Merge pull request containers#4181 from nalind/scrub-usernames
Scrub user and group names from layer diffs
openshift-merge-robot authored Aug 11, 2022
2 parents 5c081c0 + da4647b commit 18cd2d5
Showing 2 changed files with 31 additions and 0 deletions.
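--- a/image.go
+++ b/image.go
@@ -430,6 +430,16 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 return nil, fmt.Errorf("error compressing %s: %w", what, err)
 }
 writer := io.MultiWriter(writeCloser, srcHasher.Hash())
+// Scrub any local user names that might correspond to UIDs or GIDs of
+// files in this layer.
+{
+nestedWriteCloser := ioutils.NewWriteCloserWrapper(writer, writeCloser.Close)
+writeCloser = newTarFilterer(nestedWriteCloser, func(hdr *tar.Header) (bool, bool, io.Reader) {
+hdr.Uname, hdr.Gname = "", ""
+return false, false, nil
+})
+writer = io.Writer(writeCloser)
+}
 // Use specified timestamps in the layer, if we're doing that for
 // history entries.
 if i.created != nil {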
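Review bot: In the added block, `writeCloser.Close` is passed to `NewWriteCloserWrapper` as a method value and `writeCloser` is reassigned to the tar filterer on the very next line, which reads as if closing the filterer would end up calling itself. It is correct, because Go binds the receiver when the method value is evaluated, so the wrapper still closes the earlier writer (presumably the compressor, going by the error message just above). That deserves a comment, for example `// writeCloser.Close is bound to the pre-filter writer here, before writeCloser is reassigned below`. The callback's `return false, false, nil` would also benefit from a short comment naming what the two booleans and the reader mean, since newTarFilterer's signature is not visible in this hunk. NewImageSource starts and ends outside the hunk.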
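--- a/tests/commit.bats
+++ b/tests/commit.bats
@@ -305,3 +305,24 @@ load helpers
 run_buildah commit --authfile ${TEST_SCRATCH_DIR}/test.auth $WITH_POLICY_JSON --tls-verify=false $cid docker://localhost:${REGISTRY_PORT}/buildah/my-busybox
 expect_output --substring "Writing manifest to image destination"
 }
+
+@test "commit-without-names" {
+_prefetch busybox
+run_buildah from --quiet --pull=false $WITH_POLICY_JSON busybox
+cid=$output
+run_buildah run $cid touch /testfile
+run_buildah run $cid chown $(id -u):$(id -g) /testfile
+run_buildah commit $cid dir:${TEST_SCRATCH_DIR}/new-image
+config=$(jq -r .config.digest ${TEST_SCRATCH_DIR}/new-image/manifest.json)
+echo "config blob is $config"
+diffid=$(jq -r '.rootfs.diff_ids[-1]' ${TEST_SCRATCH_DIR}/new-image/${config##*:})
+echo "new layer is $diffid"
+run_buildah copy $cid ${TEST_SCRATCH_DIR}/new-image/${diffid##*:} /testdiff.tar
+# use in-container version of tar to avoid worrying about differences in
+# output formats between tar implementations
+run_buildah run $cid tar tvf /testdiff.tar testfile
+echo "new file looks like [$output]"
+# ownership information should be forced to be in number/number format
+# instead of name/name because the names are gone
+assert "$output" =~ $(id -u)/$(id -g)
+}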
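Review bot: The `commit-without-names` test can pass without the scrubbing in place when the invoking UID/GID has no name that would be recorded in the layer, because the final `assert` only checks that `tar tvf` prints `$(id -u)/$(id -g)`, and the archive would then show numeric ownership either way. That precondition is inferred from the image.go comment about local user names, not shown in this file, so I would document it above the `chown` line, for example `# only meaningful when this UID/GID resolves to a user/group name; otherwise the check below passes trivially`. Quoting the pattern with surrounding spaces, `assert "$output" =~ " $(id -u)/$(id -g) "`, would also keep it from matching inside a longer field, assuming the `assert` helper treats the right-hand side as a regular expression.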
