextTemplate{`
from {IMAGE}
onbuild from {IMAGE}
`,
nil, nil,
},
t, nil, true,
)
if err == nil {
t.Fatal("Error should not be nil")
}
}
func TestBuildOnBuildForbiddenMaintainerTrigger(t *testing.T) {
_, err := buildImage(testContextTemplate{`
from {IMAGE}
onbuild maintainer test
`,
nil, nil,
},
t, nil, true,
)
if err == nil {
t.Fatal("Error should not be nil")
}
}
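Review bot: All three new tests accept any build failure, because they only check `err == nil`; a build that fails for an unrelated reason (bad context, unavailable base image) would satisfy them too. Asserting on the message pins the intended rejection, e.g. `if err == nil || !strings.Contains(err.Error(), "isn't allowed") { t.Fatalf("expected forbidden-trigger error, got %v", err) }`, assuming `strings` is imported in this test file. The tests also cover only the declaration-time rejection in CmdOnbuild; the FROM-time check against a source image whose config already carries a forbidden trigger has no test in this section.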