Actual behavior
COPY --chmod=444 test/ /file/ does not behave as expected. It drops execute permission from directories making it impossible for a non-root user to access the copied directory. This is handled correctly with docker build.
% docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.23.0 --context /files --dockerfile /files/dockerfile --no-push
INFO[0000] Retrieving image manifest ubuntu
INFO[0000] Retrieving image ubuntu from registry index.docker.io
INFO[0006] Built cross stage deps: map[]
INFO[0006] Retrieving image manifest ubuntu
INFO[0006] Returning cached image manifest
INFO[0006] Executing 0 build triggers
INFO[0006] Building stage 'ubuntu' [idx: '0', base-idx: '-1']
INFO[0006] Unpacking rootfs as cmd COPY --chmod=444 test/ /file/ requires it.
INFO[0009] COPY --chmod=444 test/ /file/
INFO[0009] Taking snapshot of files...
INFO[0009] USER nobody
INFO[0009] Cmd: USER
INFO[0009] RUN ls -al /file
INFO[0009] Initializing snapshotter ...
INFO[0009] Taking snapshot of full filesystem...
INFO[0009] Cmd: /bin/sh
INFO[0009] Args: [-c ls -al /file]
INFO[0009] Util.Lookup returned: &{Uid:65534 Gid:65534 Username:nobody Name:nobody HomeDir:/nonexistent}
INFO[0009] Performing slow lookup of group ids for nobody
INFO[0009] Running: [/bin/sh -c ls -al /file]
ls: cannot access '/file/.': Permission denied
ls: cannot access '/file/..': Permission denied
ls: cannot access '/file/orc-image.py': Permission denied
ls: cannot access '/file/orc-prod.json': Permission denied
ls: cannot access '/file/orc-qa.json': Permission denied
ls: cannot access '/file/prod-deployments.yml': Permission denied
ls: cannot access '/file/qa-deployments.yml': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
-????????? ? ? ? ? ? orc-image.py
-????????? ? ? ? ? ? orc-prod.json
-????????? ? ? ? ? ? orc-qa.json
-????????? ? ? ? ? ? prod-deployments.yml
-????????? ? ? ? ? ? qa-deployments.yml
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1
Expected behavior
Permissions in the resultant image should match what docker build would produce:
% docker build -t test .
[+] Building 0.1s (8/8) FINISHED docker:orbstack
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 111B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 233B 0.0s
=> [1/3] FROM docker.io/library/ubuntu:latest 0.0s
=> CACHED [2/3] COPY --chmod=444 test/ /file/ 0.0s
=> [3/3] RUN ls -al /file 0.1s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:1f2b02e83e2daa059665c7eb899f429ffb861689bc282c91e59165be68c335bf 0.0s
=> => naming to docker.io/library/test 0.0s
% docker run --rm -it test ls -al /file
total 54752
drwxr-xr-x 1 root root 148 May 16 15:38 .
drwxr-xr-x 1 root root 0 May 16 15:50 ..
-r--r--r-- 1 root root 1174 May 3 21:05 orc-image.py
-r--r--r-- 1 root root 20460918 May 3 19:45 orc-prod.json
-r--r--r-- 1 root root 14150325 May 3 19:45 orc-qa.json
-r--r--r-- 1 root root 10460937 May 3 20:36 prod-deployments.yml
-r--r--r-- 1 root root 10983529 May 3 19:53 qa-deployments.yml
working build -> docker run --rm -v $(pwd):/files gcr.io/kaniko-project/executor:v1.22.0 --context /files --dockerfile /files/dockerfile --no-push
working with docker build -> docker build -t test .
Additional Information
Dockerfile:
FROM ubuntu
COPY --chmod=444 test/ /file/
USER nobody
RUN ls -al /file
Build Context
Using the provided dockerfile, you need a test/ directory that contains files to copy. The specifics of the files themselves do not appear to be relevant.
arlaneenalra changed the title from "COPY --chomd=444 produces wrong directory permissions in v1.23.0" to "COPY --chmod=444 produces wrong directory permissions in v1.23.0" on May 16, 2024
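Added example (not part of the original issue and not kaniko's code): a post-build check that walks an unpacked image tree and reports directories missing the search (x) bit for "other", which is the condition behind the "Permission denied" output above. It assumes root-owned files and a runtime user such as nobody that falls in the "other" class; Blocked, Demo and the 0444 directory mode in the constructed sample are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Blocked lists directories under root lacking the search (x) bit for
// "other", i.e. for a user like `nobody` when the files are root-owned.
// Everything below such a directory is unreachable, so the walk skips it.
func Blocked(root string) ([]string, error) {
	var out []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err // nil for regular files
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&0o001 == 0 {
			out = append(out, p)
			return fs.SkipDir
		}
		return nil
	})
	return out, err
}

// Demo builds two constructed trees, one 0444 file each, with directory modes
// 0444 (assumed broken result) and 0755 (as in the docker build listing), and
// returns the number of blocked directories found in each.
func Demo() (counts [2]int, err error) {
	base, err := os.MkdirTemp("", "copy-chmod")
	if err != nil {
		return counts, err
	}
	defer os.RemoveAll(base)
	for i, mode := range []fs.FileMode{0o444, 0o755} {
		dir := filepath.Join(base, fmt.Sprint("file", i))
		if err = os.Mkdir(dir, 0o755); err != nil {
			return counts, err
		}
		name := filepath.Join(dir, "qa-deployments.yml")
		if err = os.WriteFile(name, []byte("constructed sample\n"), 0o444); err != nil {
			return counts, err
		}
		if err = os.Chmod(dir, mode); err != nil {
			return counts, err
		}
		blocked, werr := Blocked(dir)
		os.Chmod(dir, 0o755) // restore so a non-root caller can clean up
		if werr != nil {
			return counts, werr
		}
		counts[i] = len(blocked)
	}
	return counts, nil
}

func main() { fmt.Println(Demo()) }
```

Pointing Blocked at the root of an exported image filesystem in CI catches this regression before a non-root container fails at runtime.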