New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ociruntime: reapply tar unpack #8023

Merged

sluongng merged 6 commits into master from sluongng/reapply-go-tar-unpack

Dec 13, 2024

Contributor

sluongng commented Dec 6, 2024

This change include a few small changes inside:

Reapply "ociruntime: replace tar extraction subprocess with in-process (ociruntime: replace tar extraction subprocess with in-process #7589)" (Revert "ociruntime: replace tar extraction subprocess with in-process (#7589)" #8019)
Add a basic image pull test and guard it with a separate, manual Bazel test target to help verifying common images.
Fix issues with the previous implementation.
Ensure that parent directory is created for file tar entries.
Ignore unknown tar entry types (i.e. devices).

sluongng mentioned this pull request

ociruntime: fix blocking on unknown tar header #8017

Closed

sluongng requested review from bduffany and fmeum

December 6, 2024 16:07

sluongng force-pushed the sluongng/reapply-go-tar-unpack branch 2 times, most recently from e8794bf to e8e3285 Compare

December 6, 2024 16:09

sluongng marked this pull request as ready for review

December 6, 2024 16:11

Contributor Author

sluongng commented Dec 6, 2024

--- PASS: TestPullImage (74.35s)
    --- PASS: TestPullImage/dockerhub_busybox (1.09s)
    --- PASS: TestPullImage/ghcr_nix (7.38s)
    --- PASS: TestPullImage/executor_image (17.39s)
    --- PASS: TestPullImage/executor_docker (24.34s)
    --- PASS: TestPullImage/workflow_2004 (14.00s)
    --- PASS: TestPullImage/workflow_2204 (10.16s)
PASS

Also tested some public images that our users used and did not find any issues.

bduffany reviewed

View reviewed changes

enterprise/server/remote_execution/containers/ociruntime/BUILD Outdated

@@ @@ -102,6 +102,72 @@ go_test( @@
                   ],
               )
+              # keep

Member

bduffany Dec 6, 2024

nit: we have a few of these types of targets elsewhere but they are a bit of a hassle to maintain because gazelle doesn't handle them properly. I think it would be fine to use a flag (instead of env var) to guard the test, and then people could run it by passing the flag to the "normal" test target, like bazel test enterprise/server/remote_execution/containers/ociruntime:ociruntime_test --config=remote --test_arg=-test_pull=true (optionally adding --test_filter=TestPullImage to run just that test case)

Contributor Author

sluongng Dec 10, 2024

will fix

bduffany reviewed

View reviewed changes

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Show resolved Hide resolved

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Outdated

+              				return status.UnavailableErrorf("create directory: %s", err)
+              			}
+              		case tar.TypeReg:
+              			if err := os.MkdirAll(dir, os.ModePerm); err != nil {

Member

bduffany Dec 6, 2024

do we need to make the parent dir for TypeSymlink and TypeLink as well?

Contributor Author

sluongng Dec 10, 2024

yeah, I can add the create parent dir to all known cases

fmeum reviewed

View reviewed changes

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Outdated Show resolved Hide resolved

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Outdated

+              			if err := os.Link(source, target); err != nil {
+              				return status.UnavailableErrorf("create hard link: %s", err)
+              			}
+              			if err := os.Chown(target, header.Uid, header.Gid); err != nil {

Contributor

fmeum Dec 7, 2024

As far as I understand hardlinks, this would change the metadata of the target, which is shared between all hardlinks. Since we ensure that the target is created by this tar and thus could have had a mode set, should we skip it here to prevent flip-flopping? I don't know how tar handles this.

Contributor Author

sluongng Dec 10, 2024

will remove this

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Outdated Show resolved Hide resolved

sluongng added 3 commits

December 12, 2024 17:18


          Reapply "ociruntime: replace tar extraction subprocess with in-process (

739e3ce

#7589)" (#8019)

This reverts commit f45d620.


          Add a pull test

0a6ec62


          ociruntime: fix error from pulling our ubuntu1604 image

d9b6619

sluongng force-pushed the sluongng/reapply-go-tar-unpack branch from e8e3285 to bfe7051 Compare

December 12, 2024 16:18

sluongng requested review from fmeum and bduffany

December 13, 2024 11:39


          Update based on pr feedbacks

24962b0

sluongng force-pushed the sluongng/reapply-go-tar-unpack branch from bfe7051 to 24962b0 Compare

December 13, 2024 11:58

fmeum approved these changes

View reviewed changes

bduffany approved these changes

View reviewed changes

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Outdated Show resolved Hide resolved

enterprise/server/remote_execution/containers/ociruntime/ociruntime.go Outdated Show resolved Hide resolved

sluongng added 2 commits

December 13, 2024 19:44


          remove TODO

0dbd55c


          Remove redundant check

33ac4f2

bduffany approved these changes

View reviewed changes

sluongng merged commit f5ce15e into master

12 of 15 checks passed

sluongng deleted the sluongng/reapply-go-tar-unpack branch

December 13, 2024 19:43

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet