Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default User and Group to 0:0 for ADD and COPY #2494

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Default User and Group to 0:0 for ADD and COPY #2494

wants to merge 1 commit into from

Conversation

KerchumA222
Copy link

@KerchumA222 KerchumA222 commented May 7, 2023
edited

Default to UID 0 and GID 0 as per the Dockerfile documentation

Fixes #1921

Description
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes unit tests
  • Adds integration tests if needed.

See the contribution guide for more details.

Reviewer Notes

  • The code flow looks good.
  • Unit tests and or integration tests added.

Release Notes

ADD and COPY now default to UID 0 and GID 0 instead of maintaining the source ownership

@google-cla
Copy link

google-cla bot commented May 7, 2023

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@KerchumA222 KerchumA222 force-pushed the main branch 4 times, most recently from 60b2210 to 1dad002 Compare May 7, 2023 23:11
@KerchumA222 KerchumA222 marked this pull request as ready for review May 7, 2023 23:13
@coryb coryb mentioned this pull request Dec 17, 2023
Open
@skype007 skype007 mentioned this pull request Dec 24, 2023
Open
JeromeJu
JeromeJu approved these changes Dec 27, 2023
View reviewed changes
pkg/util/command_util.go Outdated
@@ -352,7 +352,7 @@ Loop:

func GetUserGroup(chownStr string, env []string) (int64, int64, error) {
if chownStr == "" {
return DoNotChangeUID, DoNotChangeGID, nil
return 0, 0, nil
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @KerchumA222 this default change looks good.
For the nit, would you mind also following the previous convention for naming it as DefaultUID?
Thanks!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JeromeJu I updated the code. Is this what you meant?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @KerchumA222

@JeromeJu JeromeJu mentioned this pull request Dec 27, 2023
Open
@KerchumA222
Set default UserId and GroupId to 0:0
b43b973 
Update to match Dockerfile specifications when using ADD or COPY
Previous functionality was to preserve the user and group from the source, which may not exist in the container.
Fixes GoogleContainerTools#1921
@KerchumA222
Copy link
Author

@JeromeJu this seems to be stalled waiting for approval for workflows. Is that something you can help with?

@JeromeJu
Copy link
Collaborator

JeromeJu commented Feb 7, 2024
edited

@JeromeJu this seems to be stalled waiting for approval for workflows. Is that something you can help with?

Thanks @KerchumA222 for the changes, I have re-runned the integration tests but the error seems to have persisted.

@KerchumA222
Copy link
Author

The issue is that the file ownership can't be changed to root when running as a non-root user. The tests are run as a regular user and therefore fail.
I need to think through this problem a little before proceeding.
Would a virtual filesystem be acceptable (so that we can create and manipulate files owned by user 0 without needing root)?
Do you have any other ideas on how to solve this? I don't want to sacrifice being able to build images without root access (without needing to --chown to a regular user).

@KerchumA222 KerchumA222 marked this pull request as draft February 8, 2024 22:00
@KerchumA222
Copy link
Author

Without running inside a container, I don't know of any other way to make files owned by root that can be interacted with by the RUN command. I thought of using a virtual filesystem to track ownership and properly encode that when building the tar files, but the complexity of that solution is pretty high and leaves some open questions (how to track files created or modified with a RUN command for example).

If the tests are run with sudo, they should pass. How about running the tests with sudo, and adding another basic test suite that runs without sudo to prove root isn't required unless you need root-owned files?

@JeromeJu
Copy link
Collaborator

Thanks to the offline discussion with @aaron-prindle .
The pointer led to the design of Kaniko with UID for historical reasons. From Kaniko's previous design, we do not have user root id access in containers.
So the changes in this PR is going to be a breaking change for <= v1.20 users since all the copy files will be root after this.

@johnstcn johnstcn mentioned this pull request May 15, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JeromeJu JeromeJu JeromeJu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

COPY does not default UID to 0
2 participants
@KerchumA222 @JeromeJu