-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
os: add CopyFS #62484
Comments
Why is the |
This seems related to #56172. There's a similar question in these about how to handle broken writes and missing directories. |
Maybe for this and #56172 there could be a "create directories" argument. Maybe it could be a mode and if the mode is non-zero directories are created. For os.CopyFS, the mode could be &'d with the mode of the source directory. Maybe there should also be os.CopyFSFile to just copy one fs.File. |
This proposal has been added to the active column of the proposals project |
In #56172 AFAICT the consensus was that the copy operation should attempt to use FICLONE (or equivalent) whenever possible; this does not currently seem to be captured in this superseding proposal though. |
There are questions about whether to create directories, modes, and so on. If we go down that road, it should be a third-party package (lots of them) so that everyone can use the combination they want. The basic os.CopyFS should be the simple one that's good enough the other 99% of the time. In theory os.CopyFS could detect an os.DirFS source and use its own special-case code to take advantage of FICLONE if that was an important optimization. |
Have all remaining concerns about this proposal been addressed? |
The sample code has |
I think it should use 0777, the same way that os.OpenFile uses 0666. Let the umask set the permissions, same as if we were using the shell's mkdir and 'cat >file'. The only bits being copied out are the execute bits on regular files. |
I think the complete docs for CopyFS are:
|
Should switch m := d.Mode(); {
case m.IsRegular():
...
case m&os.ModeSymlink != 0:
link, err := os.Readlink(path)
if err != nil {
return err
}
if err := os.Symlink(link, targ); err != nil {
return err
}
} If so, we should make sure that it works reasonable well with Windows symbolic links, or at least that the outcome is well understood and consistent. This is related to #63703. |
It's very unclear to me what CopyFS should do with symlinks. Perhaps we should un-accept #49580. :-) |
Symbolic links are so awful. I am going to come back to this after Go 1.22 is frozen. |
Getting back to symlinks, if we don't want to unaccept #49580 (which would be fine with me but I'm not proposing it), then it seems like we should only accept symlinks in CopyFS that stay within the fs. Symlinks pointing outside the FS tree would result in an error from the overall CopyFS operation. So for example you cannot CopyFS and create a symlink to /etc/passwd. Does that seem reasonable? |
That seems reasonable to me. Leaving #49580 as accepted also seems like the pragmatic option - even if it's awkward and adds lots more edge cases, the reality is that users will want symlink support. Either we add support ourselves, or soon enough there will be external packages like |
I think the revised complete docs for CopyFS are:
|
Based on the discussion above, this proposal seems like a likely accept. Adding to package os:
|
Change https://go.dev/cl/564295 mentions this issue: |
I'm reopening this issue to bring up the question of what CopyFS should do if the destination contains a symlink. If I If this is the intended behavior, then I think the documentation should mention that symlinks in the destination are resolved. If this isn't the intended behavior, then we have the problem that the os package does not currently contain a robust, TOCTOU-safe way to open a file while avoiding symlink traversal. (#67002 aims to add one, but won't be available until 1.24 at the earliest.) One option might be to document that the CopyFS destination should not contain symlinks, check for and reject symlinks in a TOCTOU-unsafe fashion in 1.23, and use the more robust APIs from #67002 when they become available. |
Yes, if you unpack dir/etc/evil into dir/etc->/etc then CopyFS should write etc/evil, the same way that any other code would. Analogous to Create, I think it would be fine for the Dir type being discussed over on #67002 to have a CopyFS method that does enforce restrictions, since that's what that type does. |
Change https://go.dev/cl/600775 mentions this issue: |
Also clarify the permissions of created files, and note that CopyFS will not overwrite files. Update a few places in documentation to use 0oXXX for octal consts. For #62484 Change-Id: I208ed2bde250304bc7fac2b93963ba57037e791e Reviewed-on: https://go-review.googlesource.com/c/go/+/600775 Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Russ Cox <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
Change https://go.dev/cl/600815 mentions this issue: |
…destination Also clarify the permissions of created files, and note that CopyFS will not overwrite files. Update a few places in documentation to use 0oXXX for octal consts. For #62484 Change-Id: I208ed2bde250304bc7fac2b93963ba57037e791e Reviewed-on: https://go-review.googlesource.com/c/go/+/600775 Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Russ Cox <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit 910e6b5) Reviewed-on: https://go-review.googlesource.com/c/go/+/600815 Reviewed-by: Ian Lance Taylor <[email protected]>
Updated documentation to state that symlinks in the destination are followed. |
PR openshift#1099 broke upstream and OKD builds as it added a dependency on rsync. quay.io/centos/centos:stream9 image does not ship rsync by default. Once we can use the new golang's recursive copy (CopyFS) functionality in go 1.23 (golang/go#62484), use it and remove the dependency on rsync.
PR #1099 broke upstream and OKD builds as it added a dependency on rsync. quay.io/centos/centos:stream9 image does not ship rsync by default. Once we can use the new golang's recursive copy (CopyFS) functionality in go 1.23 (golang/go#62484), use it and remove the dependency on rsync. Co-authored-by: Jiri Mencak <[email protected]>
After discussion on #45757 (comment) and #61386, it would help many different use cases to add os.CopyFS that copies an fsys.FS into the local file system, safely. I propose to add that function.
The signature and implementation are roughly:
with perhaps some extra checks using filepath.IsLocal to guard against bad file names.
The text was updated successfully, but these errors were encountered: