COPY --chmod=444 produces wrong directory permissions in v1.23.0 #3166

Open
arlaneenalra opened this issue May 16, 2024 · 2 comments
arlaneenalra commented May 16, 2024

Actual behavior
COPY --chmod=444 test/ /file/ does not behave as expected. It drops execute permission from directories making it impossible for a non-root user to access the copied directory. This is handled correctly with docker build.

% docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.23.0 --context /files --dockerfile /files/dockerfile --no-push
INFO[0000] Retrieving image manifest ubuntu
INFO[0000] Retrieving image ubuntu from registry index.docker.io
INFO[0006] Built cross stage deps: map[]
INFO[0006] Retrieving image manifest ubuntu
INFO[0006] Returning cached image manifest
INFO[0006] Executing 0 build triggers
INFO[0006] Building stage 'ubuntu' [idx: '0', base-idx: '-1']
INFO[0006] Unpacking rootfs as cmd COPY --chmod=444 test/ /file/ requires it.
INFO[0009] COPY --chmod=444 test/ /file/
INFO[0009] Taking snapshot of files...
INFO[0009] USER nobody
INFO[0009] Cmd: USER
INFO[0009] RUN ls -al /file
INFO[0009] Initializing snapshotter ...
INFO[0009] Taking snapshot of full filesystem...
INFO[0009] Cmd: /bin/sh
INFO[0009] Args: [-c ls -al /file]
INFO[0009] Util.Lookup returned: &{Uid:65534 Gid:65534 Username:nobody Name:nobody HomeDir:/nonexistent}
INFO[0009] Performing slow lookup of group ids for nobody
INFO[0009] Running: [/bin/sh -c ls -al /file]
ls: cannot access '/file/.': Permission denied
ls: cannot access '/file/..': Permission denied
ls: cannot access '/file/orc-image.py': Permission denied
ls: cannot access '/file/orc-prod.json': Permission denied
ls: cannot access '/file/orc-qa.json': Permission denied
ls: cannot access '/file/prod-deployments.yml': Permission denied
ls: cannot access '/file/qa-deployments.yml': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? orc-image.py
-????????? ? ? ? ?            ? orc-prod.json
-????????? ? ? ? ?            ? orc-qa.json
-????????? ? ? ? ?            ? prod-deployments.yml
-????????? ? ? ? ?            ? qa-deployments.yml
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1

Expected behavior
Permissions in the resultant image should match what docker build would produce:

% docker build -t test .
[+] Building 0.1s (8/8) FINISHED                                                                                                                                                                                                                                         docker:orbstack
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                                0.0s
 => => transferring dockerfile: 111B                                                                                                                                                                                                                                                0.0s
 => [internal] load metadata for docker.io/library/ubuntu:latest                                                                                                                                                                                                                    0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                                   0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                                     0.0s
 => [internal] load build context                                                                                                                                                                                                                                                   0.0s
 => => transferring context: 233B                                                                                                                                                                                                                                                   0.0s
 => [1/3] FROM docker.io/library/ubuntu:latest                                                                                                                                                                                                                                      0.0s
 => CACHED [2/3] COPY --chmod=444 test/ /file/                                                                                                                                                                                                                                      0.0s
 => [3/3] RUN ls -al /file                                                                                                                                                                                                                                                          0.1s
 => exporting to image                                                                                                                                                                                                                                                              0.0s
 => => exporting layers                                                                                                                                                                                                                                                             0.0s
 => => writing image sha256:1f2b02e83e2daa059665c7eb899f429ffb861689bc282c91e59165be68c335bf                                                                                                                                                                                        0.0s
 => => naming to docker.io/library/test                                                                                                                                                                                                                                             0.0s
% docker run --rm -it test ls -al /file
total 54752
drwxr-xr-x 1 root root      148 May 16 15:38 .
drwxr-xr-x 1 root root        0 May 16 15:50 ..
-r--r--r-- 1 root root     1174 May  3 21:05 orc-image.py
-r--r--r-- 1 root root 20460918 May  3 19:45 orc-prod.json
-r--r--r-- 1 root root 14150325 May  3 19:45 orc-qa.json
-r--r--r-- 1 root root 10460937 May  3 20:36 prod-deployments.yml
-r--r--r-- 1 root root 10983529 May  3 19:53 qa-deployments.yml

To Reproduce
Steps to reproduce the behavior:

Run a build:

  • failing build -> docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.23.0 --context /files --dockerfile /files/dockerfile --no-push
  • working build -> docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.22.0 --context /files --dockerfile /files/dockerfile --no-push
  • working with docker build -> docker build -t test .

Additional Information

  • Dockerfile
    Dockerfile:

    FROM ubuntu

    COPY --chmod=444 test/ /file/

    USER nobody

    RUN ls -al /file

  • Build Context

Using the provided dockerfile, you need a test/ directory that contains files to copy. The specifics of the files themselves do not appear to be relevant.

  • Kaniko Image (fully qualified with digest)
gcr.io/kaniko-project/executor@sha256:5921c3c4a992cad7e20d60e46aac8926baa2c8ed716d0f5ffc2c9e1e166e6286

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
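
A check for the condition reported above, as an added example that is not part of the original issue or of kaniko's code: it scans a layer tarball for directories whose search (execute) bit is missing for a given non-root user, defaulting to uid/gid 65534 (`nobody`, as in the log). The names `untraversable_dirs` and `sample_layer` and the in-memory layers are constructed for illustration; the 0444 directory mode is an assumption that models the reported behaviour.

```python
import io
import stat
import tarfile


def untraversable_dirs(layer_tar, uid=65534, gid=65534):
    """List (path, mode) for directories the given uid/gid cannot enter.

    Simplified POSIX check: picks the owner, group or other class and tests
    its execute (search) bit. Supplementary groups and ACLs are ignored.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar)) as tar:
        for member in tar.getmembers():
            if not member.isdir():
                continue
            if member.uid == uid:
                need = stat.S_IXUSR
            elif member.gid == gid:
                need = stat.S_IXGRP
            else:
                need = stat.S_IXOTH
            if not member.mode & need:
                mode = stat.filemode(stat.S_IFDIR | member.mode)
                found.append((member.name, mode))
    return found


def sample_layer(dir_mode):
    """Constructed layer: root-owned file/ directory holding one 0444 file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("file")
        d.type, d.mode = tarfile.DIRTYPE, dir_mode
        tar.addfile(d)
        f = tarfile.TarInfo("file/orc-image.py")
        data = b"# constructed sample\n"
        f.mode, f.size = 0o444, len(data)
        tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # 0o444 models the reported v1.23.0 result, 0o755 the docker build result.
    print(untraversable_dirs(sample_layer(0o444)))
    print(untraversable_dirs(sample_layer(0o755)))
```

`tarfile`'s default read mode also accepts gzip-compressed layers, so the same function can be pointed at the bytes of a layer taken from a real image archive.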
@arlaneenalra
Author

#2850 might be related to this ..

@arlaneenalra arlaneenalra changed the title COPY --chomd=444 produces wrong directory permissions in v1.23.0 COPY --chmod=444 produces wrong directory permissions in v1.23.0 May 16, 2024
@ssch1337

+1 Same problem
