enforce reserve internal labels. #40394
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tao12345666333
force-pushed
the
reserved-namespace-labels
branch
from
6b7d27c to
56a93ae
Compare
|
@thaJeztah PTAL, thanks! |
thaJeztah
reviewed
Jan 20, 2020
| // Labels are in the form on key=value. | ||
| func ValidateLabel(val string) (string, error) { | ||
| if strings.Count(val, "=") < 1 { | ||
| return "", fmt.Errorf("bad attribute format: %s", val) | ||
| } | ||
|
|
||
| lowered := strings.ToLower(val) | ||
| if strings.HasPrefix(lowered, "com.docker.") || strings.HasPrefix(lowered, "io.docker.") || |
There was a problem hiding this comment.
Is this ValidateLabel only used by the daemon config? Double checking because if this one is also used in the CLI, we can't reject the label here (because the docker cli will set labels with this prefix (e.g. when doing docker stack deploy, the docker cli will set com.docker.xx labels based on the stack that services, networks and so on are part of 🤔 )
There was a problem hiding this comment.
Thanks. I have checked. CLI has its own ValidateLabel function. https://github.com/docker/cli/blob/d443b7409192f29bf82258396f0170dff6cba707/opts/opts.go#L280
There was a problem hiding this comment.
Thinking if we should rename it to ValidateEngineLabel to prevent possible confusion 🤔 (not important, we could do that as a follow-up if we want to)
There was a problem hiding this comment.
yes, I agree.
thaJeztah
requested changes
Feb 11, 2020
| // Labels are in the form on key=value. | ||
| func ValidateLabel(val string) (string, error) { | ||
| if strings.Count(val, "=") < 1 { | ||
| return "", fmt.Errorf("bad attribute format: %s", val) | ||
| } | ||
|
|
||
| lowered := strings.ToLower(val) | ||
| if strings.HasPrefix(lowered, "com.docker.") || strings.HasPrefix(lowered, "io.docker.") || |
There was a problem hiding this comment.
Thinking if we should rename it to ValidateEngineLabel to prevent possible confusion 🤔 (not important, we could do that as a follow-up if we want to)
|
Patch with the changes I suggested: diff --git a/opts/opts.go b/opts/opts.go
index 72ed4b314d..60a093f28c 100644
--- a/opts/opts.go
+++ b/opts/opts.go
@@ -267,7 +267,7 @@ func ValidateLabel(val string) (string, error) {
if strings.HasPrefix(lowered, "com.docker.") || strings.HasPrefix(lowered, "io.docker.") ||
strings.HasPrefix(lowered, "org.dockerproject.") {
return "", fmt.Errorf(
- "label %s not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ "label %s is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
val)
}
diff --git a/opts/opts_test.go b/opts/opts_test.go
index 826292c427..3c90a24068 100644
--- a/opts/opts_test.go
+++ b/opts/opts_test.go
@@ -4,6 +4,9 @@ import (
"fmt"
"strings"
"testing"
+
+ "gotest.tools/assert"
+ is "gotest.tools/assert/cmp"
)
func TestValidateIPAddress(t *testing.T) {
@@ -181,10 +184,9 @@ func TestValidateLabel(t *testing.T) {
expectedErr string
}{
{
- name: "lable with bad attribute format",
- label: "label",
- expectedResult: "",
- expectedErr: "bad attribute format: label",
+ name: "lable with bad attribute format",
+ label: "label",
+ expectedErr: "bad attribute format: label",
},
{
name: "label with general format",
@@ -217,64 +219,49 @@ func TestValidateLabel(t *testing.T) {
expectedResult: "org.docker.not=reserved",
},
{
- name: "label with reserved com.docker.*",
- label: "com.docker.feature=enabled",
- expectedResult: "",
- expectedErr: "label com.docker.feature=enabled not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ name: "label with reserved com.docker.*",
+ label: "com.docker.feature=enabled",
+ expectedErr: "label com.docker.feature=enabled is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
},
{
- name: "label with reserved upcase com.docker.* ",
- label: "COM.docker.feature=enabled",
- expectedResult: "",
- expectedErr: "label COM.docker.feature=enabled not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ name: "label with reserved upcase com.docker.* ",
+ label: "COM.docker.feature=enabled",
+ expectedErr: "label COM.docker.feature=enabled is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
},
{
- name: "label with reserved io.docker.*",
- label: "io.docker.configuration=0",
- expectedResult: "",
- expectedErr: "label io.docker.configuration=0 not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ name: "label with reserved io.docker.*",
+ label: "io.docker.configuration=0",
+ expectedErr: "label io.docker.configuration=0 is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
},
{
- name: "label with reserved upcase io.docker.*",
- label: "io.DOCKER.CONFIGURATion=0",
- expectedResult: "",
- expectedErr: "label io.DOCKER.CONFIGURATion=0 not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ name: "label with reserved upcase io.docker.*",
+ label: "io.DOCKER.CONFIGURATion=0",
+ expectedErr: "label io.DOCKER.CONFIGURATion=0 is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
},
{
- name: "label with reserved org.dockerproject.*",
- label: "org.dockerproject.setting=on",
- expectedResult: "",
- expectedErr: "label org.dockerproject.setting=on not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ name: "label with reserved org.dockerproject.*",
+ label: "org.dockerproject.setting=on",
+ expectedErr: "label org.dockerproject.setting=on is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
},
{
- name: "label with reserved upcase org.dockerproject.*",
- label: "Org.Dockerproject.Setting=on",
- expectedResult: "",
- expectedErr: "label Org.Dockerproject.Setting=on not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+ name: "label with reserved upcase org.dockerproject.*",
+ label: "Org.Dockerproject.Setting=on",
+ expectedErr: "label Org.Dockerproject.Setting=on is not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for internal use",
},
}
for _, testCase := range testCases {
- testCase = testCase
+ testCase := testCase
t.Run(testCase.name, func(t *testing.T) {
result, err := ValidateLabel(testCase.label)
- if testCase.expectedResult != "" {
- if err != nil {
- t.Fatalf("expected no error, got error [%s]", err)
- }
-
- if result != testCase.expectedResult {
- t.Fatalf("expected [%s], got [%s]", testCase.expectedResult, result)
- }
+ if testCase.expectedErr != "" {
+ assert.Error(t, err, testCase.expectedErr)
} else {
- if err != nil {
- if err.Error() != testCase.expectedErr {
- t.Fatalf("expected error [%s], got error [%s]", testCase.expectedErr, err.Error())
- }
- } else {
- t.Fatalf("expected error '%s', got no error", testCase.expectedErr)
- }
+ assert.NilError(t, err)
+ }
+ if testCase.expectedResult != "" {
+ assert.Check(t, is.Equal(result, testCase.expectedResult))
}
})
Or as a file if that's easier: |
|
After this is merged, we'll have to update the deprecated.md in the CLI repository; I'll prepare a PR for that. |
|
oh! you probably used the "suggested changes" from GitHub; unfortunately those don't work well with our workflow, as they are added as separate commits, and don't have a DCO sign-off 😥 You should be able to apply the patch I provided above instead though from your cli (let me know if you need help on that) Meanwhile, I prepared the draft PR for the docs changes in docker/cli: docker/cli#2326 |
|
Sorry, I didn't know much about this feature of GitHub. I will fix it! |
|
No worries! It's a bit unfortunate that the GitHub feature doesn't work well for us (as it's a nice way to show what changes could be made) Let me know if you need a hand, otherwise I can push to your branch. |
|
Yes, I didn't find how to get "suggested changes" commits in the GitHub documentation. |
tao12345666333
force-pushed
the
reserved-namespace-labels
branch
from
f2b1a2c to
4bf4fb1
Compare
tao12345666333
force-pushed
the
reserved-namespace-labels
branch
from
4bf4fb1 to
f239aaf
Compare
Sorry. I need rebase and fix import path to |
The namespaces com.docker.*, io.docker.*, org.dockerproject.* have been documented to be reserved for Docker's internal use. Co-Authored-By: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com> Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
tao12345666333
force-pushed
the
reserved-namespace-labels
branch
from
f239aaf to
35d6c18
Compare
|
CI Failures look unrelated |
|
CI failed (unrelated |
|
Windows failure is unrelated (see #40506); I'll bring this one in |
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The namespaces com.docker., io.docker., org.dockerproject.*
have been documented to be reserved for Docker's internal use.
Signed-off-by: Jintao Zhang zhangjintao9020@gmail.com
- What I did
- How I did it
- How to verify it
- Description for the changelog
Enforce reserve internal labels.
- A picture of a cute animal (not mandatory but encouraged)