Upgrade to Version 4.34.0 with VirtioFS breaks file permissions again
Description
We had the issue that a team member was not able to run composer install in a docker container without any git dubious ownership errors in some composer packages.
I was trying to reproduce the issue and could not find anything at first, until I saw that there was a Docker.app upgrade from version 4.33.0 to 4.34.0. Finally I could reproduce the issue. I downgraded Docker to 4.33.0 again to reproduce the previous state. It was running fine, but not with 4.34.0. After checking the issues I found the ones about permission issues with VirtioFS. I tried the upgrade again with version 4.34.0 and switched the file sharing setting from VirtioFS to gRPC FUSE, and it was working as expected.
Reproduce
- Upgrade Docker.app to 4.34.0 and restart the app (file sharing is set to VirtioFS in Docker).
- In a Docker stack with a composer.json that has some git-based packages, delete the vendor directory.
- Run docker compose exec containername bash to get into the container console.
- Run composer install.
- You will get some of the following errors while installing some composer packages:
Install of any/package failed
The cloning process into a directory will fail with this error summary:
fatal: detected dubious ownership in repository at 'install target directory'
Expected behavior
The install process with composer install runs without any (permission) errors.
docker version
Client:
Version: 27.2.0
API version: 1.47
Go version: go1.21.13
Git commit: 3ab4256
Built: Tue Aug 27 14:14:45 2024
OS/Arch: darwin/arm64
Context: desktop-linux
Server: Docker Desktop 4.34.0 (165256)
Engine:
Version: 27.2.0
API version: 1.47 (minimum version 1.24)
Go version: go1.21.13
Git commit: 3ab5c7d
Built: Tue Aug 27 14:15:41 2024
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.7.20
GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353
runc:
Version: 1.1.13
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 27.2.0
Context: desktop-linux
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.16.2-desktop.1
Path: /Users/username/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.29.2-desktop.2
Path: /Users/username/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.34
Path: /Users/username/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Alpha) (Docker Inc.)
Version: v0.0.15
Path: /Users/username/.docker/cli-plugins/docker-desktop
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /Users/username/.docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.25
Path: /Users/username/.docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.5
Path: /Users/username/.docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.3.0
Path: /Users/username/.docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/username/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.13.0
Path: /Users/username/.docker/cli-plugins/docker-scout
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 81
Server Version: 27.2.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
runc version: v1.1.13-0-g58aa920
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
cgroupns
Kernel Version: 6.10.4-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 10
Total Memory: 9.706GiB
Name: docker-desktop
ID: 4e2c7e85-7a13-40e7-9f3b-7b6497b95c22
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/username/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
Diagnostics ID
CDFACD1D-F7C3-4893-A89D-9066ADF69301
Additional Info
No response
Hm.. wondering if this is related to CVE-2024-32004 - the fix for that introduced an error message about "dubious ownership"; https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
Looks like VirtioFS was broken on purpose to sell the new subscription-only file sharing. Downgrading to 4.33 fixed misc. file-sharing-related issues.
Still an issue on 4.34.3. Steps I executed to reproduce this issue: The issue is that git directories created are owned by root and not by "you". Commands run in php:8.3.12-fpm-alpine3.20@sha256:14c0faa46fc5c34c662950b607562f67de5c34a5df4d431274fc13ad76744060
/app $ id -u
503
/app $ id -g
20
/app $ cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
...
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin
app:x:503:20:Linux User,,,:/home/app:/sbin/nologin
/app $ cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
...
ping:x:999:
nogroup:x:65533:
nobody:x:65534:
app:x:20:app
Without VirtioFS, no permission issues:
# Clone From local directory
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/app/vendor/test/bundle' --dissociate --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (142/142), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 134), reused 324 (delta 134), pack-reused 0 (from 0)
# Permissions of local path that's cloned
/app $ ls -la ~/.composer/cache/vcs/https---bitbucket.org-bundle.git/
total 44
drwxr-sr-x 7 app dialout 4096 Oct 11 10:27 .
drwxr-sr-x 7 app dialout 4096 Oct 11 10:27 ..
-rw-r--r-- 1 app dialout 21 Oct 11 10:27 HEAD
drwxr-sr-x 2 app dialout 4096 Oct 11 10:27 branches
-rw-r--r-- 1 app dialout 333 Oct 11 10:27 config
-rw-r--r-- 1 app dialout 73 Oct 11 10:27 description
drwxr-sr-x 2 app dialout 4096 Oct 11 10:27 hooks
drwxr-sr-x 2 app dialout 4096 Oct 11 10:27 info
drwxr-sr-x 4 app dialout 4096 Oct 11 10:27 objects
-rw-r--r-- 1 app dialout 951 Oct 11 10:27 packed-refs
drwxr-sr-x 4 app dialout 4096 Oct 11 10:27 refs
# Check that permissions are app:dialout
/app $ ls -la vendor/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 .
drwxr-xr-x 33 app dialout 1056 Oct 11 10:27 ..
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 .
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 ..
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 bundle
/app $ ls -la vendor/test/bundle/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 .
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 ..
drwxr-xr-x 12 app dialout 384 Oct 11 10:27 .git
/app $ ls -la vendor/test/bundle/.git/
total 16
drwxr-xr-x 12 app dialout 384 Oct 11 10:27 .
drwxr-xr-x 3 app dialout 96 Oct 11 10:27 ..
-rw-r--r-- 1 app dialout 21 Oct 11 10:27 HEAD
drwxr-xr-x 2 app dialout 64 Oct 11 10:27 branches
-rw-r--r-- 1 app dialout 303 Oct 11 10:27 config
-rw-r--r-- 1 app dialout 73 Oct 11 10:27 description
drwxr-xr-x 15 app dialout 480 Oct 11 10:27 hooks
drwxr-xr-x 4 app dialout 128 Oct 11 10:27 info
drwxr-xr-x 4 app dialout 128 Oct 11 10:27 logs
drwxr-xr-x 4 app dialout 128 Oct 11 10:27 objects
-rw-r--r-- 1 app dialout 969 Oct 11 10:27 packed-refs
drwxr-xr-x 5 app dialout 160 Oct 11 10:27 refs
# Check that creating a directory has the expected permissions
/app $ rm -rf vendor/
/app $ mkdir -p vendor/test
/app $ ls -la vendor/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 10:28 .
drwxr-xr-x 33 app dialout 1056 Oct 11 10:28 ..
drwxr-xr-x 2 app dialout 64 Oct 11 10:28 test
With VirtioFS, permission issues, but only (as expected) in bind mounts:
# Clone From local directory
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/app/vendor/test/bundle' --dissociate --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (141/141), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 135), reused 324 (delta 135), pack-reused 0 (from 0)
# Permissions of local path that's cloned
/app $ ls -la ~/.composer/cache/vcs/https---bitbucket.org-bundle.git/
total 44
drwxr-sr-x 7 app dialout 4096 Oct 11 10:30 .
drwxr-sr-x 7 app dialout 4096 Oct 11 10:30 ..
-rw-r--r-- 1 app dialout 21 Oct 11 10:30 HEAD
drwxr-sr-x 2 app dialout 4096 Oct 11 10:30 branches
-rw-r--r-- 1 app dialout 331 Oct 11 10:30 config
-rw-r--r-- 1 app dialout 73 Oct 11 10:30 description
drwxr-sr-x 2 app dialout 4096 Oct 11 10:30 hooks
drwxr-sr-x 2 app dialout 4096 Oct 11 10:30 info
drwxr-sr-x 4 app dialout 4096 Oct 11 10:30 objects
-rw-r--r-- 1 app dialout 951 Oct 11 10:30 packed-refs
drwxr-sr-x 4 app dialout 4096 Oct 11 10:30 refs
# Check that permissions are app:dialout, but are root!
/app $ ls -la vendor/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 10:30 .
drwxr-xr-x 33 app dialout 1056 Oct 11 10:30 ..
drwxr-xr-x 3 root root 96 Oct 11 10:30 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x 3 root root 96 Oct 11 10:30 .
drwxr-xr-x 3 app dialout 96 Oct 11 10:30 ..
drwxr-xr-x 3 root root 96 Oct 11 10:30 bundle
/app $ ls -la vendor/test/bundle/
total 0
drwxr-xr-x 3 root root 96 Oct 11 10:30 .
drwxr-xr-x 3 root root 96 Oct 11 10:30 ..
drwxr-xr-x 12 root root 384 Oct 11 10:30 .git
/app $ ls -la vendor/test/bundle/.git/
total 16
drwxr-xr-x 12 root root 384 Oct 11 10:30 .
drwxr-xr-x 3 root root 96 Oct 11 10:30 ..
-rw-r--r-- 1 app dialout 21 Oct 11 10:30 HEAD
drwxr-xr-x 2 app dialout 64 Oct 11 10:30 branches
-rw-r--r-- 1 app dialout 303 Oct 11 10:30 config
-rw-r--r-- 1 app dialout 73 Oct 11 10:30 description
drwxr-xr-x 15 app dialout 480 Oct 11 10:30 hooks
drwxr-xr-x 4 app dialout 128 Oct 11 10:30 info
drwxr-xr-x 4 root root 128 Oct 11 10:30 logs
drwxr-xr-x 4 app dialout 128 Oct 11 10:30 objects
-rw-r--r-- 1 app dialout 969 Oct 11 10:30 packed-refs
drwxr-xr-x 5 app dialout 160 Oct 11 10:30 refs
# Clone From local directory into NON bind mounted path
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/tmp/app/vendor/test/bundle' --dissociate --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/tmp/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (141/141), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 135), reused 324 (delta 135), pack-reused 0 (from 0)
# Check that permissions are app:dialout, which they are
/app $ ls -la /tmp/app/
total 16
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 .
drwxrwxrwt 1 app dialout 4096 Oct 11 10:31 ..
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 vendor
/app $ ls -la /tmp/app/vendor/
total 12
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 .
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 ..
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 test
/app $ ls -la /tmp/app/vendor/test/
total 12
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 .
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 ..
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 bundle
/app $ ls -la /tmp/app/vendor/test/bundle/
total 12
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 .
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 ..
drwxr-xr-x 8 app dialout 4096 Oct 11 10:31 .git
/app $ ls -la /tmp/app/vendor/test/bundle/.git/
total 48
drwxr-xr-x 8 app dialout 4096 Oct 11 10:31 .
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 ..
-rw-r--r-- 1 app dialout 21 Oct 11 10:31 HEAD
drwxr-xr-x 2 app dialout 4096 Oct 11 10:31 branches
-rw-r--r-- 1 app dialout 284 Oct 11 10:31 config
-rw-r--r-- 1 app dialout 73 Oct 11 10:31 description
drwxr-xr-x 2 app dialout 4096 Oct 11 10:31 hooks
drwxr-xr-x 2 app dialout 4096 Oct 11 10:31 info
drwxr-xr-x 3 app dialout 4096 Oct 11 10:31 logs
drwxr-xr-x 4 app dialout 4096 Oct 11 10:31 objects
-rw-r--r-- 1 app dialout 969 Oct 11 10:31 packed-refs
drwxr-xr-x 5 app dialout 4096 Oct 11 10:31 refs
# Check that creating a directory has the expected permissions
/app $ rm -rf vendor/
/app $ mkdir -p vendor/test
/app $ ls -la vendor/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 10:40 .
drwxr-xr-x 33 app dialout 1056 Oct 11 10:40 ..
drwxr-xr-x 2 app dialout 64 Oct 11 10:40 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x 2 app dialout 64 Oct 11 10:40 .
drwxr-xr-x 3 app dialout 96 Oct 11 10:40 ..
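A scriptable version of the ls -la walk above, added here as an example and not code from the issue thread or from Docker or git: it flags every directory under a tree whose owner uid is not the one you expect, and checks the two directories git's ownership guard actually looks at (the worktree and its .git). Assumes a POSIX sh with GNU or busybox stat (stat -c), with a BSD stat (stat -f) fallback.

```shell
#!/bin/sh
# Added example (not from the issue): reproduce the ownership walk above
# as a check. Directories that come back owned by a different uid through
# the bind mount are exactly what makes git print
# "fatal: detected dubious ownership in repository at '...'".
# Assumes GNU/busybox stat (-c %u) and falls back to BSD stat (-f %u).

# owner_uid PATH: print the numeric owner uid of PATH.
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# find_foreign_owned ROOT EXPECTED_UID
# Prints "<uid> <path>" for every directory under ROOT that is not owned
# by EXPECTED_UID. Returns 0 if all match, 1 if anything was flagged.
find_foreign_owned() {
    flagged=$(find "$1" -type d | while IFS= read -r dir; do
        uid=$(owner_uid "$dir")
        [ "$uid" = "$2" ] || printf '%s %s\n' "$uid" "$dir"
    done)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# would_git_refuse REPO EXPECTED_UID
# git's safe.directory guard inspects the worktree directory and the .git
# directory themselves, not the files inside them, so a clone whose
# HEAD/config/refs are yours but whose vendor/test/bundle and .git came back
# root-owned (as in the VirtioFS listing above) still trips the check.
# Returns 0 when git would refuse, 1 when both owners match.
would_git_refuse() {
    [ "$(owner_uid "$1")" != "$2" ] || [ "$(owner_uid "$1/.git")" != "$2" ]
}

# Stand-alone usage inside the container, as the user composer runs as:
#   find_foreign_owned vendor "$(id -u)" && echo "vendor tree owned by uid $(id -u)"
#   would_git_refuse vendor/test/bundle "$(id -u)" && echo "git would refuse here"
```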
Also tested with 4.33.0 now, and it works as expected with VirtioFS enabled. Will stick to this version till it's resolved in 4.34.
# Clone From local directory
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/app/vendor/test/bundle' --dissociate --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (141/141), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 135), reused 324 (delta 135), pack-reused 0 (from 0)
# Permissions of local path that's cloned
/app $ ls -la ~/.composer/cache/vcs/https---bitbucket.org-bundle.git/
total 44
drwxr-sr-x 7 app dialout 4096 Oct 11 11:14 .
drwxr-sr-x 7 app dialout 4096 Oct 11 11:15 ..
-rw-r--r-- 1 app dialout 21 Oct 11 11:14 HEAD
drwxr-sr-x 2 app dialout 4096 Oct 11 11:14 branches
-rw-r--r-- 1 app dialout 333 Oct 11 11:14 config
-rw-r--r-- 1 app dialout 73 Oct 11 11:14 description
drwxr-sr-x 2 app dialout 4096 Oct 11 11:14 hooks
drwxr-sr-x 2 app dialout 4096 Oct 11 11:14 info
drwxr-sr-x 4 app dialout 4096 Oct 11 11:14 objects
-rw-r--r-- 1 app dialout 951 Oct 11 11:14 packed-refs
drwxr-sr-x 4 app dialout 4096 Oct 11 11:14 refs
# Check that permissions are app:dialout
/app $ ls -la vendor/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 .
drwxr-xr-x 33 app dialout 1056 Oct 11 11:15 ..
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 .
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 ..
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 bundle
/app $ ls -la vendor/test/bundle/
total 0
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 .
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 ..
drwxr-xr-x 12 app dialout 384 Oct 11 11:15 .git
/app $ ls -la vendor/test/bundle/.git/
total 16
drwxr-xr-x 12 app dialout 384 Oct 11 11:15 .
drwxr-xr-x 3 app dialout 96 Oct 11 11:15 ..
-rw-r--r-- 1 app dialout 21 Oct 11 11:15 HEAD
drwxr-xr-x 2 app dialout 64 Oct 11 11:15 branches
-rw-r--r-- 1 app dialout 303 Oct 11 11:15 config
-rw-r--r-- 1 app dialout 73 Oct 11 11:15 description
drwxr-xr-x 15 app dialout 480 Oct 11 11:15 hooks
drwxr-xr-x 4 app dialout 128 Oct 11 11:15 info
drwxr-xr-x 4 app dialout 128 Oct 11 11:15 logs
drwxr-xr-x 4 app dialout 128 Oct 11 11:15 objects
-rw-r--r-- 1 app dialout 969 Oct 11 11:15 packed-refs
drwxr-xr-x 5 app dialout 160 Oct 11 11:15 refs
No high hopes that this will get fixed.
The issue seems to be solved with DockerDesktop 4.35.0 released yesterday. https://docs.docker.com/desktop/release-notes/#4350
Hi, If you're still encountering this issue could you try again with the latest 4.35.1? Also it's worth looking in settings and trying it with both virtualisation.framework and Docker VMM (Settings -> General -> Virtual Machine Options) since they have subtle file ownership differences.
Let me know what happens!
I'll tentatively close this one but feel free to reopen if it still manifests with 4.37.1 (especially if it manifests with DockerVMM!)
This has been resolved! Thanks!