buildpacks / pack

CLI for building apps using Cloud Native Buildpacks
https://buildpacks.io
Apache License 2.0

pack should sanitize tar headers or surface a useful error message when .tgz file contains root directory #1865

Open cmoulliard opened 1 year ago

cmoulliard commented 1 year ago

Summary

I created a builder.toml file including an extension

[[extensions]]
id = "redhat-runtimes/nodejs"
version = "0.0.1"
uri = "https://github.com/paketo-community/ubi-nodejs-extension/archive/main.tar.gz"

but when we try to build the image using the pack CLI (version 0.30.pre)

BUILDER_PATH=./builder.toml

cat <<EOF > builder.toml
          description = "Sample builder that uses ubi Node.js extension to support Node.js apps"

          [[buildpacks]]
          uri = "docker://gcr.io/paketo-buildpacks/nodejs:1.4.0"
          version = "1.4.0"

          [lifecycle]
          version = "0.17.0"

          [[order]]
          [[order.group]]
          id = "paketo-buildpacks/nodejs"
          version = "1.4.0"

          [[extensions]]
          id = "redhat-runtimes/nodejs"
          version = "0.0.1"
          uri = "https://github.com/paketo-community/ubi-nodejs-extension/archive/main.tar.gz"
          #uri = "file:///${{ github.workspace }}/ubi-nodejs-extension"

          [[order-extensions]]
          [[order-extensions.group]]
          id = "redhat-runtimes/nodejs"
          version = "0.0.1"

          [stack]
          id = "ubi8-paketo"
          build-image = "quay.io/midawson/ubi8-paketo-build"
          run-image = "quay.io/midawson/ubi8-paketo-run"
EOF

pack builder create $BUILDER_IMAGE --config $BUILDER_PATH

we got the following error:

ERROR: failed to add extensions to builder: downloading extension: extracting from 'https://github.com/paketo-community/ubi-nodejs-extension/archive/main.tar.gz': reading extension: reading extension.toml: could not find entry path 'extension.toml': not exist

even though the archive includes an extension.toml file (https://github.com/paketo-community/ubi-nodejs-extension/blob/main/extension.toml) and can be downloaded manually.

natalieparellano commented 1 year ago

@cmoulliard I did a little digging on this - it looks like the referenced buildpack package (https://github.com/paketo-community/ubi-nodejs-extension/archive/main.tar.gz) includes the root directory in the tar headers, so pack sees it like this:

ubi-nodejs-extension-main/extension.toml

instead of

extension.toml

Did you use pack buildpack package to create the .tar.gz? I believe that will sanitize the headers for you.

We could probably do better to surface a more useful error message in this case, as the root cause is perfectly non-obvious.
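
The diagnosis in the comment above, as an added example that is not part of the thread or of pack's own code: a Go check that looks for extension.toml at the root of a .tgz and, when the file exists only under a single wrapping directory (as in a GitHub-generated archive), returns an error naming that directory. The names locateEntry and sampleArchive and the error wording are assumptions made here, and the sample archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"path"
)

// locateEntry returns "" if want is at the .tgz root, else the single wrapping directory plus an error.
func locateEntry(r io.Reader, want string) (string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return "", err
	}
	tr, wrapper := tar.NewReader(gz), ""
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return "", err
		}
		name := path.Clean(hdr.Name) // "./extension.toml" -> "extension.toml"
		if name == want {
			return "", nil
		}
		if dir := path.Dir(name); path.Base(name) == want && path.Dir(dir) == "." {
			wrapper = dir // exactly one directory deep, e.g. "ubi-nodejs-extension-main"
		}
	}
	if wrapper == "" {
		return "", fmt.Errorf("%q not found in archive", want)
	}
	return wrapper, fmt.Errorf("%q is not at the archive root; found under top-level directory %q", want, wrapper)
}

// sampleArchive builds a constructed in-memory .tgz holding one empty file at the given path.
func sampleArchive(name string) *bytes.Buffer {
	buf := &bytes.Buffer{}
	gz := gzip.NewWriter(buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0644}) // empty regular file
	tw.Close()
	gz.Close()
	return buf
}

func main() {
	fmt.Println(locateEntry(sampleArchive("ubi-nodejs-extension-main/extension.toml"), "extension.toml"))
}
```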

cmoulliard commented 1 year ago

Did you use pack buildpack package to create the .tar.gz?

No. The tar.gz file is created automatically by GitHub if you want to download a repository.

cmoulliard commented 1 year ago

We could probably do better to surface a more useful error message in this case

I fully agree :-)

jjbustamante commented 1 year ago

Note: We should research in the distribution spec whether the tar headers must be structured in some way to be consumed by the platform, because it shouldn't matter who creates the tar.

tarrow commented 6 months ago

In order to try and reproduce this you'd need to enable the pack experimental config stuff to not get an error like

ERROR: builder config contains image extensions; support for image extensions is currently experimental

You can do this with pack config experimental true. See: https://buildpacks.io/docs/for-platform-operators/how-to/integrate-ci/pack/cli/pack_config_experimental/