
Kaniko loses sticky bit on /tmp after COPY, causing apt-get update failures

Open ripiomatiascalvo opened this issue 11 months ago • 3 comments

Actual behavior

When building an image with Kaniko that copies files into /tmp, the permissions on /tmp get changed from drwxrwxrwt (1777) to drwxrwxr-x (0775) (the sticky bit is lost). As a result, running apt-get update fails with:

Couldn't create temporary file /tmp/apt.conf.xxxxx for passing config to apt-key
...
The repository ... is not signed.

In contrast, the same Dockerfile works as expected with docker build, and /tmp retains the sticky bit.

Expected behavior

Kaniko should preserve the sticky bit on /tmp so that apt-get commands (and other processes that rely on /tmp being 1777) do not fail. The build should succeed similarly to how it does with Docker.

To Reproduce

  1. Create a minimal Dockerfile (example below) that copies a folder into /tmp and then runs apt-get update.
  2. Build the image with Kaniko using a command like:
     docker run --rm -it \
       -v "$PWD":/workspace \
       -w /workspace \
       gcr.io/kaniko-project/executor:latest \
       --dockerfile Dockerfile \
       --context dir:///workspace \
       --destination localhost:5000/test:latest
  3. Observe that apt-get update fails with an error about creating temporary files in /tmp.

Additional Information

  • Dockerfile (simplified example reproducing the issue):
FROM public.ecr.aws/lts/ubuntu:20.04_stable

# Copy files into /tmp
COPY lib/. /tmp/

# Now apt-get update will fail due to lost sticky bit on /tmp
RUN apt-get update && apt-get install -y curl

  • Build Context: The lib directory contains arbitrary files (empty files/folders is enough to reproduce). The presence of that copy to /tmp is what changes the directory’s permissions.

  • Kaniko Image (fully qualified with digest): gcr.io/kaniko-project/executor:latest (Also tested with other Kaniko versions. Same result.)

Triage Notes for the Maintainers

Description | Yes/No
Please check if this is a new feature you are proposing | [ ]
Please check if the build works in docker but not in kaniko | [x]
Please check if this error is seen when you use --cache flag | [ ]
Please check if your dockerfile is a multistage dockerfile | [ ]

The same Dockerfile works fine with docker build. With Kaniko, /tmp is changed to drwxrwxr-x (0775), losing the sticky bit, which breaks apt-get. This issue persists even if you do RUN chmod 1777 /tmp in a prior layer, because the subsequent COPY seems to overwrite permissions.

ripiomatiascalvo, Jan 24 '25 15:01
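
Added example (not part of the issue and not Kaniko's code): a POSIX shell check that reports whether a directory still has the sticky, world-writable mode (1777) that the issue says /tmp loses. It assumes GNU `stat -c`; `dir_mode` and `tmp_status` are hypothetical helper names, and the scratch directories are constructed for the demo.

```shell
#!/bin/sh
# Added example: classify a directory's mode the way the issue describes it.
# Assumes GNU coreutils `stat -c`; helper names are hypothetical.

# Print the octal mode of directory $1 padded to four digits (1777, 0775, ...).
dir_mode() {
    raw=$(stat -c '%a' "$1") || return 1
    printf '%04d\n' "$raw"
}

# Print "ok" only when $1 is both sticky and world-writable, as /tmp should be.
# Otherwise print a comma-separated list of what is missing.
# Returns 2 if the directory cannot be inspected.
tmp_status() {
    mode=$(dir_mode "$1") || return 2
    special=${mode%???}   # first digit: setuid(4) / setgid(2) / sticky(1)
    other=${mode#???}     # last digit: permissions for "other"
    problems=""
    [ $((special & 1)) -eq 1 ] || problems="no-sticky"
    [ $((other & 2)) -eq 2 ] || problems="${problems:+$problems,}not-world-writable"
    echo "${problems:-ok}"
}

# Constructed demo: reproduce the two modes named in the issue in scratch dirs.
demo=$(mktemp -d)
mkdir "$demo/good" "$demo/bad"
chmod 1777 "$demo/good"   # drwxrwxrwt, the mode docker build leaves on /tmp
chmod 0775 "$demo/bad"    # drwxrwxr-x, the mode reported after Kaniko's COPY
for d in "$demo/good" "$demo/bad"; do
    echo "$(dir_mode "$d") $(tmp_status "$d")"
done
rm -rf "$demo"
```

Run against /tmp in a build step placed after the COPY, a result other than `ok` points at the permission change directly instead of at the later GPG error from apt-get.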

[INFO] [Fri Jan 24 13:52:54 UTC 2025]: W: GPG error: http://archive.ubuntu.com/ubuntu focal-updates InRelease: Couldn't create temporary file /tmp/apt.conf.3EWMzP for passing config to apt-key

ripiomatiascalvo, Jan 28 '25 13:01

I'm having the same error.

matiasgonzalocalvo, Feb 04 '25 16:02

Any solution?

ripiomatiascalvo, Feb 07 '25 15:02