Dockerfile.jvm build fails with kaniko: user: unknown user 1001

[weltonrodrigo]

Describe the bug

This is a known bug in kaniko GoogleContainerTools/kaniko#1456, where commands like

COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/

fail with:

error building image: error building stage: failed to execute command: getting user group from chown: user: unknown user 1001

It would be nice, as the kaniko bug is >1 year old, that quarkus could provided a (probably harmless) workaround on it's Dockerfiles:

RUN microdnf install shadow-utils
RUN adduser -u 1001 appuser

COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/

This bug makes quarkus impossible to build on gitlab CICD, as a kaniko build is the recommended way to build a docker image there.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[geoand]

Seems reasonable. @maxandersen WDYT?

[maxandersen]

Hmmm - doesn't this end up conflicting with kuberneteS/openshift owner ids?

[geoand]

According to the proposal, we wouldn't change the user ids, we'd just run RUN adduser -u 1001 appuser to make sure the user exists.

[maxandersen]

As long as we can verify It still works in openshift It's fine.

I.e. take particular notice of https://docs.openshift.com/container-platform/4.2/openshift_images/create-images.html section of "support arbitrary user ids"

[geoand]

As long as we can verify It still works in openshift It's fine.

Summoning @rsvoboda for this :)

[ejba]

giving my two cents if I can :)

IMHO, there's a concern here that it's adding a new layer to the image with more libraries that another set of users probably don't need. May I suggest creating some cli option to give developers the option to choose to create the user?

[geoand]

If we are concerned about the extra layer, then I would not go so far as to add a new flag to the Dockerfile. We could just keep the commands in the Dockerfile but commented out with an explanation of when it might make sense to use them.

[ejba]

We could just keep the commands in the Dockerfile but commented out with an explanation of when it might make sense to use them.

After that, adding some documentation on website telling gitlab users to uncomment those lines.

[geoand]

Makes sense

[rsvoboda]

Hi @gastaldi / @iocanel, could you check the suggested approach in the engineering OCP env before we will put our hands on it, please? Right now, we are busy with other priority tasks.

[rsvoboda]

Would be handy to have kubernetes/openshift checks (#17674) in place.

[Sgitario]

@geoand @weltonrodrigo I think this issue is gone thanks to the changes in c24179a. The new template is no longer using the user 1001 (I could reproduce this issue and after updating the Dockerfile, it works fine in OpenShift).

[geoand]

Thanks for investigating @Sgitario!

Let's close this in light of the information you mention above.