fix: filter non-executable files when symlinking buildkit-cni plugins (#4553)

[smazmi]

Fixes #4553

The nerdctl-full tarball was incorrectly creating symlinks for all files in libexec/cni/, including documentation files like README.md and LICENSE. This resulted in non-executable files appearing in the bin/ directory as buildkit-cni-README.md and buildkit-cni-LICENSE.

Root Cause

The symlink creation loop in the Dockerfile (line 170) processed all files in /out/libexec/cni/* without filtering:

# Before (buggy)
for f in /out/libexec/cni/*; do ln -s ../libexec/cni/$(basename $f) /out/bin/buildkit-cni-$(basename $f); done

The CNI plugins tarball includes both executable binaries and documentation files with no execute permissions.

Solution

Added file type and permission checks to filter out non-executable files:

# After (fixed)
for f in /out/libexec/cni/*; do [ -x "$f" ] && [ -f "$f" ] && ln -s ../libexec/cni/$(basename $f) /out/bin/buildkit-cni-$(basename $f); done

• [ -f "$f" ] - ensures it's a regular file
• [ -x "$f" ] - ensures it has execute permission

Testing

Built and compared the full artifact before and after the fix:

Before:

• 46 files in bin/
• Includes: buildkit-cni-README.md and buildkit-cni-LICENSE

After:

• 44 files in bin/
• Documentation symlinks removed
• All 18 CNI plugin executables still correctly symlinked

Impact

• Removes incorrect symlinks for documentation files
• Preserves all 18 CNI plugin executables (bandwidth through vrf)
• Documentation files remain in libexec/cni/ where they belong
• No other functionality affected

[fahedouch]

Thanks

[smazmi]

Happy to help! :)

[AkihiroSuda]

Thanks