Secret mounts with relative paths do not take WORKDIR into account #4491
Looks similar to this one #4452, I'll create a PR for this.
flouthoc added a commit to flouthoc/buildah that referenced this issue Jan 6, 2023
When working with `--mount=type=secret` allow `target`/`dst` to accept relative paths w.r.t. the configured work dir. See detailed use-case here: containers#4491

Closes: containers#4491

**Steps to reproduce the issue from containers#4491:**

1. Create Dockerfile and Makefile:

Dockerfile:
```
FROM docker.io/ubuntu:22.04
WORKDIR /somedir
RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt \
    printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt && \
    cp secret1.txt /root/secret-foo.txt && \
    cp secret2.txt /root/secret-bar.txt
```

Makefile:
```
DOCKER ?= docker

.PHONY: build-container
build-container:
	rm -rf build
	mkdir build
	echo "secret:foo" >build/secret1.txt
	echo "secret:bar" >build/secret2.txt
	buildah build --no-cache --secret id=secret-foo,src=build/secret1.txt --secret id=secret-bar,src=build/secret2.txt -t defanator/example:tag1 .
	podman run --rm -t -i defanator/example:tag1 cat /root/secret-foo.txt
	podman run --rm -t -i defanator/example:tag1 cat /root/secret-bar.txt
	podman rmi defanator/example:tag1
```

```
make
```

Signed-off-by: Aditya R <arajan@redhat.com>
Hi @defanator, thanks for reporting the issue. I was able to recreate it from the reproducer shared and I have created a PR #4509 which should close this.
flouthoc added a commit to flouthoc/buildah that referenced this issue Jan 9, 2023
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Building a container from Dockerfile with `WORKDIR` + using `--mount=type=secret` with relative destination path leads to inconsistent behavior.

Steps to reproduce the issue:

Dockerfile:

Makefile:

`DOCKER=podman make`.

Describe the results you received:

Secrets are being created in `/`, while commands are being executed under `/somedir`:

Describe the results you expected:

Successful build + run with secrets created in `/somedir`:

Running `podman` with `WORKDIR` commented in Dockerfile works:

Obviously, using absolute paths both in mount `dst=` option and after in commands also works.

Additional information you deem important (e.g. issue happens only occasionally):

100% reproducible, tested in root-less mode only.

Output of `podman version`:

Output of `podman info`:

Package info (e.g. output of `rpm -q podman` or `apt list podman` or `brew info podman`):

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No

Additional environment details (AWS, VirtualBox, physical, etc.):

OS details:
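
The path resolution this issue expects, as an added Go example (not buildah's code and not part of the original thread): a relative `dst`/`target` is joined onto the configured `WORKDIR`, while an absolute one is left alone. The helper name `resolveSecretTarget` is hypothetical, the inputs are constructed from the reproducer, and the `/run/secrets/<id>` fallback for a mount with no target is included for completeness.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// resolveSecretTarget returns the in-container path at which a
// RUN --mount=type=secret mount is expected to appear for a given WORKDIR.
// Hypothetical helper for illustration; not a buildah function.
func resolveSecretTarget(mountOpts, workdir string) (string, error) {
	var id, target string
	isSecret := false
	for _, field := range strings.Split(mountOpts, ",") {
		key, val, _ := strings.Cut(field, "=")
		switch key {
		case "type":
			isSecret = val == "secret"
		case "id":
			id = val
		case "target", "dst":
			target = val
		}
	}
	if !isSecret {
		return "", fmt.Errorf("not a secret mount: %q", mountOpts)
	}
	if target == "" {
		if id == "" {
			return "", fmt.Errorf("secret mount needs id or target: %q", mountOpts)
		}
		return "/run/secrets/" + id, nil // default when no target is given
	}
	if !path.IsAbs(target) {
		if !path.IsAbs(workdir) {
			workdir = "/" + workdir // no WORKDIR configured: resolve from the root
		}
		target = path.Join(workdir, target) // the step the issue reports as missing
	}
	return path.Clean(target), nil
}

func main() {
	// Constructed sample: mount option from the reproducer, WORKDIR /somedir.
	p, err := resolveSecretTarget("type=secret,id=secret-foo,dst=secret1.txt", "/somedir")
	fmt.Println(p, err)
}
```

Passing an empty `workdir` reproduces the reported placement under `/`, which is also why the build works when `WORKDIR` is commented out.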