podman
podman copied to clipboard
containers
Podman fails to change access rights during podman build phase
Issue Description
My problem:
During buildphase i want to change the user and group access rights in an existing docker image. Therefor i have made the following Dockerfile:
FROM docker.io/xebialabs/xl-deploy:23.3.6
USER root
RUN chown -R 0:0 /opt/xebialabs
When i do:
podman build -t xebialabs-mod:latest .
I expect podman to change the ownership of the files in /opt/xebialabs from xebialabs:xebialabs to root:root.
But it does it's job partially, many files are changed except some directories.
podman run -it --entrypoint /bin/bash localhost/xebialabs-mod:latest
[root@a0a1e338b782 xl-deploy-server]# ls -l /opt/xebialabs/xl-deploy-server/
total 64
drwxrwxr-x. 1 root root 6 Apr 9 09:36 archive
drwxrwxr-x. 1 root root 4096 Apr 9 09:36 bin
drwxrwxr-x. 1 root root 4096 Apr 9 09:36 central-conf
drwxrwxr-x. 2 xebialabs xebialabs 96 Apr 1 17:58 centralConfiguration
drwxrwxr-x. 2 xebialabs xebialabs 6 Apr 9 09:36 conf
drwxrwxr-x. 1 root root 4096 Apr 9 09:36 default-conf
drwxrwxr-x. 1 root root 61 Apr 1 17:58 default-plugins
drwxrwxr-x. 1 root root 88 Apr 1 18:02 derbyns
drwxrwxr-x. 1 root root 4096 Apr 1 18:02 doc
drwxrwxr-x. 2 xebialabs xebialabs 6 Apr 9 09:36 export
drwxrwxr-x. 2 xebialabs xebialabs 65 Apr 1 17:58 ext
drwxrwxr-x. 1 root root 45 Apr 1 17:58 hotfix
drwxrwxr-x. 5 xebialabs xebialabs 84 Apr 1 17:58 importablePackages
drwxrwxr-x. 1 root root 28672 Apr 9 09:36 lib
drwxrwxr-x. 1 root root 24 Apr 1 17:58 log
drwxrwxr-x. 1 root root 37 Apr 9 09:36 node-conf
drwxrwxr-x. 2 xebialabs xebialabs 6 Apr 9 09:36 plugins
drwxrwxr-x. 1 root root 6 Apr 9 09:36 reports
drwxrwxr-x. 2 xebialabs xebialabs 6 Apr 9 09:36 repository
drwxrwxr-x. 1 root root 144 Apr 1 17:58 samples
drwxrwxr-x. 1 root root 4096 Apr 1 18:02 serviceWrapper
drwxrwxr-x. 2 xebialabs xebialabs 6 Apr 9 09:36 work
It seems that all directories previously defined as Volumes in the from/base image do not change. Why? Docker (desktop) does not have this problem but had a know bug for this.
Steps to reproduce the issue
Steps to reproduce the issue
- create Dockerfile
- podman build -t xebialabs-mod:latest .
- podman run -it --entrypoint /bin/bash localhost/xebialabs-mod:latest
Describe the results you received
Access rights on files are changed but not on directories earlier defined as Volumes in the baseimage
Describe the results you expected
Alle files and directories scoped by RUN chown -R 0:0 /opt/xebialabs are changed
podman info output
$ podman version
Client: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.22.0
Git Commit: 8d2b55ddde1bc81f43d018dfc1ac027c06b26a7f
Built: Tue Feb 13 23:43:32 2024
OS/Arch: darwin/amd64
Server: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.21.7
Built: Mon Feb 19 16:41:34 2024
OS/Arch: linux/amd64
podman version
Client: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.22.0
Git Commit: 8d2b55ddde1bc81f43d018dfc1ac027c06b26a7f
Built: Tue Feb 13 23:43:32 2024
OS/Arch: darwin/amd64
Server: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.21.7
Built: Mon Feb 19 16:41:34 2024
OS/Arch: linux/amd64
$ podman info
host:
arch: amd64
buildahVersion: 1.33.5
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.10-1.fc39.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.10, commit: '
cpuUtilization:
idlePercent: 82.27
systemPercent: 9.25
userPercent: 8.47
cpus: 1
databaseBackend: sqlite
distribution:
distribution: fedora
variant: coreos
version: "39"
eventLogger: journald
freeLocks: 1898
hostname: localhost.localdomain
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 1000000
uidmap:
- container_id: 0
host_id: 1058166121
size: 1
- container_id: 1
host_id: 100000
size: 1000000
kernel: 6.7.9-200.fc39.x86_64
linkmode: dynamic
logDriver: journald
memFree: 97513472
memTotal: 2058485760
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.10.0-1.fc39.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.10.0
package: netavark-1.10.3-1.fc39.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.10.3
ociRuntime:
name: crun
package: crun-1.14.4-1.fc39.x86_64
path: /usr/bin/crun
version: |-
crun version 1.14.4
commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
rundir: /run/user/1058166121/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20240220.g1e6f92b-1.fc39.x86_64
version: |
pasta 0^20240220.g1e6f92b-1.fc39.x86_64
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/user/1058166121/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.2-1.fc39.x86_64
version: |-
slirp4netns version 1.2.2
commit: 0ee2d87523e906518d34a6b423271e4826f71faf
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 0
swapTotal: 0
uptime: 0h 10m 1.00s
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /var/home/core/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /var/home/core/.local/share/containers/storage
graphRootAllocated: 106769133568
graphRootUsed: 8094015488
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 2
runRoot: /run/user/1058166121/containers
transientStore: false
volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
APIVersion: 4.9.3
Built: 1708357294
BuiltTime: Mon Feb 19 16:41:34 2024
GitCommit: ""
GoVersion: go1.21.7
Os: linux
OsArch: linux/amd64
Version: 4.9.3
$ podman machine ssh
Connecting to vm podman-machine-default. To close connection, use `~.` or `exit`
Fedora CoreOS 39.20240322.2.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos
Last login: Fri Mar 22 10:20:00 2024 from 192.168.127.1
core@localhost:~$ rpm -q podman
podman-4.9.3-1.fc39.x86_64
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Additional environment details
Additional information
This issue happens also on a RedHat podman installation so it does not seems to be limited to Mac only.
This is one of those differences in behavior between the BuildKit-based version of docker build and the V1 version of it, where our behavior around treating VOLUME locations imitates the V1 behavior.
But this means that it is not possible to change the ownership of a directory once it is defined as a volume in the base image. Or is there a workaround to solve this? It can't be true that i have to export the container to a tar file and import it again to undo the previous volume definitions.
A friendly reminder that this issue had no activity for 30 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}