COPY --chmod=444 produces wrong directory permissions in v1.23.0
Actual behavior
COPY --chmod=444 test/ /file/ does not behave as expected. It drops execute permission from directories, making it impossible for a non-root user to access the copied directory. This is handled correctly with docker build.
% docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.23.0 --context /files --dockerfile /files/dockerfile --no-push
INFO[0000] Retrieving image manifest ubuntu
INFO[0000] Retrieving image ubuntu from registry index.docker.io
INFO[0006] Built cross stage deps: map[]
INFO[0006] Retrieving image manifest ubuntu
INFO[0006] Returning cached image manifest
INFO[0006] Executing 0 build triggers
INFO[0006] Building stage 'ubuntu' [idx: '0', base-idx: '-1']
INFO[0006] Unpacking rootfs as cmd COPY --chmod=444 test/ /file/ requires it.
INFO[0009] COPY --chmod=444 test/ /file/
INFO[0009] Taking snapshot of files...
INFO[0009] USER nobody
INFO[0009] Cmd: USER
INFO[0009] RUN ls -al /file
INFO[0009] Initializing snapshotter ...
INFO[0009] Taking snapshot of full filesystem...
INFO[0009] Cmd: /bin/sh
INFO[0009] Args: [-c ls -al /file]
INFO[0009] Util.Lookup returned: &{Uid:65534 Gid:65534 Username:nobody Name:nobody HomeDir:/nonexistent}
INFO[0009] Performing slow lookup of group ids for nobody
INFO[0009] Running: [/bin/sh -c ls -al /file]
ls: cannot access '/file/.': Permission denied
ls: cannot access '/file/..': Permission denied
ls: cannot access '/file/orc-image.py': Permission denied
ls: cannot access '/file/orc-prod.json': Permission denied
ls: cannot access '/file/orc-qa.json': Permission denied
ls: cannot access '/file/prod-deployments.yml': Permission denied
ls: cannot access '/file/qa-deployments.yml': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
-????????? ? ? ? ? ? orc-image.py
-????????? ? ? ? ? ? orc-prod.json
-????????? ? ? ? ? ? orc-qa.json
-????????? ? ? ? ? ? prod-deployments.yml
-????????? ? ? ? ? ? qa-deployments.yml
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1
Expected behavior
Permissions in the resultant image should match what docker build would produce:
% docker build -t test .
[+] Building 0.1s (8/8) FINISHED docker:orbstack
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 111B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 233B 0.0s
=> [1/3] FROM docker.io/library/ubuntu:latest 0.0s
=> CACHED [2/3] COPY --chmod=444 test/ /file/ 0.0s
=> [3/3] RUN ls -al /file 0.1s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:1f2b02e83e2daa059665c7eb899f429ffb861689bc282c91e59165be68c335bf 0.0s
=> => naming to docker.io/library/test 0.0s
% docker run --rm -it test ls -al /file
total 54752
drwxr-xr-x 1 root root 148 May 16 15:38 .
drwxr-xr-x 1 root root 0 May 16 15:50 ..
-r--r--r-- 1 root root 1174 May 3 21:05 orc-image.py
-r--r--r-- 1 root root 20460918 May 3 19:45 orc-prod.json
-r--r--r-- 1 root root 14150325 May 3 19:45 orc-qa.json
-r--r--r-- 1 root root 10460937 May 3 20:36 prod-deployments.yml
-r--r--r-- 1 root root 10983529 May 3 19:53 qa-deployments.yml
To Reproduce
Steps to reproduce the behavior:
Run a build:
- failing build -> docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.23.0 --context /files --dockerfile /files/dockerfile --no-push
- working build -> docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.22.0 --context /files --dockerfile /files/dockerfile --no-push
- working with docker build -> docker build -t test .
Additional Information
- Dockerfile:
FROM ubuntu
COPY --chmod=444 test/ /file/
USER nobody
RUN ls -al /file
- Build Context
Using the provided dockerfile, you need a test/ directory that contains files to copy. The specifics of the files themselves do not appear to be relevant.
- Kaniko Image (fully qualified with digest)
gcr.io/kaniko-project/executor@sha256:5921c3c4a992cad7e20d60e46aac8926baa2c8ed716d0f5ffc2c9e1e166e6286
Triage Notes for the Maintainers
| Description | Yes/No |
|---|---|
| Please check if this is a new feature you are proposing | |
| Please check if the build works in docker but not in kaniko | |
| Please check if this error is seen when you use --cache flag | |
| Please check if your dockerfile is a multistage dockerfile | |
https://github.com/GoogleContainerTools/kaniko/issues/2850 might be related to this.
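As an added example (not code from this issue or from kaniko): a POSIX shell helper that rebuilds the reported failure mode on a constructed scratch tree, lists the directories a non-root user such as nobody cannot enter, and restores the search bit on directories only. The function names, the scratch tree and the a+X repair are assumptions of this example, not kaniko behaviour; only the file names mirror the report.

```shell
#!/bin/sh
# Added example, not kaniko code. Assumes POSIX sh plus find, chmod, ls, mktemp.
# Directories under ROOT lacking the "other" search (x) bit: a non-root user such as
# nobody cannot enter them even when the files inside are world-readable.
# -prune keeps find from descending into a directory it could not search anyway.
list_untraversable_dirs() {
    find "$1" -type d ! -perm -001 -print -prune
}

count_untraversable_dirs() {
    list_untraversable_dirs "$1" | wc -l | tr -d ' '
}

mode_of() {                             # e.g. -r--r--r--, same on GNU and BSD ls
    ls -ld "$1" | cut -c1-10
}

# Constructed stand-in for what the report shows kaniko v1.23.0 leaving behind:
# 0444 on the copied files and on the copied directory itself.
make_broken_tree() {
    mkdir -p "$1/file"
    chmod 755 "$1"                      # only the copied directory is at fault
    printf 'print("constructed sample")\n' > "$1/file/orc-image.py"
    printf '{}\n' > "$1/file/orc-qa.json"
    chmod 444 "$1/file/orc-image.py" "$1/file/orc-qa.json"
    chmod 444 "$1/file"                 # the bug: dr--r--r--
}

# Restore search permission on directories only: chmod's capital X sets execute on
# directories and on files that already have an execute bit, so 0444 files stay 0444.
# Fix top-down and re-scan: a newly searchable directory may hide more broken ones.
repair_dir_search_bits() {
    while dirs=$(list_untraversable_dirs "$1"); [ -n "$dirs" ]; do
        printf '%s\n' "$dirs" | while IFS= read -r d; do
            chmod a+X "$d" || exit 1
        done || return 1
    done
}

cleanup_tree() {                        # repaired dirs are r-x: add w before rm
    chmod -R u+w "$1" && rm -rf "$1"
}

demo() {
    root=$(mktemp -d) && make_broken_tree "$root"
    echo "before: $(count_untraversable_dirs "$root") untraversable dir(s)"
    repair_dir_search_bits "$root"
    echo "after: $(count_untraversable_dirs "$root") untraversable dir(s)"
    ls -al "$root/file" && cleanup_tree "$root"
}
```

The same list_untraversable_dirs check can be run in a RUN step against the copied path to catch this regression at build time.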
+1 Same problem
+1, have same problem