COPY --chown=1001:0 . . copies directories as root #2035

Open
braykov opened this issue Apr 5, 2022 · 4 comments

braykov commented Apr 5, 2022

Actual behavior
I want to transfer all files and dirs recursively from current host dir to WORKDIR inside the image
I am using COPY --chown=1001:0 . .

Expected behavior
All files and folders in the image should be owned by user with ID 1001 and group 0.

To Reproduce
Steps to reproduce the behavior:

  1. Create an image from this dockerfile
  2. Start a container and do ls -ls
  3. Observe the file ownership and directory ownership

When built with kaniko 1.8.0, all files belong to user non-root and all directories belong to user root.
When built with Docker 20.0.13, all files belong to user non-root and all directories also belong to user non-root.

Additional Information

  • Dockerfile
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster
ENV DIR_HOME=/app
RUN useradd -s /bin/bash -u 1001 -g root -m -d $DIR_HOME non-root
WORKDIR $DIR_HOME
COPY --chown=1001:0 . .
  • Build Context: Just some files and folders with sub-folders in the current directory.
  • Kaniko Image (fully qualified with digest): 1.8.1-debug

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile

scrayos commented May 13, 2022

I can confirm this behaviour also for copies of sub-folders (not the entire WORKDIR):

COPY --chown=nobody:nobody server_configs merge_server_configs

@danny900714

We also encountered this issue, please fix this.

Dockerfile:

FROM dockcenter/velocity:3.1.2-SNAPSHOT-153

COPY --chown=velocity lang /data/lang

COPY --chown=velocity plugins/gate/build/libs/*.jar /data/plugins/


pigoz commented Sep 6, 2022

I've "solved" this by explicitly calling chown through RUN:

# move over package.json and package-lock.json, and install dependencies
COPY --chown=node:node package*.json ./
# kaniko ignores the --chown from the previous command
RUN chown -R node:node .
RUN npm ci

Collaborator

JeromeJu commented Feb 16, 2024

Looks like this cannot be reproduced at HEAD for kaniko v1.20.x, where the directories' users are also non-root.

jeromeju@jju:~/kaniko/workspace$ ./run_in_docker.sh /dockerfile /usr/local/google/home/jeromeju/kaniko gcr.io/jju-dev/test:latest
INFO[0000] Using dockerignore file: /workspace/.dockerignore 
INFO[0000] Retrieving image manifest mcr.microsoft.com/dotnet/core/sdk:3.1-buster 
INFO[0000] Retrieving image mcr.microsoft.com/dotnet/core/sdk:3.1-buster from registry mcr.microsoft.com 
INFO[0002] Built cross stage deps: map[]                
INFO[0002] Retrieving image manifest mcr.microsoft.com/dotnet/core/sdk:3.1-buster 
INFO[0002] Returning cached image manifest              
INFO[0002] Executing 0 build triggers                   
INFO[0002] Building stage 'mcr.microsoft.com/dotnet/core/sdk:3.1-buster' [idx: '0', base-idx: '-1'] 
INFO[0002] Unpacking rootfs as cmd RUN useradd -s /bin/bash -u 1001 -g root -m -d $DIR_HOME non-root requires it. 
INFO[0016] ENV DIR_HOME=/app                            
INFO[0016] RUN useradd -s /bin/bash -u 1001 -g root -m -d $DIR_HOME non-root 
INFO[0016] Initializing snapshotter ...                 
INFO[0016] Taking snapshot of full filesystem...        
INFO[0020] Cmd: /bin/sh                                 
INFO[0020] Args: [-c useradd -s /bin/bash -u 1001 -g root -m -d $DIR_HOME non-root] 
INFO[0020] Running: [/bin/sh -c useradd -s /bin/bash -u 1001 -g root -m -d $DIR_HOME non-root] 
INFO[0020] Taking snapshot of full filesystem...        
INFO[0021] WORKDIR $DIR_HOME                            
INFO[0021] Cmd: workdir                                 
INFO[0021] Changed working directory to /app            
INFO[0021] No files changed in this command, skipping snapshotting. 
INFO[0021] COPY --chown=1001:0 . .                      
INFO[0024] Taking snapshot of files...                  
INFO[0029] Pushing image to gcr.io/jju-dev/test:latest  
INFO[0033] Pushed gcr.io/jju-dev/test@sha256:e6b98391a5a58fefef33e8174dfe31e1fe0c5d8cb5640c43afb42bc6424b0627 
jeromeju@jju:~/kaniko/workspace$ docker run -i -t gcr.io/jju-dev/test@sha256:e6b98391a5a58fefef33e8174dfe31e1fe0c5d8cb5640c43afb42bc6424b0627
Unable to find image 'gcr.io/jju-dev/test@sha256:e6b98391a5a58fefef33e8174dfe31e1fe0c5d8cb5640c43afb42bc6424b0627' locally
gcr.io/jju-dev/test@sha256:e6b98391a5a58fefef33e8174dfe31e1fe0c5d8cb5640c43afb42bc6424b0627: Pulling from jju-dev/test
c7c50787e2da: Already exists 
aff359114acb: Already exists 
821dc261e045: Already exists 
3790459d63d5: Already exists 
d9f67e74b01d: Already exists 
c28a95092be1: Already exists 
208cfb120a77: Already exists 
ed7a12bdd5e2: Pull complete 
a41359864928: Pull complete 
Digest: sha256:e6b98391a5a58fefef33e8174dfe31e1fe0c5d8cb5640c43afb42bc6424b0627
Status: Downloaded newer image for gcr.io/jju-dev/test@sha256:e6b98391a5a58fefef33e8174dfe31e1fe0c5d8cb5640c43afb42bc6424b0627
root@3d405c752679:/app# ls -ls
total 456
152 -rw-r-----  1 non-root root 151933 Feb 16 17:26 CHANGELOG.md
  4 -rw-r-----  1 non-root root   3045 Feb 16 17:26 CONTRIBUTING.md
  8 -rw-r-----  1 non-root root   7032 Feb 16 17:26 DEVELOPMENT.md
 12 -rw-r-----  1 non-root root  11341 Feb 16 17:26 LICENSE
  4 -rw-r-----  1 non-root root    107 Feb 16 17:26 MAINTAINERS
  4 -rw-r-----  1 non-root root   3945 Feb 16 17:26 Makefile
 56 -rw-r-----  1 non-root root  56204 Feb 16 17:26 README.md
  8 -rw-r-----  1 non-root root   5270 Feb 16 17:26 RELEASE.md
  4 -rw-r-----  1 non-root root    297 Feb 16 17:26 SECURITY.md
  4 -rw-r-----  1 non-root root   2160 Feb 16 17:26 Vagrantfile
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 app
  4 -rwxr-x---  1 non-root root    758 Feb 16 17:26 benchmark.sh
  4 drwxr-x---  4 non-root root   4096 Feb 16 17:26 cmd
  8 -rw-r-----  1 non-root root   5146 Feb 16 17:26 code-of-conduct.md
  4 -rw-r-----  1 non-root root    178 Feb 16 17:26 cosign.pub
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 deploy
  4 -rw-r-----  1 non-root root    175 Feb 16 17:26 dockerfile
  4 drwxr-x---  4 non-root root   4096 Feb 16 17:26 docs
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 examples
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 files
 12 -rw-r-----  1 non-root root  10439 Feb 16 17:26 go.mod
 96 -rw-r-----  1 non-root root  97765 Feb 16 17:26 go.sum
  4 drwxr-x---  5 non-root root   4096 Feb 16 17:26 hack
  4 drwxr-x---  9 non-root root   4096 Feb 16 17:26 integration
  0 lrwxrwxrwx  1 root     root     27 Feb 16 17:26 integration-test.sh -> scripts/integration-test.sh
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 logo
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 out
  4 drwxr-x--- 19 non-root root   4096 Feb 16 17:26 pkg
  4 drwxr-x---  5 non-root root   4096 Feb 16 17:26 quarkus-dummy-project
  4 -rwxr-x---  1 non-root root   1607 Feb 16 17:26 run_in_docker.sh
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 scripts
  0 -rw-r-----  1 non-root root      0 Feb 16 17:26 test
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 testutil
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:26 tools
  4 drwxr-x--- 12 non-root root   4096 Feb 16 17:27 vendor
  4 drwxr-x---  2 non-root root   4096 Feb 16 17:27 workspace
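
An ownership check for the behaviour reported in this thread, added here as an example (it is not part of the thread and not kaniko code): it lists every entry under a directory whose owner or group differs from the uid:gid given to COPY --chown, counting directories and symlinks separately from files. The function names are hypothetical; the path and ids in the usage comment are the ones from the original report.

```shell
#!/bin/sh
# Added example, not kaniko code. Helper names are hypothetical.
# Usage inside the built image (values from the report): sh check.sh /app 1001 0

# ownership_mismatches ROOT UID GID
# Prints each path under ROOT (ROOT included) not owned by UID:GID.
# find does not follow symlinks by default, so a symlink is judged by
# its own owner and group, not by those of its target.
ownership_mismatches() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# count_mismatches ROOT UID GID TYPE
# TYPE is a find -type letter: d (directory), f (file) or l (symlink).
# Paths containing newlines would be over-counted by wc -l.
count_mismatches() {
    find "$1" -type "$4" \( ! -user "$2" -o ! -group "$3" \) -print \
        | wc -l | tr -d ' '
}

# verify_copy_chown ROOT UID GID
# Returns 0 when every entry matches; otherwise prints a per-type summary
# and the offending paths to stderr and returns 1, so it can fail a RUN step.
verify_copy_chown() {
    bad=$(ownership_mismatches "$1" "$2" "$3")
    if [ -z "$bad" ]; then
        return 0
    fi
    {
        printf 'entries under %s not owned by %s:%s\n' "$1" "$2" "$3"
        printf 'dirs=%s files=%s symlinks=%s\n' \
            "$(count_mismatches "$1" "$2" "$3" d)" \
            "$(count_mismatches "$1" "$2" "$3" f)" \
            "$(count_mismatches "$1" "$2" "$3" l)"
        printf '%s\n' "$bad"
    } >&2
    return 1
}

# Run the check only when called with ROOT UID GID arguments.
if [ "$#" -eq 3 ]; then
    verify_copy_chown "$1" "$2" "$3"
    exit $?
fi
```

A result of dirs greater than zero with files=0 matches the symptom in the original report (files chowned, directories left as root).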
