-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unpacked images should add back file permissions for group/other. #349
Comments
Thanks for the issue. I think the solution looks good. Going to move this to carvel accepted, if someone thinks this might cause any problem with their setup, just let us know. |
@GrahamDumpleton if this is blocking you in some way let us know and we can move this to a higher priority |
For my primary use cases where permissions matter, the execution of imgpkg is wrapped up in a script so I am able to fix up permissions myself for now. |
Also asked in Slack, but will this change end up getting inherited by |
Has I replied in Slack, vendir consumes imgpkg as a binary, so as soon as we have a new version of imgpkg and you download it to your machine, it should just work with vendir |
The merged changed doesn't seem to entirely do what is required, but is very close. The problem now is that the root directory permissions aren't set right. Everything else underneath is okay.
When run under
|
Under
|
Describe the problem/challenge you have
The
imgpkg push -i
option supports being able to create OCI artefact images containing arbitrary files. Thus it can serve as the equivalent of hosting a tarball on a website, but where things are stored as an image on an image registry.As much as this appeals as a general solution for packaging up arbitrary files for distribution it suffers a problem.
The problem is that when you run
imgpkg push
the directories/files copied into the image only preserve user permissions and group/other permissions are discarded. As such, when usingimgpkg pull
to download and unpack the image, directories/files get unpacked with only user permission set. For example:This is always the case, and is nothing to do with a user using a restrictive umask. In other words this happens even if the user umask is 022, which should preserve group/other permissions for
r-x
.An example of where this is problematic is where the image artefact is used to hold source code files that a user downloads and then needs to run a
docker build
in to create a runnable container image.The problem in this case is that if files are copied into the container image using
COPY
in theDockerfile
they are done so with only user file permissions, but in the container image the files would be owned by root. If the container image is then run as non root it can't access the files copied into the container image.Describe the solution you'd like
Best solution may be to continue only storing the file permissions in the image, but when unpacking copy the user permissions to group/other, but where whether those permissions persist will depend on the users umask.
Using this approach, where a change is only made in
imgpkg pull
behaviour, any images created with an olderimgpkg
version would also work the same. So not dependent on whatimgpkg push
did.So instead of the above result, if the umask had been 022, you would get:
This is how a Git server effectively works when a fresh copy is checked out.
Anything else you would like to add:
If working in a controlled environment where you know what the umask would be, you can work around the issue if for example you know the umask would be 022, by running:
This is okay if being done in a script, but if the user is directly running the
imgpkg pull
command, it is inconvenient to have to tell them to fix up permissions.Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you want to help work on this issue.
The text was updated successfully, but these errors were encountered: