COPY does not default UID to 0 #1921

Open
misterikkit opened this issue Feb 4, 2022 · 1 comment · May be fixed by #2494
Labels
area/dockerfile-command For all bugs related to dockerfile file commands categorized cmd/copy differs-from-docker kind/bug Something isn't working kind/enhancement New feature or request priority/p0 Highest priority. Break user flow. We are actively looking at delivering it.

Comments

@misterikkit

Actual behavior
Running kaniko in my local docker daemon, files copied with COPY still have my UID in the built container. This breaks reproducibility when different users build the same image because the file's UID is included in the layer hash.

Expected behavior
Files copied with COPY and no --chown arg should be defaulted to UID 0, as per the Dockerfile documentation:

All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies...

To Reproduce

#!/bin/sh

echo "Running as $USER (uid=$(id -u))"

cd $(mktemp -d)

cat >run.sh <<'EOF'
#!/bin/sh
stat $0
EOF

chmod 0755 run.sh

cat >Dockerfile <<EOF
FROM alpine:latest

COPY run.sh /app/

ENTRYPOINT ["/app/run.sh"]
EOF

echo "Building with docker"
docker build -t uid-demo:docker .

echo "Building with kaniko"
docker run --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:v1.7.0 \
    --destination uid-demo:kaniko \
    --no-push \
    --tarPath image.tar

docker load < image.tar

echo "Running docker version"
docker run --rm -it uid-demo:docker
echo "Running kaniko version"
docker run --rm -it uid-demo:kaniko

Additional Information

  • Dockerfile
    see above
  • Build Context
    see above
  • Kaniko Image (fully qualified with digest)
    gcr.io/kaniko-project/executor:v1.7.0
    "Id": "sha256:4f9b8daa25ddc38e7f91eba9a7b989a555c623450c6f39b91bb51c66f1ec994b",

Workaround
Explicitly add --chown to every COPY/ADD in each Dockerfile.

Triage Notes for the Maintainers

Description Yes/No
Please check if this is a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
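
The reproducibility effect described in the report, as an added example that is not part of the original issue or of the kaniko code base: it builds the same one-file layer in memory under different owner IDs, shows that the digest of the uncompressed layer bytes changes with the UID, and lists entries not owned by 0:0. The helper names, the builder labels and the UIDs 1000 and 1001 are assumptions made for the illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample input: the single file copied by the Dockerfile in the report.
FILES = {"app/run.sh": b"#!/bin/sh\nstat $0\n"}


def build_layer(files, uid, gid):
    """Return an uncompressed tar layer whose entries are all owned by uid:gid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o755
            info.mtime = 0  # pinned so that ownership is the only variable
            info.uid, info.gid = uid, gid
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def layer_digest(layer):
    """Digest of the uncompressed layer bytes, in sha256:<hex> form."""
    return "sha256:" + hashlib.sha256(layer).hexdigest()


def non_root_entries(layer):
    """List (name, uid, gid) for every entry in the layer not owned by 0:0."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:") as tar:
        return [(m.name, m.uid, m.gid) for m in tar if (m.uid, m.gid) != (0, 0)]


if __name__ == "__main__":
    # Hypothetical builders: two users with different UIDs, then the documented default.
    for label, uid in (("alice", 1000), ("bob", 1001), ("root default", 0)):
        layer = build_layer(FILES, uid, uid)
        print(f"{label:13} {layer_digest(layer)[:19]}  non-root: {non_root_entries(layer)}")
```

With ownership forced to 0:0, as the Dockerfile reference specifies, the digest no longer depends on who ran the build.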
@F30

F30 commented Jun 14, 2022

#2136 is somewhat related to this.

Note that the Dockerfile reference clearly states:

All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies a given username, groupname, or UID/GID combination to request specific ownership of the content added.

@KerchumA222 KerchumA222 linked a pull request May 7, 2023 that will close this issue
4 tasks
KerchumA222 added a commit to KerchumA222/kaniko that referenced this issue May 7, 2023
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921
@aaron-prindle aaron-prindle added differs-from-docker priority/p0 Highest priority. Break user flow. We are actively looking at delivering it. area/dockerfile-command For all bugs related to dockerfile file commands kind/enhancement New feature or request kind/bug Something isn't working cmd/copy labels May 30, 2023
coryb pushed a commit to coryb/kaniko that referenced this issue Dec 17, 2023
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921
kylecarbs pushed a commit to coder/kaniko that referenced this issue Dec 17, 2023
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921
KerchumA222 added a commit to KerchumA222/kaniko that referenced this issue Feb 6, 2024
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921
kylecarbs pushed a commit to coder/kaniko that referenced this issue May 6, 2024
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921
johnstcn pushed a commit to coder/kaniko that referenced this issue May 15, 2024
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921