
Permissions issue with buildx and COPY #1802

Closed
Outrovurt opened this issue May 16, 2023 · 2 comments

Comments


Outrovurt commented May 16, 2023

On a Linux host, I am trying to copy a file owned by root with permissions 400 and size 5 bytes:

$ ls -l root.only
-r-------- 1 root root 5 May 16 11:29 root.only

My Dockerfile:

FROM alpine
COPY root.only .

Building the image:

docker buildx build -t temp .

Running the following command:

$ docker run -it temp ls -l root.only
-r--------    1 root     root             0 May 16 05:59 root.only

A file has been copied, but notice that it is empty (size is 0 bytes).

Going back and re-building using sudo:

sudo docker buildx build -t temp .

and running the above command again:

$ docker run -it temp ls -l root.only
-r--------    1 root     root             5 May 16 05:59 root.only

This time the original file has been copied (size is 5 bytes).

For reference, I am trying to copy a TLS certificate into a docker image, and this is generated (by openssl) with the same permissions as root.only above.

My questions:

  1. Is this the expected behaviour?
  2. There doesn't appear to be any warning or error generated during the build process at any point, so I wasn't able to see this immediately. Is there any way to run the build and have it generate an error in this case?
  3. While I can run a build from the command-line using sudo, I can't do this from within docker compose, unless I run the whole command using sudo. I don't believe this is the best way to go about doing this, so I'm wondering, what is the best way? Is it just to use a bind mount, or is there something I can do other than to use sudo to copy root.only so that its permissions are copied over exactly as they are on the host?

Thanks,
Ali


jedevc (Collaborator) commented May 16, 2023

Buildx runs as an unprivileged user program, so, yes, the inability to read a file not readable by the user is expected.

I would expect an error though - to me this seems relatively similar to #1781. In this case, we fail to read the contents of the file, and any error message we would have received is not propagated to the buildkit server as one might expect.

To solve the issue - if the file is intended to be copied into the container, then the user doing the build should have permission to read the file. This doesn't mean that the file in the container has to have the same mode bits - you can use the --chmod flag for COPY to set the required permissions in your Dockerfile.
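As an added example (not code from the buildx project or from either commenter), the following POSIX shell check addresses the second question from the build operator's side: before `docker buildx build` runs, it parses the Dockerfile's COPY/ADD sources and refuses to proceed when one is missing or not readable by the building user, so the unreadable file becomes an explicit error rather than an empty file in the image. The function name `check_copy_sources`, the Dockerfile content and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of buildx: pre-build check that every COPY/ADD
# source in a Dockerfile exists and is readable by the user who will run
# `docker buildx build`. Run it as that user (root can read everything, so
# running it via sudo proves nothing) and wire it in before the build so an
# unreadable file becomes an explicit error instead of an empty file in the
# image.
#
# Usage:
#   . ./check_copy_sources.sh
#   check_copy_sources Dockerfile . && docker buildx build -t temp .
#
# Limitations (kept simple on purpose): only the shell form of COPY/ADD is
# parsed, not the JSON array form; paths containing spaces are not supported.

# check_copy_sources DOCKERFILE CONTEXT_DIR
# Reports each missing or unreadable source on stderr; returns 0 when all
# sources are readable, 1 otherwise.
check_copy_sources() {
  dockerfile=$1
  ctx=$2
  problems=0
  while read -r line; do
    # Split the instruction into words: keyword, optional --flags, sources, destination.
    set -- $line
    [ $# -gt 1 ] || continue
    shift                       # drop the COPY/ADD keyword
    from_stage=
    while [ $# -gt 0 ]; do      # skip flags such as --chmod=400 or --from=builder
      case "$1" in
        --from=*) from_stage=1; shift ;;
        --*) shift ;;
        *) break ;;
      esac
    done
    # Sources of a --from=... COPY live in another stage or image, not in the context.
    [ -z "$from_stage" ] || continue
    # Everything but the last word is a source; the last word is the destination.
    while [ $# -gt 1 ]; do
      src=$1
      shift
      case "$src" in
        http://*|https://*) continue ;;   # ADD from a URL: nothing to check locally
      esac
      # Unquoted $src lets the shell expand globs like *.crt against the context.
      for path in "$ctx"/$src; do
        if [ ! -e "$path" ]; then
          echo "missing source: $src" >&2
          problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
          echo "unreadable source (would be copied as an empty file): $src" >&2
          problems=$((problems + 1))
        fi
      done
    done
  done <<EOF
$(grep -Ei '^[[:space:]]*(COPY|ADD)[[:space:]]' "$dockerfile")
EOF
  [ "$problems" -eq 0 ]
}
```

The same guard can also live inside the Dockerfile: `COPY --chmod=400 root.only /app/` followed by `RUN test -s /app/root.only` makes the build itself fail when the copied file is empty, which covers builds started from docker compose where the pre-build script is not in the path. Both checks complement the advice above: the building user needs read access to the source, and `--chmod` sets the mode bits in the image independently of the mode on the host.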

Outrovurt (Author) commented

> I would expect an error though - to me this seems relatively similar to #1781. In this case, we fail to read the contents of the file, and any error message we would have received is not propagated to the buildkit server as one might expect.

I would have also expected an error, but it's probably one of those edge cases that arises extremely rarely. I am a little surprised that an empty file is copied in its place though.

> To solve the issue - if the file is intended to be copied into the container, then the user doing the build should have permission to read the file. This doesn't mean that the file in the container has to have the same mode bits - you can use the --chmod flag for COPY to set the required permissions in your Dockerfile.

The problem is that the file is owned by root and the permissions are 600, so the only way to do what you're suggesting is to run as root e.g. via sudo, which is what I'm trying to avoid.

Otherwise I think that just leaves the bind mount option, placing the file within a local directory and mounting that into the container, which seems to work fine. I was really just curious as to why it was behaving the way I have described.

Thanks for your suggestions.
