fix(build): Validate Dockerfile using buildkit parser#2652
fix(build): Validate Dockerfile using buildkit parser#2652Syedowais312 wants to merge 1 commit intounikraft:stagingfrom
Conversation
Syedowais312
force-pushed
the
fix/dockerfile-validation
branch
from
5bbc88e to
dca4e3f
Compare
|
ping for review. |
There was a problem hiding this comment.
Pull request overview
This PR enhances Dockerfile detection in the builder_dockerfile by replacing naive filename-based validation with proper syntax parsing using the BuildKit Dockerfile parser. The implementation now validates Dockerfiles by parsing their syntax and verifying they contain at least one FROM instruction, making the detection more reliable and independent of naming conventions.
Changes:
- Replaced simple filename check with BuildKit parser-based validation
- Added validation to ensure Dockerfile has valid syntax and at least one FROM instruction
- Added warning when a file looks like a Dockerfile but has invalid syntax
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| valid, err := isValidDockerfile(path) | ||
|
|
||
| if err != nil { | ||
| return false | ||
| } |
There was a problem hiding this comment.
Errors from isValidDockerfile are silently discarded in the isDockerfile function. When an error occurs (e.g., file not found, permission denied), the function returns false without distinguishing between "not a Dockerfile" and "error reading the file". This makes debugging difficult and can hide real IO errors. Consider returning the error to the caller or at least logging it.
craciunoiuc
left a comment
craciunoiuc
left a comment
There was a problem hiding this comment.
Hey copilot found some stuff, at least one comment is valid
Can you go through them and fix the ones that make sense?
Syedowais312
force-pushed
the
fix/dockerfile-validation
branch
from
dca4e3f to
4da64c7
Compare
Yup, I have made the changes |
Syedowais312
force-pushed
the
fix/dockerfile-validation
branch
from
4da64c7 to
0411c28
Compare
The previous Dockerfile detection relied on filename matching which produced false positives and false negatives. This change introduces syntax validation using the BuildKit Dockerfile parser. The file is parsed into an AST and verified to contain at least one valid FROM instruction. This allows detection of valid Dockerfiles regardless of naming while rejecting invalid files even if named Dockerfile. Signed-off-by: syedowais312 <syedowais312sf@gmail.com>
Syedowais312
force-pushed
the
fix/dockerfile-validation
branch
from
0411c28 to
376b2a0
Compare
|
I was wondering if it would be great to add test cases for this validation logic? Should I add them in this PR or create a follow-up? CC: @craciunoiuc |
|
Sure, add the tests in the same PR as a separate commit |
| // In most cases, however, the Dockerfile is usually named `Dockerfile`. | ||
| if !strings.Contains(strings.ToLower(opts.Rootfs), "dockerfile") { | ||
| // Dockerfile validation using buildkit parser | ||
| if !isDockerfile(ctx, opts.Rootfs) { |
There was a problem hiding this comment.
🤔
This makes the kraftfile significantly more difficult to parse + handle. To know how we'd do this, we need to bundle the entire buildkit dockerfile parser?
I hit this when working on unikraft-cloud/x#143. Potentially, instead of having isDockerfile, we should instead keep all the existing heuristics for backwards compat, and introduce a new type field, which allows the user to explicitly define what to do.
There was a problem hiding this comment.
@ijaidev thanks for the detailed feedback.
My intention was mainly to avoid false negatives for valid Dockerfiles with non-standard names, but I agree builder selection probably shouldn’t depend on deep parsing semantics.
Introducing an explicit type while keeping the current heuristics for backwards compatibility sounds cleaner and preserves existing behavior.
I’ve also been thinking about a few alternative approaches and would appreciate your thoughts on them as well. I’m exploring those now and will come back shortly.
There was a problem hiding this comment.
After exploring further, I think the cleanest approach is to introduce an explicit source-type field in the kraftfile rootfs spec, along the lines of what you suggested:
rootfs:
source: ./my-custom-named-file
source-type: dockerfileDoes this direction match what you had in mind, or would you prefer the type to live at a different level (e.g. part of a generic rootfs “kind” instead of dockerfile-specific)?
This PR improves Dockerfile detection in
builder_dockerfile.Previously, detection relied only on filename matching which
could incorrectly accept non-Dockerfiles or reject valid ones.
The implementation now:
This makes Dockerfile handling reliable and removes dependence
on naming conventions.