Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Proposal: Handling of permission bits for image context created via Windows #11047
Converting Windows file attributes + ACLs to 9-bit UNIX permissions when
Root cause 1: No 'x' (execute) bit on Windows
Quoting from SAMBA book:
Root cause 2: Go Windows Problems
Golang's os.Stat implementation is very poor:
We are hoping to address problems in golang in the long term. (fingers crossed)
We modify the perm bits of the tar header created via
We are also going to change the expected permission string
We will end up with a docker image in which all files copied from
Behavior on Linux/Mac CLIs are unchanged.
I really appreciate your input on this. That's the only thing left prevents us from getting green on Windows client CI.
First of all, thanks for looking into this. In general I can see this as a reasonable compromise (but of course hope something better can be invented in future). I'll add a couple of ideas / concerns;
@thaJeztah that is also another option. I just wanted to make sure if it is okay to drop the x bit and leave
If we can just abandon the requirement of preserving the 'x' bit when deployed from windows, it's fine with me either. I guess developers working on windows machines deploying things to Linux servers already don't use much of +x bit.
You are also right about remote git builds. If the user cares about git repo, they can use that. We don't need to find out if we're on a git repo then check index for file metadata.
In my experience with Windows filesystems on Unix systems, they're usually "everything is +x". Why not take that approach here instead? Having +x where you didn't need it is usually harmless (and only dangerous if you're especially careless), and not having +x (and thus having to set it after the COPY via "chmod") runs into AUFS issues, so that seems like a cleaner compromise from the end-user perspective IMO.
@tianon I wasn't aware of the AUFS situation tbh. That's what I initially suggested but security problems are my biggest concern. We might assume people know what they're doing by adding a warning message and just make everything
We mostly assume user knows what they COPY/ADD to container, so the only +x'ed stuff are going to be those files. And if it happens so that somebody gains shell access to inside container, they can "chmod +x" or replace system binaries anyway. I'm mostly convinced to follow "everything +x" at this point.