Multi-stage COPY --from should preserve ownership/permissions #37123

Closed
thaJeztah opened this issue May 22, 2018 · 9 comments · Fixed by #38599
Labels
area/builder kind/enhancement Enhancements are not bugs or new features but can improve usability or performance.

Comments

@thaJeztah
Member

thaJeztah commented May 22, 2018

This relates to:

Problem statement

The COPY (and ADD) Dockerfile instructions by default reset the ownership of files added to 0:0.

While this makes sense when copying files from a build-context (users/groups on the host in most situations won't match user/group in the container), in multi-stage builds this situation may be different.

In a multi-stage build, intermediate stages are meant to prepare content/artifacts for the final stage(s) they are copied to. This preparation can include: setting the correct ownership (and permissions) of files.

Because of the current behavior of COPY, those permissions are reset, and workarounds, such as tar-ing the files before COPY-ing, then extracting the tar in the final stage (which preserves permissions and ownership as set on the files before tar-ing) are not ideal.

Proposal

I propose to preserve permissions and ownership of files/directories when COPY-ing between stages in a multi-stage build.

Example

Building this Dockerfile on a current version of Docker:

FROM busybox AS one
RUN mkdir -p /foo/1-subdir \
 && touch \
  /foo/4-five-six \
  /foo/7-eight-nine \
 && chown -R 123:123 /foo/1-subdir \
 && chown 456:456 /foo/4-five-six \
 && chown 789:789 /foo/7-eight-nine \
 && chmod -R 0600 /foo/1-subdir \
 && chmod 0060 /foo/4-five-six \
 && chmod 0006 /foo/7-eight-nine
RUN echo "In stage one" \
 && ls -l /foo/


FROM busybox AS final
COPY --from=one /foo /bar
RUN echo "In final stage" \
 && ls -l /bar/

Produces:

In stage one
total 4
drw-------    2 123      123           4096 May 22 12:24 1-subdir
----rw----    1 456      456              0 May 22 12:24 4-five-six
-------rw-    1 789      789              0 May 22 12:24 7-eight-nine
In final stage
total 4
drw-------    2 root     root          4096 May 22 12:24 1-subdir
----rw----    1 root     root             0 May 22 12:24 4-five-six
-------rw-    1 root     root             0 May 22 12:24 7-eight-nine

With the proposed changes, the final stage would look like:

In final stage
total 4
drw-------    2 123      123           4096 May 22 12:24 1-subdir
----rw----    1 456      456              0 May 22 12:24 4-five-six
-------rw-    1 789      789              0 May 22 12:24 7-eight-nine

Question / to be discussed

COPY --from accepts both the name/number of a build-stage, as well as an image-reference:

  • Should we preserve ownership/permissions when copying from an image as well? (COPY --from myimage:latest)
  • Should we add new options to make the --from less ambiguous, and only preserve ownership/permissions when copying from other stages (i.e., add --from-stage and --from-image options)?
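
As an added example (not part of the original issue or of Docker's code), this Python script parses the two `ls -l` listings from the example output above and reports which metadata fields differ after the `COPY --from`; the function names are illustrative. Run on the issue's own output, it shows that user and group are reset while the mode bits are unchanged.

```python
import re
import stat

# `ls -l` listings copied from the example output in the issue above.
STAGE_ONE = """\
total 4
drw-------    2 123      123           4096 May 22 12:24 1-subdir
----rw----    1 456      456              0 May 22 12:24 4-five-six
-------rw-    1 789      789              0 May 22 12:24 7-eight-nine
"""
FINAL_STAGE = """\
total 4
drw-------    2 root     root          4096 May 22 12:24 1-subdir
----rw----    1 root     root             0 May 22 12:24 4-five-six
-------rw-    1 root     root             0 May 22 12:24 7-eight-nine
"""

# Columns: mode, link count, user, group, size, three date fields, name.
LINE = re.compile(r"^([-dlbcps][-rwxsStT]{9})\s+\d+\s+(\S+)\s+(\S+)"
                  r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")
FIELDS = ("user", "group", "mode")

def mode_to_octal(mode):
    """Convert an `ls -l` mode string such as 'drw-------' to permission bits."""
    perms, bits = mode[1:], 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":          # lower-case s/t mean the execute bit is also set
            bits |= 1 << (8 - i)
    for pos, flag in ((2, stat.S_ISUID), (5, stat.S_ISGID), (8, stat.S_ISVTX)):
        if perms[pos] in "sStT":
            bits |= flag
    return bits

def parse_listing(text):
    """Map file name -> (user, group, mode bits); non-matching lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:                      # the "total N" header does not match
            entries[m.group(4)] = (m.group(2), m.group(3), mode_to_octal(m.group(1)))
    return entries

def ownership_drift(before, after):
    """Return {name: [(field, old, new), ...]} for names present in both listings."""
    a, b = parse_listing(before), parse_listing(after)
    report = {}
    for name in sorted(a.keys() & b.keys()):
        changes = [(f, o, n) for f, o, n in zip(FIELDS, a[name], b[name]) if o != n]
        if changes:
            report[name] = changes
    return report

if __name__ == "__main__":
    for name, changes in ownership_drift(STAGE_ONE, FINAL_STAGE).items():
        print(name, changes)
```
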
@tonistiigi
Member

> Should we preserve ownership/permissions when copying from an image as well? (COPY --from myimage:latest)

Yes. I don't see any difference and user can always override.

@elibarzilay

Note that there are other things that tar is helping with, like preserving set[ug]id, time stamps, hard links, etc.

BTW, at some point in the distant past it was common to tar cf foo | (cd somewhere; tar xf) as a way of doing what is now cp -a. From a definition POV of what is preserved, throwing back to "whatever tar does" might be a little more convenient than keeping your own list.

@elygre

elygre commented Jul 24, 2018

Yes to this change! I'm looking to reduce the size of the Oracle database docker images, and using multi-stage builds saves around 9 GB (!). However, it cannot reliably work: File ownerships in the installation stage are set by an installation program, and the Dockerfile cannot know what they should be. Having "COPY --from" maintain current file attributes would solve this; adding a "--same-owner" or similar will also be a fine solution.

@thaJeztah
Member Author

Related; #37830

@nedix

nedix commented Dec 18, 2018

One terrible implication is that users lose access to their home directory. Proposal seems good. Related: #32816

@tonistiigi
Member

This has been fixed in buildkit.

@thaJeztah
Member Author

@tonistiigi should we make the same change for non-buildkit? (not sure how easy it is to implement in the classic builder?)

@tonistiigi
Member

@thaJeztah I'm ok with that.

@thaJeztah changed the title from "RFD: Multi-stage COPY --from should preserve ownership/permissions" to "Multi-stage COPY --from should preserve ownership/permissions" on Jan 21, 2019
@huggla

huggla commented Mar 22, 2019

This bug concerned both ownership and permissions while #38599 only mentions ownership. Are both ownership and permissions preserved now, or only ownership?
