package main import ( "os" "testing" "gotest.tools/v3/assert" ) // Try all of the test cases from the archive package which implements the // internals of `docker cp` and ensure that the behavior matches when actually // copying to and from containers. // Basic assumptions about SRC and DST: // 1. SRC must exist. // 2. If SRC ends with a trailing separator, it must be a directory. // 3. DST parent directory must exist. // 4. If DST exists as a file, it must not end with a trailing separator. // Check that copying from a local path to a symlink in a container copies to // the symlink target and does not overwrite the container symlink itself. func (s *DockerCLICpSuite) TestCpToSymlinkDestination(c *testing.T) { // stat /tmp/test-cp-to-symlink-destination-262430901/vol3 gets permission denied for the user testRequires(c, NotUserNamespace) testRequires(c, DaemonIsLinux) testRequires(c, testEnv.IsLocalDaemon) // Requires local volume mount bind. testVol := getTestDir(c, "test-cp-to-symlink-destination-") defer os.RemoveAll(testVol) makeTestContentInDir(c, testVol) containerID := makeTestContainer(c, testContainerOptions{ volumes: defaultVolumes(testVol), // Our bind mount is at /vol2 }) // First, copy a local file to a symlink to a file in the container. This // should overwrite the symlink target contents with the source contents. srcPath := cpPath(testVol, "file2") dstPath := containerCpPath(containerID, "/vol2/symlinkToFile1") assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, symlinkTargetEquals(c, cpPath(testVol, "symlinkToFile1"), "file1"), "The symlink should not have been modified") assert.NilError(c, fileContentEquals(c, cpPath(testVol, "file1"), "file2\n"), `The file should have the contents of "file2" now`) // Next, copy a local file to a symlink to a directory in the container. // This should copy the file into the symlink target directory. dstPath = containerCpPath(containerID, "/vol2/symlinkToDir1") assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, symlinkTargetEquals(c, cpPath(testVol, "symlinkToDir1"), "dir1"), "The symlink should not have been modified") assert.NilError(c, fileContentEquals(c, cpPath(testVol, "file2"), "file2\n"), `The file should have the contents of "file2"" now`) // Next, copy a file to a symlink to a file that does not exist (a broken // symlink) in the container. This should create the target file with the // contents of the source file. dstPath = containerCpPath(containerID, "/vol2/brokenSymlinkToFileX") assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, symlinkTargetEquals(c, cpPath(testVol, "brokenSymlinkToFileX"), "fileX"), "The symlink should not have been modified") assert.NilError(c, fileContentEquals(c, cpPath(testVol, "fileX"), "file2\n"), `The file should have the contents of "file2"" now`) // Next, copy a local directory to a symlink to a directory in the // container. This should copy the directory into the symlink target // directory and not modify the symlink. srcPath = cpPath(testVol, "/dir2") dstPath = containerCpPath(containerID, "/vol2/symlinkToDir1") assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, symlinkTargetEquals(c, cpPath(testVol, "symlinkToDir1"), "dir1"), "The symlink should not have been modified") assert.NilError(c, fileContentEquals(c, cpPath(testVol, "dir1/dir2/file2-1"), "file2-1\n"), `The directory should now contain a copy of "dir2"`) // Next, copy a local directory to a symlink to a local directory that does // not exist (a broken symlink) in the container. This should create the // target as a directory with the contents of the source directory. It // should not modify the symlink. dstPath = containerCpPath(containerID, "/vol2/brokenSymlinkToDirX") assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, symlinkTargetEquals(c, cpPath(testVol, "brokenSymlinkToDirX"), "dirX"), "The symlink should not have been modified") assert.NilError(c, fileContentEquals(c, cpPath(testVol, "dirX/file2-1"), "file2-1\n"), `The "dirX" directory should now be a copy of "dir2"`) } // Possibilities are reduced to the remaining 10 cases: // // case | srcIsDir | onlyDirContents | dstExists | dstIsDir | dstTrSep | action // =================================================================================================== // A | no | - | no | - | no | create file // B | no | - | no | - | yes | error // C | no | - | yes | no | - | overwrite file // D | no | - | yes | yes | - | create file in dst dir // E | yes | no | no | - | - | create dir, copy contents // F | yes | no | yes | no | - | error // G | yes | no | yes | yes | - | copy dir and contents // H | yes | yes | no | - | - | create dir, copy contents // I | yes | yes | yes | no | - | error // J | yes | yes | yes | yes | - | copy dir contents // // A. SRC specifies a file and DST (no trailing path separator) doesn't exist. // // This should create a file with the name DST and copy the contents of the // source file into it. func (s *DockerCLICpSuite) TestCpToCaseA(c *testing.T) { containerID := makeTestContainer(c, testContainerOptions{ workDir: "/root", command: makeCatFileCommand("itWorks.txt"), }) tmpDir := getTestDir(c, "test-cp-to-case-a") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcPath := cpPath(tmpDir, "file1") dstPath := containerCpPath(containerID, "/root/itWorks.txt") assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1\n")) } // B. SRC specifies a file and DST (with trailing path separator) doesn't exist. // // This should cause an error because the copy operation cannot create a // directory when copying a single file. func (s *DockerCLICpSuite) TestCpToCaseB(c *testing.T) { containerID := makeTestContainer(c, testContainerOptions{ command: makeCatFileCommand("testDir/file1"), }) tmpDir := getTestDir(c, "test-cp-to-case-b") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcPath := cpPath(tmpDir, "file1") dstDir := containerCpPathTrailingSep(containerID, "testDir") err := runDockerCp(c, srcPath, dstDir) assert.ErrorContains(c, err, "") assert.Assert(c, isCpDirNotExist(err), "expected DirNotExists error, but got %T: %s", err, err) } // C. SRC specifies a file and DST exists as a file. // // This should overwrite the file at DST with the contents of the source file. func (s *DockerCLICpSuite) TestCpToCaseC(c *testing.T) { testRequires(c, DaemonIsLinux) containerID := makeTestContainer(c, testContainerOptions{ addContent: true, workDir: "/root", command: makeCatFileCommand("file2"), }) tmpDir := getTestDir(c, "test-cp-to-case-c") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcPath := cpPath(tmpDir, "file1") dstPath := containerCpPath(containerID, "/root/file2") // Ensure the container's file starts with the original content. assert.NilError(c, containerStartOutputEquals(c, containerID, "file2\n")) assert.NilError(c, runDockerCp(c, srcPath, dstPath)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1\n"), "Should now contain file1's contents") } // D. SRC specifies a file and DST exists as a directory. // // This should place a copy of the source file inside it using the basename from // SRC. Ensure this works whether DST has a trailing path separator or not. func (s *DockerCLICpSuite) TestCpToCaseD(c *testing.T) { testRequires(c, DaemonIsLinux) containerID := makeTestContainer(c, testContainerOptions{ addContent: true, command: makeCatFileCommand("/dir1/file1"), }) tmpDir := getTestDir(c, "test-cp-to-case-d") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcPath := cpPath(tmpDir, "file1") dstDir := containerCpPath(containerID, "dir1") assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") assert.NilError(c, runDockerCp(c, srcPath, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1\n"), "Should now contain file1's contents") // Now try again but using a trailing path separator for dstDir. // Make new destination container. containerID = makeTestContainer(c, testContainerOptions{ addContent: true, command: makeCatFileCommand("/dir1/file1"), }) dstDir = containerCpPathTrailingSep(containerID, "dir1") assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") assert.NilError(c, runDockerCp(c, srcPath, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1\n"), "Should now contain file1's contents") } // E. SRC specifies a directory and DST does not exist. // // This should create a directory at DST and copy the contents of the SRC // directory into the DST directory. Ensure this works whether DST has a // trailing path separator or not. func (s *DockerCLICpSuite) TestCpToCaseE(c *testing.T) { containerID := makeTestContainer(c, testContainerOptions{ command: makeCatFileCommand("/testDir/file1-1"), }) tmpDir := getTestDir(c, "test-cp-to-case-e") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcDir := cpPath(tmpDir, "dir1") dstDir := containerCpPath(containerID, "testDir") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should now contain file1-1's contents") // Now try again but using a trailing path separator for dstDir. // Make new destination container. containerID = makeTestContainer(c, testContainerOptions{ command: makeCatFileCommand("/testDir/file1-1"), }) dstDir = containerCpPathTrailingSep(containerID, "testDir") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should now contain file1-1's contents") } // F. SRC specifies a directory and DST exists as a file. // // This should cause an error as it is not possible to overwrite a file with a // directory. func (s *DockerCLICpSuite) TestCpToCaseF(c *testing.T) { testRequires(c, DaemonIsLinux) containerID := makeTestContainer(c, testContainerOptions{ addContent: true, workDir: "/root", }) tmpDir := getTestDir(c, "test-cp-to-case-f") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcDir := cpPath(tmpDir, "dir1") dstFile := containerCpPath(containerID, "/root/file1") err := runDockerCp(c, srcDir, dstFile) assert.ErrorContains(c, err, "") assert.Assert(c, isCpCannotCopyDir(err), "expected ErrCannotCopyDir error, but got %T: %s", err, err) } // G. SRC specifies a directory and DST exists as a directory. // // This should copy the SRC directory and all its contents to the DST directory. // Ensure this works whether DST has a trailing path separator or not. func (s *DockerCLICpSuite) TestCpToCaseG(c *testing.T) { testRequires(c, DaemonIsLinux) containerID := makeTestContainer(c, testContainerOptions{ addContent: true, workDir: "/root", command: makeCatFileCommand("dir2/dir1/file1-1"), }) tmpDir := getTestDir(c, "test-cp-to-case-g") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcDir := cpPath(tmpDir, "dir1") dstDir := containerCpPath(containerID, "/root/dir2") assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should now contain file1-1's contents") // Now try again but using a trailing path separator for dstDir. // Make new destination container. containerID = makeTestContainer(c, testContainerOptions{ addContent: true, command: makeCatFileCommand("/dir2/dir1/file1-1"), }) dstDir = containerCpPathTrailingSep(containerID, "/dir2") assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should now contain file1-1's contents") } // H. SRC specifies a directory's contents only and DST does not exist. // // This should create a directory at DST and copy the contents of the SRC // directory (but not the directory itself) into the DST directory. Ensure // this works whether DST has a trailing path separator or not. func (s *DockerCLICpSuite) TestCpToCaseH(c *testing.T) { containerID := makeTestContainer(c, testContainerOptions{ command: makeCatFileCommand("/testDir/file1-1"), }) tmpDir := getTestDir(c, "test-cp-to-case-h") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcDir := cpPathTrailingSep(tmpDir, "dir1") + "." dstDir := containerCpPath(containerID, "testDir") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should now contain file1-1's contents") // Now try again but using a trailing path separator for dstDir. // Make new destination container. containerID = makeTestContainer(c, testContainerOptions{ command: makeCatFileCommand("/testDir/file1-1"), }) dstDir = containerCpPathTrailingSep(containerID, "testDir") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should now contain file1-1's contents") } // I. SRC specifies a directory's contents only and DST exists as a file. // // This should cause an error as it is not possible to overwrite a file with a // directory. func (s *DockerCLICpSuite) TestCpToCaseI(c *testing.T) { testRequires(c, DaemonIsLinux) containerID := makeTestContainer(c, testContainerOptions{ addContent: true, workDir: "/root", }) tmpDir := getTestDir(c, "test-cp-to-case-i") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcDir := cpPathTrailingSep(tmpDir, "dir1") + "." dstFile := containerCpPath(containerID, "/root/file1") err := runDockerCp(c, srcDir, dstFile) assert.ErrorContains(c, err, "") assert.Assert(c, isCpCannotCopyDir(err), "expected ErrCannotCopyDir error, but got %T: %s", err, err) } // J. SRC specifies a directory's contents only and DST exists as a directory. // // This should copy the contents of the SRC directory (but not the directory // itself) into the DST directory. Ensure this works whether DST has a // trailing path separator or not. func (s *DockerCLICpSuite) TestCpToCaseJ(c *testing.T) { testRequires(c, DaemonIsLinux) containerID := makeTestContainer(c, testContainerOptions{ addContent: true, workDir: "/root", command: makeCatFileCommand("/dir2/file1-1"), }) tmpDir := getTestDir(c, "test-cp-to-case-j") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) srcDir := cpPathTrailingSep(tmpDir, "dir1") + "." dstDir := containerCpPath(containerID, "/dir2") assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should've contained file1-1's contents") // Now try again but using a trailing path separator for dstDir. // Make new destination container. containerID = makeTestContainer(c, testContainerOptions{ command: makeCatFileCommand("/dir2/file1-1"), }) dstDir = containerCpPathTrailingSep(containerID, "/dir2") assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") assert.NilError(c, runDockerCp(c, srcDir, dstDir)) assert.NilError(c, containerStartOutputEquals(c, containerID, "file1-1\n"), "Should've contained file1-1's contents") } // The `docker cp` command should also ensure that you cannot // write to a container rootfs that is marked as read-only. func (s *DockerCLICpSuite) TestCpToErrReadOnlyRootfs(c *testing.T) { // --read-only + userns has remount issues testRequires(c, DaemonIsLinux, NotUserNamespace) tmpDir := getTestDir(c, "test-cp-to-err-read-only-rootfs") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) containerID := makeTestContainer(c, testContainerOptions{ readOnly: true, workDir: "/root", command: makeCatFileCommand("shouldNotExist"), }) srcPath := cpPath(tmpDir, "file1") dstPath := containerCpPath(containerID, "/root/shouldNotExist") err := runDockerCp(c, srcPath, dstPath) assert.ErrorContains(c, err, "") assert.Assert(c, isCpCannotCopyReadOnly(err), "expected ErrContainerRootfsReadonly error, but got %T: %s", err, err) assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") } // The `docker cp` command should also ensure that you // cannot write to a volume that is mounted as read-only. func (s *DockerCLICpSuite) TestCpToErrReadOnlyVolume(c *testing.T) { // --read-only + userns has remount issues testRequires(c, DaemonIsLinux, NotUserNamespace) tmpDir := getTestDir(c, "test-cp-to-err-read-only-volume") defer os.RemoveAll(tmpDir) makeTestContentInDir(c, tmpDir) containerID := makeTestContainer(c, testContainerOptions{ volumes: defaultVolumes(tmpDir), workDir: "/root", command: makeCatFileCommand("/vol_ro/shouldNotExist"), }) srcPath := cpPath(tmpDir, "file1") dstPath := containerCpPath(containerID, "/vol_ro/shouldNotExist") err := runDockerCp(c, srcPath, dstPath) assert.ErrorContains(c, err, "") assert.Assert(c, isCpCannotCopyReadOnly(err), "expected ErrVolumeReadonly error, but got %T: %s", err, err) assert.NilError(c, containerStartOutputEquals(c, containerID, ""), "dstPath should not have existed") }