ADD/COPY do not strip paths outside of the build context

[cowwoc]

Is this a docs issue?

• My issue is about the documentation content or website

Type of issue

Information is incorrect

Description

@dvdksn It looks like the paragraph you changed at https://github.com/moby/buildkit/pull/5664/files#r1916876722 is wrong.

I just tested against Docker version 27.4.0, build bde2b89 and both ADD and COPY commands return this error if you try referencing paths outside of the build context:

ADD failed: forbidden path outside the build context: ../src/main/resources/scripts/helm-install.sh ()

Frankly, I prefer this behavior. It's a lot less error-prone. Can you please update the documentation accordingly?

Location

https://docs.docker.com/reference/dockerfile/#adding-files-from-the-build-context

Suggestion

No response

[cowwoc]

I stand corrected. The docker engine spits out the aforementioned error, but the docker CLI happily accepts the input files. I am investigating the created image to see what it ended up doing...

[cowwoc]

Okay. It does what you mentioned... If ADD/COPY reference files outside the build context, the CLI will silently drop the leading ../ and process the corrected path.

On the flip side, it is a bit disturbing that the behavior of the CLI and Engine do not line up...

@thaJeztah Do you plan to leave the behavior as-is, or change it?

[thaJeztah]

Was this with buildkit enabled, or the classic builder? https://github.com/moby/moby/blob/b1c00b18bd8ac2603e37321f825034ce4d191522/builder/remotecontext/archive.go#L125

The classic builder had a check for this, but ISTR I had a lengthy discussion with the buildkit maintainers who considered that ../../../../ outside the root was better to be match the behavior on Linux itself, and ignore when trying to get outside the root.

See

• BuildKit uses wrong path when referencing files outside of build context moby/buildkit#2131
• BuildKit should provide clear error if files are referenced outside build context moby/buildkit#2130

[cowwoc]

@thaJeztah I'm using Docker Desktop on Windows with this config:

{
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false
}

so I believe this means I am using the classic builder. I invoked docker build . helm/Dockefile.

[dvdksn]

Are you building Windows containers? Docker in Windows mode still uses the legacy (non-BuildKit) builder. Otherwise, with Linux containers, you would be using BuildKit by default (since Docker Engine v23.0).

[dvdksn]

Good news is that BuildKit is making progress in Windows mode too, so hopefully soon it will be used on all platforms. You can use it already today (experimental) if you run BuildKit as a separate process.

https://docs.docker.com/build/buildkit/#buildkit-on-windows

[cowwoc]

@dvdksn I am building a Linux container, so I guess I am using BuildKit...

Regardless, shouldn't the server and CLI provide the same behavior? I would expect both the client (CLI) and server to know what build mode I am using and provide the same behavior when faced with excessive ../ in the path...

Is that possible to implement?