Error on image load if prefixed with a variable #1230

@MaximilianB134

Describe the bug
Some of our Dockerfiles start with these or similar lines:

ARG ARCH=""
FROM ${ARCH}php:7.4-apache-buster AS builder

We did this mainly for historical reasons so that our devs with a Mac with an Apple Silicon chip can build images for another architecture. They would then set the ARCH build argument to amd64/. If the build argument is omitted, the image will build for the current architecture.

Unfortunately tern does not recognize the build argument correctly and fails on Dockerfiles with this construct. It seems that it tries to prepend the quotes to the image and tag and then fails to find the image.

To Reproduce

  1. Let a Dockerfile start with the lines stated above.
  2. Run tern report -d Dockerfile.

Error in terminal

2023-04-13 06:31:09,953 - DEBUG - __main__ - Starting...
2023-04-13 06:31:09,954 - DEBUG - prep - Setting up...
2023-04-13 06:31:09,954 - DEBUG - rootfs - Running command: chmod +x /usr/local/lib/python3.9/site-packages/tern/tools/fs_hash.sh
2023-04-13 06:31:09,960 - DEBUG - run - Parsing Dockerfile...
2023-04-13 06:31:09,966 - DEBUG - run - Building Docker image with Dockerfile: /builds/sonstige/hackathon-desksharing/desksharing/build/app/Dockerfile_1
2023-04-13 06:32:34,293 - WARNING - docker_api - Build failed: COPY failed: file not found in build context or excluded by .dockerignore: stat build/app/php.dev.ini: file does not exist
2023-04-13 06:32:34,294 - WARNING - docker_api - Could not build Docker image
2023-04-13 06:32:34,294 - WARNING - run - Cannot build image
2023-04-13 06:32:34,294 - DEBUG - run - Analyzing base image...
2023-04-13 06:32:34,332 - DEBUG - docker_api - Checking if image """php:7.4-apache-buster" is available on disk...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/docker/api/client.py", line 268, in _raise_for_status
    response.raise_for_status()
  File "/usr/local/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://docker:2376/v1.41/images/%22%22php:7.4-apache-buster/json
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/usr/local/bin/tern", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/tern/__main__.py", line 311, in main
    do_main(args)
  File "/usr/local/lib/python3.9/site-packages/tern/__main__.py", line 115, in do_main
    drun.execute_dockerfile(args)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/dockerfile/run.py", line 211, in execute_dockerfile
    image_list = analyze_multistage_dockerfile(dfobj, args)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/dockerfile/run.py", line 260, in analyze_multistage_dockerfile
    imlist = analyze_single_dockerfile(dfile, options)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/dockerfile/run.py", line 191, in analyze_single_dockerfile
    image_list = base_and_run_analysis(dockerfile, options)
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/dockerfile/run.py", line 149, in base_and_run_analysis
    base_image = load_base_image()
  File "/usr/local/lib/python3.9/site-packages/tern/analyze/default/dockerfile/run.py", line 88, in load_base_image
    if docker_api.dump_docker_image(base_image.repotag):
  File "/usr/local/lib/python3.9/site-packages/tern/load/docker_api.py", line 209, in dump_docker_image
    image = get_docker_image(image_tag, client)
  File "/usr/local/lib/python3.9/site-packages/tern/load/docker_api.py", line 179, in get_docker_image
    image = check_image(image_tag_string, client)
  File "/usr/local/lib/python3.9/site-packages/tern/load/docker_api.py", line 155, in check_image
    image_obj = client.images.get(image_tag_string)
  File "/usr/local/lib/python3.9/site-packages/docker/models/images.py", line 335, in get
    return self.prepare_model(self.client.api.inspect_image(name))
  File "/usr/local/lib/python3.9/site-packages/docker/utils/decorators.py", line 19, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/docker/api/image.py", line 251, in inspect_image
    return self._result(
  File "/usr/local/lib/python3.9/site-packages/docker/api/client.py", line 274, in _result
    self._raise_for_status(response)
  File "/usr/local/lib/python3.9/site-packages/docker/api/client.py", line 270, in _raise_for_status
    raise create_api_error_from_http_exception(e) from e
  File "/usr/local/lib/python3.9/site-packages/docker/errors.py", line 39, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation) from e
docker.errors.APIError: 400 Client Error for https://docker:2376/v1.41/images/%22%22php:7.4-apache-buster/json: Bad Request ("no such image: ""php:7.4-apache-buster: invalid reference format")

Expected behavior
I expect that the variable is resolved and therefore the Dockerfile is evaluated correctly. That especially means that the quotes from the default value are not taken literally into the image string.

Environment you are running Tern on
Output of 'tern --version':

Tern version 2.12.0
   python version = 3.9.16 (main, Apr 12 2023, 12:09:18)

We run tern in a docker container built from the Dockerfile this project provides here: https://github.com/tern-tools/tern/blob/main/docker/Dockerfile
The Docker image is then started with two volumes, one with the Dockerfile and one volume shared with a docker-in-docker setup to provide certificates to connect to the Docker daemon. These env vars are provided in addition to that:

DOCKER_TLS_CERTDIR: '/certs'
DOCKER_HOST: 'tcp://docker:2376'
DOCKER_TLS_VERIFY: 1
DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"

The complete setup runs in our GitLab CI with the docker-in-docker as a service to the job and the job being the tern container.
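The expected behaviour described in this report, as an added example that is not part of the original issue and is not tern's code: a small resolver that substitutes global `ARG` defaults into `FROM` lines and removes the shell quoting first. The names `resolve_from_lines`, `expand` and `unquote` are hypothetical, and the second build stage in the sample Dockerfile is constructed. With `strip_quotes=False` it produces the same `""php:7.4-apache-buster` string seen in the log above.

```python
import re
import shlex

# Constructed sample: the two lines from the report, plus a second stage.
DOCKERFILE = '''ARG ARCH=""
FROM ${ARCH}php:7.4-apache-buster AS builder
ARG ARCH="ignored/"
FROM --platform=linux/amd64 ${ARCH}debian:buster
'''

# Matches $VAR, ${VAR}, ${VAR:-default} and ${VAR:+alternate}.
VAR = re.compile(r'\$(?:\{(\w+)(?::([-+])([^}]*))?\}|(\w+))')

def unquote(value):
    """Strip shell-style quoting from an ARG default, so '""' becomes ''."""
    parts = shlex.split(value)
    return parts[0] if parts else ""

def expand(text, args):
    """Substitute build-argument references in text."""
    def sub(m):
        val = args.get(m.group(1) or m.group(4), "")
        if m.group(2) == "-":
            return val or m.group(3)
        if m.group(2) == "+":
            return m.group(3) if val else ""
        return val
    return VAR.sub(sub, text)

def resolve_from_lines(dockerfile, build_args=None, strip_quotes=True):
    """Return the image reference of every FROM with global ARGs resolved."""
    build_args, global_args, images = build_args or {}, {}, []
    for line in dockerfile.splitlines():
        words = line.strip().split(None, 1)
        if len(words) < 2:
            continue
        instr, rest = words[0].upper(), words[1]
        if instr == "ARG" and not images:
            # Only ARGs declared before the first FROM are visible to FROM.
            name, _, default = rest.partition("=")
            default = expand(default, global_args)
            if strip_quotes:
                default = unquote(default)
            global_args[name] = build_args.get(name, default)
        elif instr == "FROM":
            # Skip flags such as --platform; the next token is the image.
            ref = next(t for t in rest.split() if not t.startswith("--"))
            images.append(expand(ref, global_args))
    return images
```

For an SBOM or license scanner, the resolved reference is what identifies the base image being analysed, so a resolver that disagrees with the builder either fails, as here, or inspects a different image than the one actually built.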
