kaniko
Default GID for USER command is not zero
Actual behavior
Primary group has the same ID as the user.
Expected behavior
Primary group should be zero, e.g. root, if not specified according to Dockerfile reference.
To Reproduce
Steps to reproduce the behavior:
With the following Dockerfile:
```
FROM docker.io/bitnami/minideb:bullseye
USER 1001
RUN id
```
```
$ docker run --rm -i -t -v $(pwd):/workspace gcr.io/kaniko-project/executor:v1.19.2 --no-push
INFO[0000] Retrieving image manifest docker.io/bitnami/minideb:bullseye
INFO[0000] Retrieving image docker.io/bitnami/minideb:bullseye from registry index.docker.io
INFO[0002] Built cross stage deps: map[]
INFO[0002] Retrieving image manifest docker.io/bitnami/minideb:bullseye
INFO[0002] Returning cached image manifest
INFO[0002] Executing 0 build triggers
INFO[0002] Building stage 'docker.io/bitnami/minideb:bullseye' [idx: '0', base-idx: '-1']
INFO[0002] Unpacking rootfs as cmd RUN id requires it.
INFO[0019] USER 1001
INFO[0019] Cmd: USER
INFO[0019] RUN id
INFO[0019] Initializing snapshotter ...
INFO[0019] Taking snapshot of full filesystem...
INFO[0020] Cmd: /bin/sh
INFO[0020] Args: [-c id]
INFO[0020] Util.Lookup returned: &{Uid:1001 Gid: Username: Name: HomeDir:/}
INFO[0020] Performing slow lookup of group ids for
INFO[0020] Running: [/bin/sh -c id]
uid=1001 gid=1001 groups=1001
```
```
$ docker version
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:07:41 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:07:41 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.25
GitCommit: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
runc:
Version: 1.1.10
GitCommit: v1.1.10-0-g18a0cb0
docker-init:
Version: 0.19.0
GitCommit: de40ad0
```
```
$ docker build --progress=plain --no-cache --file Dockerfile .
#0 building with "default" instance using docker driver
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.1s
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 96B done
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/bitnami/minideb:bullseye
#3 DONE 0.8s
#4 [1/2] FROM docker.io/bitnami/minideb:bullseye@sha256:af1a5130dbcebe36c432eb266cf52ec68cd5e54ab43ee98a7135dde358a68d7c
#4 CACHED
#5 [2/2] RUN id
#5 0.510 uid=1001 gid=0(root) groups=0(root)
```
Additional Information
- Kaniko Image: gcr.io/kaniko-project/executor@sha256:f913ab076f92f1bdca336ab8514fea6e76f0311e52459cce5ec090c120885c8b
Triage Notes for the Maintainers
| Description | Yes/No |
|---|---|
| Please check if this is a new feature you are proposing | |
| Please check if the build works in docker but not in kaniko | |
| Please check if this error is seen when you use --cache flag | |
| Please check if your dockerfile is a multistage dockerfile | |
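The resolution rule the report expects, as an added Go example (not kaniko's or Docker's code). `ResolveUser` and `samplePasswd` are hypothetical names with constructed data; it assumes a user found in the image's /etc/passwd keeps that entry's primary GID, while a bare numeric UID with no entry gets GID 0.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of an image's /etc/passwd (name:pw:uid:gid:...).
const samplePasswd = "root:x:0:0:root:/root:/bin/bash\n" +
	"app:x:1000:1000::/home/app:/bin/sh\n"

// ResolveUser (hypothetical) maps a USER value "user[:gid]" to numeric ids.
func ResolveUser(spec, passwd string) (uid, gid int, err error) {
	user, group, hasGroup := strings.Cut(spec, ":")
	found := false
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 4 || (f[0] != user && f[2] != user) {
			continue
		}
		uid, err = strconv.Atoi(f[2])
		if err == nil {
			gid, err = strconv.Atoi(f[3])
		}
		if err != nil {
			return 0, 0, fmt.Errorf("bad passwd entry %q", line)
		}
		found = true
		break
	}
	if !found {
		// No passwd entry: must be a numeric uid; primary group is 0, not the uid.
		if uid, err = strconv.Atoi(user); err != nil {
			return 0, 0, fmt.Errorf("unknown user %q", user)
		}
		gid = 0
	}
	if hasGroup { // an explicit group always wins (numeric groups only here)
		if gid, err = strconv.Atoi(group); err != nil {
			return 0, 0, fmt.Errorf("non-numeric group %q", group)
		}
	}
	return uid, gid, nil
}

func main() {
	fmt.Println(ResolveUser("1001", samplePasswd))
}
```

Comparing this result with the `id` output of a build step shows whether a builder substituted the UID for the GID, as in the kaniko log above.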
Possible related fix at https://github.com/GoogleContainerTools/kaniko/pull/2494
Looking at the diff there, I don't think so - UserCommand doesn't appear to use GetUserGroup.