different behavior of `WORKDIR` in `docker buildx build`
The `WORKDIR` instruction seems to behave differently in `docker build` and `docker buildx build` runs. The directory created by `docker build` is owned by user root, whereas with `docker buildx build` the directory is owned by a formerly set `USER`.
1. used docker version
```
Client: Docker Engine - Community
Version: 20.10.18
API version: 1.41
Server: Docker Engine - Community
Engine:
Version: 20.10.18
API version: 1.41 (minimum version 1.12)
```
2. Dockerfile
```dockerfile
FROM curlimages/curl:7.85.0 AS builder
RUN id
RUN ls -ld /tmp/* || true
WORKDIR /tmp/some-dir
RUN ls -ld /tmp/some-dir
```
The Dockerfile is the only file in the current directory where the build commands are issued. For demonstration purposes the file was not optimized in any way.
3. `docker build --progress plain --no-cache --tag permissions .`
```
Step 1/5 : FROM curlimages/curl:7.85.0 AS builder
---> dddbb581f872
Step 2/5 : RUN id
---> Running in bd3ffdaf9925
uid=100(curl_user) gid=101(curl_group) groups=101(curl_group) <-- current user during build
Removing intermediate container bd3ffdaf9925
---> a961727489a3
Step 3/5 : RUN ls -ld /tmp/* || true
---> Running in d532a0a90f76
ls: /tmp/*: No such file or directory <-- directory does not yet exist
Removing intermediate container d532a0a90f76
---> 5dc22221fb2e
Step 4/5 : WORKDIR /tmp/some-dir
---> Running in fafae35eecb4
Removing intermediate container fafae35eecb4
---> d097f933bb4b
Step 5/5 : RUN ls -ld /tmp/some-dir
---> Running in d69aa1651cdf
drwxr-xr-x 2 root root 4096 Oct 9 21:32 /tmp/some-dir <-- directory user/group is root/root
```
4. `docker buildx build --progress plain --no-cache --tag permissions .`
```
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 156B done
#1 ...
#2 [internal] load .dockerignore
#2 transferring context: 2B 0.0s done
#2 DONE 3.0s
#1 [internal] load build definition from Dockerfile
#1 DONE 3.9s
#3 [internal] load metadata for docker.io/curlimages/curl:7.85.0
#3 DONE 0.0s
#4 [1/5] FROM docker.io/curlimages/curl:7.85.0
#4 CACHED
#5 [2/5] RUN id
#5 3.062 uid=100(curl_user) gid=101(curl_group) groups=101(curl_group) <-- current user during build
#5 DONE 4.8s
#6 [3/5] RUN ls -ld /tmp/* || true
#6 4.351 ls: /tmp/*: No such file or directory <-- directory does not yet exist
#6 DONE 6.5s
#7 [4/5] WORKDIR /tmp/some-dir
#7 DONE 3.8s
#8 [5/5] RUN ls -ld /tmp/some-dir
#8 4.136 drwxr-xr-x 2 curl_use curl_gro 4096 Oct 9 21:32 /tmp/some-dir <-- directory user/group is curl_user/curl_group
```
5. expected behavior
The created directory should have the same permissions in both cases.
In the documentation of Docker WORKDIR and buildx build I could not find a related section which would give a hint which behavior is the correct one to expect.
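
The comparison made by eye above can be scripted as a check over the two `--progress plain` logs. This is an added example, not part of the original post; the function names `dir_owner` and `same_owner` and the sample-log helpers are hypothetical, and the sample lines are copied from the two logs above with the `<--` annotations dropped.

```shell
#!/bin/sh
# Added example: compare the owner:group that `RUN ls -ld DIR` printed in two
# --progress plain build logs (classic builder vs. buildx/BuildKit).

# dir_owner DIR < build.log : print "owner:group" from the last ls -ld line for DIR
dir_owner() {
    # BuildKit prefixes step output with "#<step> <seconds> "; the classic builder does not.
    sed -E 's/^#[0-9]+ [0-9.]+ //' |
    awk -v dir="$1" '
        # ls -ld fields: mode links owner group size month day time path
        $1 ~ /^d/ && $9 == dir { found = $3 ":" $4 }
        END { if (found == "") exit 1; print found }'
}

# same_owner DIR LOG_A LOG_B : 0 = same owner:group, 1 = different, 2 = DIR not listed
same_owner() {
    a=$(dir_owner "$1" < "$2") || return 2
    b=$(dir_owner "$1" < "$3") || return 2
    [ "$a" = "$b" ] && return 0
    echo "owner of $1 differs between builds: $a vs $b" >&2
    return 1
}

# Sample lines copied from the two logs in this post (annotations dropped).
# Names are compared as printed; the buildx log shows them cut to 8 characters.
sample_classic() { cat <<'EOF'
Step 4/5 : WORKDIR /tmp/some-dir
Step 5/5 : RUN ls -ld /tmp/some-dir
 ---> Running in d69aa1651cdf
drwxr-xr-x 2 root root 4096 Oct 9 21:32 /tmp/some-dir
EOF
}
sample_buildkit() { cat <<'EOF'
#7 [4/5] WORKDIR /tmp/some-dir
#8 [5/5] RUN ls -ld /tmp/some-dir
#8 4.136 drwxr-xr-x 2 curl_use curl_gro 4096 Oct 9 21:32 /tmp/some-dir
EOF
}

logs=$(mktemp -d)
sample_classic > "$logs/classic.log"
sample_buildkit > "$logs/buildkit.log"
same_owner /tmp/some-dir "$logs/classic.log" "$logs/buildkit.log" || echo "exit status: $?"
```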