Merge pull request containerd#81 from kevpar/argsescaped

Fix Windows containers for Docker images relying on ArgsEscaped

Author: kevpar

pkg/server/container_create.go

@@ -25,7 +25,9 @@ import (
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/validate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/syndtr/gocapability/capability"
+	"golang.org/x/sys/windows"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 
 	containerstore "github.com/containerd/cri/pkg/store/container"
@@ -39,26 +41,75 @@ func init() {
 
 // setOCIProcessArgs sets process args. It returns error if the final arg list
 // is empty.
-func setOCIProcessArgs(g *generator, config *runtime.ContainerConfig, imageConfig *imagespec.ImageConfig) error {
+func setOCIProcessArgs(g *generator, config *runtime.ContainerConfig, image *imagespec.Image) error {
 	command, args := config.GetCommand(), config.GetArgs()
 	// The following logic is migrated from https://github.com/moby/moby/blob/master/daemon/commit.go
 	// TODO(random-liu): Clearly define the commands overwrite behavior.
 	if len(command) == 0 {
 		// Copy array to avoid data race.
 		if len(args) == 0 {
-			args = append([]string{}, imageConfig.Cmd...)
+			args = append([]string{}, image.Config.Cmd...)
 		}
 		if command == nil {
-			command = append([]string{}, imageConfig.Entrypoint...)
+			command = append([]string{}, image.Config.Entrypoint...)
 		}
 	}
 	if len(command) == 0 && len(args) == 0 {
 		return errors.New("no command specified")
 	}
-	g.SetProcessArgs(append(command, args...))
+	var ignoreArgsEscaped bool
+	if ignoreArgsEscapedAnno, ok := config.Annotations["microsoft.io/ignore-args-escaped"]; ok {
+		ignoreArgsEscaped = ignoreArgsEscapedAnno == "true"
+	}
+	setProcessArgs(g, image.OS == "windows", image.Config.ArgsEscaped && !ignoreArgsEscaped, append(command, args...))
 	return nil
 }
 
+// setProcessArgs sets either g.Config.Process.CommandLine or g.Config.Process.Args.
+// This is forked from g.SetProcessArgs to add argsEscaped support.
+func setProcessArgs(g *generator, isWindows bool, argsEscaped bool, args []string) {
+	logrus.WithFields(logrus.Fields{
+		"isWindows":   isWindows,
+		"argsEscaped": argsEscaped,
+		"args":        args,
+	}).Info("Setting process args on OCI spec")
+	if g.Config == nil {
+		g.Config = &runtimespec.Spec{}
+	}
+	if g.Config.Process == nil {
+		g.Config.Process = &runtimespec.Process{}
+	}
+
+	if isWindows && argsEscaped {
+		// argsEscaped is used for Windows containers to indicate that the command line should be
+		// used from args[0] without escaping. This case seems to mostly result from use of
+		// shell-form ENTRYPOINT or CMD in the Dockerfile. argsEscaped is a non-standard OCI
+		// extension but we are using it here to support Docker images that rely on it. In the
+		// future we should move to some properly standardized support in upstream OCI.
+		// This logic is taken from https://github.com/moby/moby/blob/24f173a003727611aa482a55b812e0e39c67be65/daemon/oci_windows.go#L244
+		//
+		// Note: The approach taken here causes ArgsEscaped to change how commands passed directly
+		// via CRI are interpreted as well. However, this actually matches with Docker's behavior
+		// regarding commands specified at container create time, and seems non-trivial to fix,
+		// so going to leave this way for now.
+		g.Config.Process.CommandLine = args[0]
+		if len(args[1:]) > 0 {
+			g.Config.Process.CommandLine += " " + escapeArgs(args[1:])
+		}
+	} else {
+		g.Config.Process.Args = args
+	}
+}
+
+// escapeArgs makes a Windows-style escaped command line from a set of arguments
+func escapeArgs(args []string) string {
+	escapedArgs := make([]string, len(args))
+	for i, a := range args {
+		escapedArgs[i] = windows.EscapeArg(a)
+	}
+	return strings.Join(escapedArgs, " ")
+}
+
 // addImageEnvs adds environment variables from image config. It returns error if
 // an invalid environment variable is encountered.
 func addImageEnvs(g *generator, imageEnvs []string) error {

pkg/server/container_create_windows.go

@@ -160,7 +160,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 		sandboxPlatform = "windows/amd64"
 	}
 
-	spec, err := c.generateContainerSpec(id, sandboxID, sandboxPid, sandbox.NetNSPath, config, sandboxConfig, sandboxPlatform, &image.ImageSpec.Config)
+	spec, err := c.generateContainerSpec(id, sandboxID, sandboxPid, sandbox.NetNSPath, config, sandboxConfig, sandboxPlatform, &image.ImageSpec)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to generate container %q spec", id)
 	}
@@ -253,7 +253,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
 }
 
 func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxPid uint32, netnsPath string, config *runtime.ContainerConfig,
-	sandboxConfig *runtime.PodSandboxConfig, sandboxPlatform string, imageConfig *imagespec.ImageConfig) (*runtimespec.Spec, error) {
+	sandboxConfig *runtime.PodSandboxConfig, sandboxPlatform string, image *imagespec.Image) (*runtimespec.Spec, error) {
 	// Creates a spec Generator with the default spec.
 	ctx := ctrdutil.NamespacedContext()
 	spec, err := oci.GenerateSpecWithPlatform(ctx, nil, sandboxPlatform, &containers.Container{ID: id})
@@ -267,14 +267,14 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 	}
 	g := newSpecGenerator(spec)
 
-	if err := setOCIProcessArgs(&g, config, imageConfig); err != nil {
+	if err := setOCIProcessArgs(&g, config, image); err != nil {
 		return nil, err
 	}
 
 	if config.GetWorkingDir() != "" {
 		g.SetProcessCwd(config.GetWorkingDir())
-	} else if imageConfig.WorkingDir != "" {
-		g.SetProcessCwd(imageConfig.WorkingDir)
+	} else if image.Config.WorkingDir != "" {
+		g.SetProcessCwd(image.Config.WorkingDir)
 	}
 
 	g.SetProcessTerminal(config.GetTty())
@@ -287,7 +287,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 
 	// Apply envs from image config first, so that envs from container config
 	// can override them.
-	if err := addImageEnvs(&g, imageConfig.Env); err != nil {
+	if err := addImageEnvs(&g, image.Config.Env); err != nil {
 		return nil, err
 	}
 	for _, e := range config.GetEnvs() {
@@ -486,7 +486,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 		if userstr == "" {
 			// Lastly, since no user override was passed via CRI try to set via
 			// OCI Image
-			userstr = imageConfig.User
+			userstr = image.Config.User
 		}
 		if userstr != "" {
 			g.AddAnnotation("io.microsoft.lcow.userstr", userstr)
@@ -524,7 +524,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 			g.SetWindowsResourcesMemoryLimit(uint64(resources.GetMemoryLimitInBytes()))
 		}
 
-		username := imageConfig.User
+		username := image.Config.User
 		securityContext := config.GetWindows().GetSecurityContext()
 		if securityContext != nil {
 			runAsUser := securityContext.GetRunAsUsername()

vendor.conf

@@ -38,9 +38,9 @@ github.com/Microsoft/hcsshim 936eeeb286fd1197f107acfc4c3c82e4a9afc2c8
 github.com/modern-go/concurrent 1.0.3
 github.com/modern-go/reflect2 1.0.1
 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
-github.com/opencontainers/image-spec v1.0.1
+github.com/opencontainers/image-spec deb02d24daef68ac4a88d8f9883ba03b75bdc187 https://github.com/kevpar/image-spec.git # fork
 github.com/opencontainers/runc 12f6a991201fdb8f82579582d5e00e28fba06d0a
-github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353
+github.com/opencontainers/runtime-spec v1.0.2
 github.com/opencontainers/runtime-tools 1d69bd0f9c39677d0630e50664fbc3154ae61b88
 github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a
 github.com/pkg/errors v0.9.1