
COPY does not default UID to 0

Open misterikkit opened this issue 3 years ago • 2 comments

Actual behavior

Running kaniko in my local docker daemon, files copied with COPY still have my UID in the built container. This breaks reproducibility when different users build the same image because the file's UID is included in the layer hash.

Expected behavior

Files copied with COPY and no --chown arg should be defaulted to UID 0 as per the Dockerfile documentation:

All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies...

To Reproduce

#!/bin/sh
# Build the same Dockerfile with docker and with kaniko, then run both
# images so the container prints the ownership of the COPYed file.

echo "Running as $USER (uid=$(id -u))"

# Work in a throwaway build context
cd "$(mktemp -d)"

# The file that COPY will place in the image; it stats itself when run
cat >run.sh <<'EOF'
#!/bin/sh
stat "$0"
EOF

chmod 0755 run.sh

cat >Dockerfile <<EOF
FROM alpine:latest

COPY run.sh /app/

ENTRYPOINT ["/app/run.sh"]
EOF

echo "Building with docker"
docker build -t uid-demo:docker .

echo "Building with kaniko"
# Write the image to a tarball instead of pushing it, then load it locally
docker run --rm -v "$(pwd)":/workspace gcr.io/kaniko-project/executor:v1.7.0 \
    --destination uid-demo:kaniko \
    --no-push \
    --tarPath image.tar

docker load < image.tar

# Compare the UID/GID reported by stat in each image
echo "Running docker version"
docker run --rm -it uid-demo:docker
echo "Running kaniko version"
docker run --rm -it uid-demo:kaniko

Additional Information

  • Dockerfile see above
  • Build Context see above
  • Kaniko Image (fully qualified with digest) gcr.io/kaniko-project/executor:v1.7.0 "Id": "sha256:4f9b8daa25ddc38e7f91eba9a7b989a555c623450c6f39b91bb51c66f1ec994b",

Workaround

Explicitly add --chown to every COPY/ADD in each Dockerfile.

Triage Notes for the Maintainers

Description (Yes/No)
  • [ ] Please check if this is a new feature you are proposing
  • [x] Please check if the build works in docker but not in kaniko
  • [ ] Please check if this error is seen when you use --cache flag
  • [ ] Please check if your dockerfile is a multistage dockerfile

misterikkit, Feb 04 '22 00:02
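The reproduction above relies on running the image and reading stat output. The following is an added example, not code from the issue or from the kaniko project: it audits a `docker save`-style image tarball (manifest.json plus one tar per layer) offline and lists every layer entry whose UID/GID is not 0:0, which is the condition that makes the layer digest depend on who ran the build. The sample image it inspects is constructed in memory, with the UID 1000 and file names chosen for illustration.

```python
"""Audit a `docker save` tarball for layer entries not owned by UID/GID 0.
Added example (not kaniko project code): a non-root UID baked into a COPY
layer also changes that layer's digest, so this spots it without a run."""
import io
import json
import tarfile


def nonroot_entries(image_tar: bytes):
    """Return [(layer, path, uid, gid)] for every entry not owned by 0:0."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        # manifest.json lists the layer tarballs in order, base first
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for m in layer.getmembers():
                    if m.uid != 0 or m.gid != 0:
                        findings.append((layer_name, m.name, m.uid, m.gid))
    return findings


def _tar_bytes(entries):
    """Build an uncompressed tar in memory from (name, data, uid, gid)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.size, info.uid, info.gid = len(data), uid, gid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_image() -> bytes:
    """Constructed sample: a root-owned base layer plus a COPY layer whose
    file kept the builder's UID 1000, the symptom the issue describes."""
    base = _tar_bytes([("bin/sh", b"#!/bin/sh\n", 0, 0)])
    copied = _tar_bytes([("app/run.sh", b"#!/bin/sh\nstat $0\n", 1000, 1000)])
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["uid-demo:kaniko"],
                            "Layers": ["base/layer.tar", "copy/layer.tar"]}]).encode()
    return _tar_bytes([("manifest.json", manifest, 0, 0),
                       ("base/layer.tar", base, 0, 0),
                       ("copy/layer.tar", copied, 0, 0)])


if __name__ == "__main__":
    for layer, path, uid, gid in nonroot_entries(sample_image()):
        print(f"{layer}: {path} is owned by {uid}:{gid}, not 0:0")
```

To check a real build, pass the bytes of the `image.tar` that kaniko wrote with --tarPath (or of `docker save` output) to nonroot_entries instead of the constructed sample.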

#2136 is somewhat related to this.

Note that the Dockerfile reference clearly states:

All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies a given username, groupname, or UID/GID combination to request specific ownership of the content added.

F30, Jun 14 '22 09:06