Multi-stage COPY --from should preserve ownership/permissions #37123
Comments
Yes. I don't see any difference and user can always override.
Note that there are other things that tar is helping with, like preserving set[ug]id, time stamps, hard links, etc. BTW, at some point in the distant past it was common to
Yes to this change! I'm looking to reduce the size of the Oracle database docker images, and using a multi-stage build saves around 9 GB (!). However, it cannot reliably work: File ownerships in the installation stage are set by an installation program, and the Dockerfile cannot know what they should be. Having "COPY --from" maintain current file attributes would solve this; adding a "--same-owner" or similar will also be a fine solution.
Related; #37830
One terrible implication is that users lose access to their home directory. Proposal seems good. Related: #32816
This has been fixed in buildkit.
@tonistiigi should we make the same change for non-buildkit? (not sure how easy it is to implement in the classic builder?)
@thaJeztah I'm ok with that.
This bug concerned both ownership and permissions while #38599 only mentions ownership. Are both ownership and permissions preserved now, or only ownership? |
This relates to: COPY --from=foo bar.tgz ... #37112
Problem statement
The COPY (and ADD) Dockerfile instructions by default reset the ownership of files added to 0:0. While this makes sense when copying files from a build-context (users/groups on the host in most situations won't match user/group in the container), in multi-stage builds this situation may be different.
In a multi-stage build, intermediate stages are meant to prepare content/artifacts for the final stage(s) they are copied to. This preparation can include: setting the correct ownership (and permissions) of files.
Because of the current behavior of COPY, those permissions are reset, and workarounds, such as tar-ing the files before COPY-ing, then extracting the tar in the final stage (which preserves permissions and ownership as set on the files before tar-ing) are not ideal.
Proposal
I propose to preserve permissions and ownership of files/directories when COPY-ing between stages in a multi-stage build.
Example
Building this Dockerfile on a current version of Docker:
Produces:
With the proposed changes, the final stage would look like:
Question / to be discussed
COPY --from accepts both the name/number of a build-stage, as well as an image-reference:
COPY --from myimage:latest)
--from less ambiguous, and only preserve ownership/permissions when copying from other stages (i.e., add --from-stage and --from-image options)?
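An added example, not part of the original issue or the project's code: a Python check that compares uid/gid/mode metadata between two root-filesystem tar archives, to spot files whose ownership was reset to 0:0 between a build stage and the final image, as the problem statement describes. The archive contents, paths and function names are constructed for illustration.

```python
import io
import tarfile


def make_rootfs_tar(entries):
    """Build an in-memory tar from (path, uid, gid, mode) tuples (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, uid, gid, mode in entries:
            info = tarfile.TarInfo(path)
            info.uid, info.gid, info.mode = uid, gid, mode
            tar.addfile(info)  # zero-length member: only the metadata matters
    buf.seek(0)
    return buf


def metadata(tar_fileobj, prefix):
    """Map path -> (uid, gid, permission bits) for members under prefix."""
    with tarfile.open(fileobj=tar_fileobj, mode="r") as tar:
        return {m.name: (m.uid, m.gid, m.mode & 0o7777)
                for m in tar if m.name.startswith(prefix)}


def ownership_drift(src_tar, dst_tar, prefix):
    """List (path, field, before, after) where owner or mode changed."""
    src, dst = metadata(src_tar, prefix), metadata(dst_tar, prefix)
    findings = []
    for path in sorted(src):
        if path not in dst:
            continue  # file was not copied into the final image
        (s_uid, s_gid, s_mode), (d_uid, d_gid, d_mode) = src[path], dst[path]
        if (s_uid, s_gid) != (d_uid, d_gid):
            findings.append((path, "owner", f"{s_uid}:{s_gid}", f"{d_uid}:{d_gid}"))
        if s_mode != d_mode:
            findings.append((path, "mode", oct(s_mode), oct(d_mode)))
    return findings


# Constructed sample: the build stage chowned two files to 1000:1000,
# and the final image shows them as 0:0 after the copy between stages.
BUILD_STAGE = [("app/data/db.conf", 1000, 1000, 0o640),
               ("app/run.sh", 1000, 1000, 0o750),
               ("app/README", 0, 0, 0o644)]
FINAL_IMAGE = [("app/data/db.conf", 0, 0, 0o640),
               ("app/run.sh", 0, 0, 0o750),
               ("app/README", 0, 0, 0o644)]


def sample_findings():
    return ownership_drift(make_rootfs_tar(BUILD_STAGE),
                           make_rootfs_tar(FINAL_IMAGE), "app/")
```

On real images, the two archives can be produced with `docker export` from a container created from each image, with the intermediate stage built via `docker build --target`.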