From 6a13c5ff2fa7e8eee6d53561baaa923fc29508b4 Mon Sep 17 00:00:00 2001 From: Abhishek8108 <87538407+Abhishek8108@users.noreply.github.com> Date: Thu, 9 Apr 2026 18:51:39 +0100 Subject: [PATCH 1/2] fix: resolve dockerfile_template with secure=False during containerize MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit resolve_user_filepath was called with the default secure=True in generate_containerfile, which checks that the resolved path is relative to os.getcwd(). During `bentoml containerize` the build context is a BentoML-managed temp directory (e.g. /tmp/...), not the user's project directory, so the check is a false positive and raises ValueError. Pass secure=False since the path is resolved against a BentoML-controlled directory, not a user-supplied path — the template was already validated and copied into the bento archive during `bentoml build`. Fixes #5566 --- src/bentoml/_internal/container/generate.py | 2 +- .../unit/_internal/container/test_generate.py | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/src/bentoml/_internal/container/generate.py b/src/bentoml/_internal/container/generate.py index 0b0e8b26934..cdfeca20171 100644 --- a/src/bentoml/_internal/container/generate.py +++ b/src/bentoml/_internal/container/generate.py @@ -181,7 +181,7 @@ def generate_containerfile( user_templates = docker.dockerfile_template if user_templates is not None: - dir_path = os.path.dirname(resolve_user_filepath(user_templates, build_ctx)) + dir_path = os.path.dirname(resolve_user_filepath(user_templates, build_ctx, secure=False)) user_templates = os.path.basename(user_templates) TEMPLATES_PATH.append(dir_path) environment = ENVIRONMENT.overlay( diff --git a/tests/unit/_internal/container/test_generate.py b/tests/unit/_internal/container/test_generate.py index e39364671e3..427fb17d40a 100644 --- a/tests/unit/_internal/container/test_generate.py +++ b/tests/unit/_internal/container/test_generate.py @@ -5,6 +5,30 @@ from bentoml._internal.container.generate import generate_containerfile +def test_generate_containerfile_dockerfile_template_outside_cwd(tmp_path) -> None: + # Regression test for https://github.com/bentoml/BentoML/issues/5566. + # During `bentoml containerize` the build context is a BentoML-managed temp + # directory (not under os.getcwd()), so resolve_user_filepath must be called + # with secure=False — otherwise it raises ValueError for any /tmp path. + template_dir = tmp_path / "env" / "docker" + template_dir.mkdir(parents=True) + (template_dir / "Dockerfile.template").write_text( + "{% extends bento_base_template %}\n" + ) + + # Must not raise ValueError even though tmp_path is outside os.getcwd() + generate_containerfile( + DockerOptions( + distro="debian", + python_version="3.11", + dockerfile_template="env/docker/Dockerfile.template", + ), + str(tmp_path), + conda=CondaOptions(), + bento_fs=tmp_path, + ) + + def test_generate_containerfile_quotes_system_packages(tmp_path) -> None: dockerfile = generate_containerfile( DockerOptions( From 325ed55e862a2c6de273c1914290244639c80e7a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 9 Apr 2026 17:52:33 +0000 Subject: [PATCH 2/2] ci: auto fixes from pre-commit.ci For more information, see https://pre-commit.ci --- src/bentoml/_internal/container/generate.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/bentoml/_internal/container/generate.py b/src/bentoml/_internal/container/generate.py index cdfeca20171..feb645b8838 100644 --- a/src/bentoml/_internal/container/generate.py +++ b/src/bentoml/_internal/container/generate.py @@ -181,7 +181,9 @@ def generate_containerfile( user_templates = docker.dockerfile_template if user_templates is not None: - dir_path = os.path.dirname(resolve_user_filepath(user_templates, build_ctx, secure=False)) + dir_path = os.path.dirname( + resolve_user_filepath(user_templates, build_ctx, secure=False) + ) user_templates = os.path.basename(user_templates) TEMPLATES_PATH.append(dir_path) environment = ENVIRONMENT.overlay(