Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't download an OCI package twice if package contains symbolic links #1593

Open
1 task
flavioschuindt opened this issue Dec 18, 2024 · 10 comments
Open
1 task

Can't download an OCI package twice if package contains symbolic links #1593

flavioschuindt opened this issue Dec 18, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@flavioschuindt
Copy link

flavioschuindt commented Dec 18, 2024
edited
Loading

What happened in your environment?

  1. Created a package containing a symbolic link:
image

  1. Pushed it to my OCI complaint registry: oras push <MY_REPO>:<MY_TAG> ./src/:<MY_MEDIA_TYPE> where MY_REPO and MY_MEDIA_TYPE are redacted.

  2. Pulled it one time and worked fine: oras pull <MY_REPO>:<MY_TAG>

image
  1. Without cleaning anything in the output folder, I tried the same command from (3) again, and then it failed:
Downloading 8b9900e74425 src
Error: failed to extract tar to <MY_OUTPUT_FOLDER>/src: symlink FILE1.md  <MY_OUTPUT_FOLDER>/src:FILE2.md: file exists

Correct me If I am wrong, but I believe what happens here is that internally oras is using tar to extract the compressed layers, but tar is refusing to overwrite a symbolic link.

What did you expect to happen?

The second attempt should be successful and overwrites the files in the target output folder.

How can we reproduce it?

Create an OCI package containing symbolic links and try the steps mentioned above.

What is the version of your ORAS CLI?

Version: 1.1.0+Homebrew
Go version: go1.21.0

What is your OS environment?

Mac OS Sonoma 14.4.1

Are you willing to submit PRs to fix it?

  • Yes, I am willing to fix it.
@flavioschuindt flavioschuindt added bug Something isn't working triage New issues or PRs to be acknowledged by maintainers labels Dec 18, 2024
@ArghyaChakraborty
Copy link

I faced the exact same issue. Hopefully someone has some idea about how to avoid this ...

@alishah404
Copy link

+1
getting the same error, we have node modules in the OCI dir and node modules its failing with same error

Error: failed to extract tar to /tmp/oras-test/pkg: symlink ../acorn/bin/acorn /tmp/oras-test/pkg/node_modules/.bin/acorn: file exists

@Wwwsylvia Wwwsylvia mentioned this issue Jan 3, 2025
Open
@Wwwsylvia
Copy link
Member

Hi @flavioschuindt @ArghyaChakraborty @alishah404 , thank you for reporting this bug! We have opened an issue on the oras-go library side and will fix it there: oras-project/oras-go#865

@flavioschuindt
Copy link
Author

Thanks a lot, @Wwwsylvia. Help me understand one thing though: I see that in the oras-go the issue was labeled with the milestone v2.6.0. What is the usual release cadence, i.e., when should we expect v2.6.0 to be released? I am asking because we need to make an internal decision in our project, i.e., depending on the scheduled time we might need to implement an internal workaround, otherwise, we can wait and use the version with the fix which would be our preferred approach.

@Wwwsylvia
Copy link
Member

@flavioschuindt Do you depend on oras-go or ORAS CLI? I suppose it's CLI?

For oras-go, we release new versions on-demand. Currently we don't have a clear target date for v2.6.0 yet. But the hope is to get the items in the milestone done and release the new version ASAP.
For CLI, the next milestone is v1.3.0-beta.2, which is supposed to be released by March. Once the bug is fixed on the oras-go side, CLI can uses the main branch without waiting for oras-go to release a tagged version.

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Jan 7, 2025
edited
Loading

Maybe we could consider a patch release oras-go v2.5.1 to fix the symbolic link issue oras-project/oras-go#865 since it impacts a lot of users. Let's discuss the oras-go milestone in the community meeting this Tuesday 4pm pacific time.

@flavioschuindt @alishah404 @ArghyaChakraborty You are welcome to join the ORAS community meeting as well.

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Jan 7, 2025
edited
Loading

@Wwwsylvia In addition to oras-project/oras-go#865, is there any addition work to fix the symbolic link issue in ORAS CLI?

@Wwwsylvia
Copy link
Member

@FeynmanZhou No, once the fix is merged into oras-go, CLI just needs to upgrade the go dependency.

@flavioschuindt
Copy link
Author

@flavioschuindt Do you depend on oras-go or ORAS CLI? I suppose it's CLI?

For oras-go, we release new versions on-demand. Currently we don't have a clear target date for v2.6.0 yet. But the hope is to get the items in the milestone done and release the new version ASAP.
For CLI, the next milestone is v1.3.0-beta.2, which is supposed to be released by March. Once the bug is fixed on the oras-go side, CLI can uses the main branch without waiting for oras-go to release a tagged version.

My dependency is the oras CLI.

Thanks @FeynmanZhou for the patch suggestion. This is impacting not me, but other users as well, so implementing and releasing a patch as soon as possible seems to be a reasonable approach. How can I join the community meeting? The link you shared I only see agenda notes, is there a video call link or something that I can join?

@FeynmanZhou
Copy link
Member

Hi @flavioschuindt , you can find the meeting schedule on https://hackmd.io/P-O6n222TcSMoJgHmTTduw?view#Zoom-Call-Info. We meet on Zoom. Feel free to join the meeting and connect with the community maintainers.

@FeynmanZhou FeynmanZhou removed the triage New issues or PRs to be acknowledged by maintainers label Jan 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@flavioschuindt @ArghyaChakraborty @Wwwsylvia @FeynmanZhou @alishah404