GoogleContainerTools
COPY applies metadata of the source directory to the target
Actual behavior
When COPY-ing the contents of a whole directory, Kaniko will apply metadata of that parent directory to the destination directory. This (at least) includes owner, group, and permissions.
docker build does not touch an existing target directory and the Dockerfile reference clearly states:
The directory itself is not copied, just its contents.
This is somewhat related to #1921, but also affects permissions; not just owner and group.
Expected behavior Kaniko should not apply metadata of the source directory to the target directory. In case that directory doesn't exist, the Dockerfile reference states:
If
<dest>doesn’t exist, it is created along with all missing directories in its path.
In that case, docker build creates the directory with a standard owner (presumably always root) and permissions (presumably influenced by the umask).
To Reproduce
> export TZ=utc
> ls -ln
total 8
drwx------ 2 1000 1000 4096 Jun 14 08:04 some-dir
-rw-r--r-- 1 1000 1000 135 Jun 14 08:55 Dockerfile
> ls -ln some-dir
total 0
-rwx---rwx 1 1000 1000 0 Jun 14 08:02 some-file
> cat Dockerfile
FROM alpine:3.15
RUN chmod 777 /srv
COPY some-dir /srv/
> docker build .
Sending build context to Docker daemon 3.072kB
Step 1/3 : FROM alpine:3.15
---> 0ac33e5f5afa
Step 2/3 : RUN chmod 777 /srv
---> Running in e3fd5d75a064
Removing intermediate container e3fd5d75a064
---> b88843019ff4
Step 3/3 : COPY some-dir /srv/
---> 8c6a5b4a960f
Successfully built 8c6a5b4a960f
> docker run -it 8c6a5b4a960f
/ # ls -lnd /srv
drwxrwxrwx 1 0 0 4096 Jun 14 09:03 /srv
/ # ls -ln /srv
total 0
-rwx---rwx 1 0 0 0 Jun 14 08:02 some-file
/ #
> docker run -it -v "$(pwd):/workspace" gcr.io/kaniko-project/executor:debug --context /workspace --dockerfile Dockerfile --no-push --destination kanikodemo --tarPath kanikodemo.tar
INFO[0000] Retrieving image manifest alpine:3.15
INFO[0000] Retrieving image alpine:3.15 from registry index.docker.io
INFO[0001] Built cross stage deps: map[]
INFO[0001] Retrieving image manifest alpine:3.15
INFO[0001] Returning cached image manifest
INFO[0001] Executing 0 build triggers
INFO[0001] Unpacking rootfs as cmd RUN chmod 777 /srv requires it.
INFO[0001] RUN chmod 777 /srv
INFO[0001] Taking snapshot of full filesystem...
INFO[0001] cmd: /bin/sh
INFO[0001] args: [-c chmod 777 /srv]
INFO[0001] Running: [/bin/sh -c chmod 777 /srv]
INFO[0001] Taking snapshot of full filesystem...
INFO[0001] COPY some-dir /srv/
INFO[0001] Taking snapshot of files...
INFO[0001] Skipping push to container registry due to --no-push flag
> docker image load < kanikodemo.tar
d73503444b9f: Loading layer [==================================================>] 258B/258B
62df7664615b: Loading layer [==================================================>] 335B/335B
Loaded image: kanikodemo:latest
> docker run -it kanikodemo:latest
/ # ls -lnd /srv
drwx------ 1 1000 1000 4096 Jun 14 09:08 /srv
/ # ls -ln /srv
total 0
-rwx---rwx 1 1000 1000 0 Jun 14 09:08 some-file
/ #
NB: In the timestamp of some-file, you can also see a violation of:
If
<src>is a directory, the entire contents of the directory are copied, including filesystem metadata.
I frankly don't care enough about that to open a separate issue for it.
Additional Information This was identified with the official container image for Kaniko 1.8.1.
Triage Notes for the Maintainers
| Description | Yes/No |
|---|---|
| Please check if this a new feature you are proposing |
|
| Please check if the build works in docker but not in kaniko |
|
Please check if this error is seen when you use --cache flag |
|
| Please check if your dockerfile is a multistage dockerfile |
|
