New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dockerfile: ADD does not honor USER: files always owned by root #6119
Comments
Cool, I'll do it on weekend :) |
FYI, I'm not sure we want this behavior, we will need to discuss first |
I'm relatively new to Docker and this had confused me at first as well. Every time I have to add files that should belong to a non-root user, I have to do I had just assumed it was expected behavior and there was a good reason for it. The documentation for
|
I don't think making |
@unclejack Why do you think this isn't a good idea? I think it's what the user expects: All following operations will be executed as the given user. |
I just got bitten by this and gotta say it's a surprise that ADD does not respect the preceding USER declaration. If someone wants to add as root, simply run ADD before the USER is set to something else, as one would do w/ RUN. +1 for this |
Keep in mind we're recommend that people run their services as a non-privileged user. Inconveniences like this behavior will prevent people from following that. |
Are there any issues running a chown after you add things? Ref: https://github.com/crosbymichael/influxdb-docker/blob/master/Dockerfile#L9 |
Doesn't AUFS have issues with tracking ownership/mode changes? |
@tianon yes |
@crosbymichael yeah, this is very inconvenient. for example I have postgres image, there is already
Also I must know about |
Proposal: a second form of the ADD command. I'd love to be able to do:
|
I open a proposal a few days ago that addresses this issue: #7537. Essentially, after talking on IRC, it was decided that only |
Hi guys, any update on this issue? |
Being forced to ADD and then RUN chown has a very nasty side-effect of artificially bloating docker images. For example:
I ran build on this once without the chown and once with:
And we can see what is happening via docker history:
When we consider that a large application might have several hundred megabytes or more, this chown becomes very expensive. |
#9934 has been opened to fix this issue (my patches were rejected). |
I had permission issues with the centos image running on MacOS/Boot2Docker 1.4.1. It cause the javaee6angularjs.war to be copied using root ownership and 740 permission. That caused WildFly to throw a FileNotFoundException. The proposed changes fix that issue by placing the file under wildfly ownership. There's a docker issue opened about that issue: moby/moby#6119
This behavior really, really needs to be changed to make sure
|
@goldmann agree on all points! |
This topic was discussed by the maintainers and, while they agreed that having For this reason, #9934 was created to come with alternatives. An implementation of this is created in #10775, which is currently under review. For those interested, please follow the review/discussion on #9934 to check progress. |
@kostickm is working on a proposal for this. |
I think fix this problem will help to decrease images size. Specify users when ADD files is a great idea! For example, if I ADD a binary like Hadoop, then chown it to hadoop user, the image size will increase 100+MB! That's why I decided to install hadoop under root user:( |
Also, if someone wants to change the owner and group owner of the files added inside the docker image via COPY or ADD, that actually increases the size of the image by the size of the files added. It would be great to have COPY2 so that the USER with whom we're actually copying the files inside the docker image becomes the owner and groupowner. |
I'm subscribed on this issue since maybe two years, and I'm really puzzled why no solution has been found, whatever this looks like One of the first arguments was that the Dockerfile format is frozen. That might have been true at that time, but does not hold anymore as there as been some changes since then (like Since the last release the option So what are the arguments against a |
@thaJeztah i tried to be ironic about the developers lamenting that fixing this bug would be a breaking change. no shit, who would have thought! just the amount of discussion that happens in the numerous threads that i encountered is a lot of time wasted, both by the developers and by the users. and all that for what? trying to protect some hypothetical users who knowingly relied on the behavior that COPY, rather surprisingly, ignores USER? what are major version numbers for? and release notes? if there actually exists anyone who relies on this bug then they should not upgrade to a new major release, or read the release notes. and let's say their code is broken because they didn't read the release notes... what about the tons of users who get bitten by this every single day? maybe one outweighs the other... |
So, this is considered to be a breaking change while renaming the whole project is not? |
This was commited a few months ago: 0725045. I'll leave it just here. |
Well, just to vent my frustration - this just caught me out (and I've been using Docker for a year now). How is this still a problem? |
Wow. I'm a complete Docker newb and just ran into this one. From my virgin perspective, I absolutely expected ADD and COPY to respect USER. That they don't was a source of considerable astonishment that increased exponentially when I saw just how long ago this issue was raised and how simple the apparent fix is. I don't generally post to zombie threads, but felt obliged to add my insignificant voice to the general chorus of bafflement expressed here. |
This issue was closed because ... ? |
As a workaround using Alpine for me it was:
|
@ehernandez-xk Hey, Looks like you didn't read the previous comments. Though this seems to be a workaround, but this is going to increase your image size by the size of your xfile. what if incase the files I'm copying inside the docker image is of 1Gb. I can't afford to have my image size increased by 1GB. |
@italomaia Not sure, why this issue was closed? @thaJeztah This is not fixed. |
It also may take an unacceptably long amount of time. |
Hey @jessfraz is the reason why this issue was closed still valid? |
Perhaps there is some way to figure out how much storage space is being used on AWS to store docker FS layers that do nothing but change ownership of a previously-copied resource, and offer a bounty based upon the cost of such storage... Who knows, maybe Amazon would like a few terabytes of storage back...
… On Jun 8, 2017, at 5:24 PM, David Antliff ***@***.***> wrote:
As with other issues, round and round we go. The fact that no Docker developer has reopened this speaks volumes about the way the Docker project is run. This is a common criticism of Docker's developers and it's a red flag for anyone thinking of building production infrastructure on Docker. I recommend looking at other options, as this situation doesn't look like it's going to improve.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#6119 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AYDy42P0kzpN4ALmiOSlagXjrfvm64JPks5sCGadgaJpZM4B_uID>.
|
@ehernandez-xk @borntorock it seems we could use --squash as a workaround simultaneously with chown |
+1 |
Personally, my biggest problem with the status quo is the amount of time the separate chown operation takes, as is seems to be copying the files as it changes ownership. Adding squash would presumably just make this worse...
… On Jun 12, 2017, at 2:11 PM, Kirill Beresnev ***@***.***> wrote:
@ehernandez-xk <https://github.com/ehernandez-xk> @borntorock <https://github.com/borntorock> it seems we could use --squash as a workaround simultaneously with chown
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#6119 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AYDy42WPKw3o-dksFpTnMulbqyASLmtqks5sDSsHgaJpZM4B_uID>.
|
TL;DR non-intuitive behavior; use |
@thiagowfx Your tl;dr summarizes a little too aggressively - it bears mentioning that this will double the size of your docker image. |
The additional build time is also a concern. For me at least, when adding a large archive, the chown -R seems to take longer than the original ADD operation.
… On Jul 11, 2017, at 4:32 PM, Paul Phillips ***@***.***> wrote:
@thiagowfx <https://github.com/thiagowfx> Your tl;dr summarizes a little too aggressively - it bears mentioning that this will double the size of your docker image.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#6119 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AYDy45yLHw__ewUuVJez78OrPBT5dYJbks5sM9vggaJpZM4B_uID>.
|
It's typically worse than just a
It can be improved by allowing your user to run Surely something like the following is better for everyone?
Can the Docker Engine plugin interface be used to implement new commands such as this? |
There is already a PR for this particular problem, but it is closed, waiting for some discussions to end. #28499 |
This is extremely painful when having to do an |
To save those who are interested in seeing this fixed a lot of time: here is the current attempt to implement a fix. |
Agree, this is not intuitive. However, under the hood, docker is running itself and the build as |
This feature has now been implemented through an optional The feature is included in Docker 17.09 and up, and allows you to do; ADD --chown=someuser:somegroup /foo /bar
COPY --chown=someuser:somegroup /foo /bar Or other combinations of user/group name (or ID);
There are two additional feature requests in this area;
Given that the original problem was addressed (the implementation is different from the one proposed in this issue, you can read the discussion in #9934 and #9934 (comment) for more background on that), I'm locking the discussion on this issue to prevent it from collecting other (possibly unrelated) comments. If you arrive on this issue because this feature is not working as expected, or you think other enhancements can be made; please open a new issue instead so that it can be tracked separately (feel free to add a link to this issue if you think it's relevant). |
Hi,
consider this Dockerfile:
/foo in the container will be owned by root, not by 'foo' as one might expect. There are easy workaround but it's still a inconsistency which should be fixed at some point.
The text was updated successfully, but these errors were encountered: