New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permissions problem on Docker 1.8 when reading from stdin #15785
Comments
docker version: 1.8.1, build d12ea79
uname -a:
|
Yes there was a change in logic. The client is now extracting the tar to a tmp dir. Not sure why you don't have write perms on the temp dir... but in any case I'm not sure why we are extracting to disk here. |
|
What could be the cause of those permission problems? |
I'm hitting this as well, despite executing This sort of breaks the "tar and output to standard out and take that as a new context" way of achieving nested builds. I'm not sure what else to do right now to workaround this. |
It may be important that we run docker client as normal user added to |
This is 100% because you don't have write access to |
I have full access to local /tmp |
I also have full access to /tmp, and as described, already regranted permissions to user, group and others to the contents of the tar'd context. |
It's not that, it's that the user doesn't have permission to |
Seem to have same issue but on OSX with docker-machine
edit: |
Oh right, I see lchown in the error now. |
Any suggestions for workarounds besides downgrading docker? |
@colemickens the description on the issue gives a workaround by adding |
could it be this aufs specific permission bug (long read!): #783 (comment) |
I'm using |
USER POLL The best way to get notified when there are changes in this discussion is by clicking the Subscribe button in the top right. The people listed below have appreciated your meaningfull discussion with a random +1: |
Awesome ;] My usecase is the same as Riklaunim's. |
What's the latest version that doesn't have this issue? |
1.7.X |
Either there should be a documented backward incompatible change with a new solution or the backward compatibility retained. (sudo is not the perfect solution) |
This is bug, not documentation issue.
The solution would be to:
|
Ah, you're right.
@jlhawn so, IIUC, all it needs is the Dockerfile, and being able to send the patched Dockerfile to the builder. Would it be an option to only extract the Dockerfile, and send that separately from the build-context? |
The Dockerfile has to be in the context, which means included in the tar archive which is uploaded. I think the best solution may be to special-case the situation where build context is read from @tiborvass, as you are currently working on builder-related things, what is your opinion on this issue and how to best resolve it? |
I don't know what tool/lib you use to work on archives, but can't you just replace single file rather that extracting and repacking whole archive? For example standard GNU tar support such operations: https://www.gnu.org/software/tar/manual/html_section/tar_32.html |
So, I take it that this isn't being fixed for 1.9.0 then? |
@colemickens no, there wasn't time to look at this properly before the 1.9 code freeze. |
+1, still present in 1.9. I can't upgrade until that's fixed. |
FYI, this definitely kills Circle (they use 1.8+). 😠 I think Codeship is affected as well?
UPDATE: Circle has broken the ability to manually override Docker versions twice in the past two months. Their work-around can no longer be considered viable. |
A temporary workaround for Docker 1.8 / 1.9: |
Ping @docker/security-team! |
Having to do the kinds of gymnastics @lidel describes in his #15785 (comment) for a regression that has been identified since August does not seem reasonable, especially where the source of the problem appears to have been identified (see this #14546 (comment)). Will a fix still be included in the next release? This appears to be frustrating |
Given that there is not a formal proposal to completely fix this issue, I think we should remove the context switch by default until we have a better solution. I opened #19099 that fixes this issue for all builds with content trust disabled. Content Trust is not on by default yet, so we should be okay with having some issues there. If #19099 is merged, all builds will work as expected as long as you don't have Content Trust enabled. This issue still remains if you have Content Trust enabled. |
hehe, might want to reopen. Github tried to be smart.
|
Hah, yes, I saw that one coming :-) |
Hm, only might be confusing on the milestone, so perhaps we should remove the priority label now :/ |
I don't think #19099 changes this much because the problem doesn't seem to be the dockerfile rewriting but initial extraction from stdin or http to a temp directory. Extracting from URL isn't exactly safe as well so we should try to use the tar directly and modify the it on-the-fly(this is already done for dockerfile rewriting). The difficult thing about this seems to be handling |
Fixes moby#15785 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Fixes moby#15785 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
- Docker 1.10 fixed bug moby/moby#15785
This is especially thanks to moby/moby#15785 and thus moby/moby@c8cc4fb.
This is especially thanks to moby/moby#15785 and thus moby/moby@c8cc4fb.
This is especially thanks to moby/moby#15785 and thus moby/moby@c8cc4fb.
In my build scripts I have a line like so:
It does work on Docker < 1.8 but on 1.8 it now throws:
I can change it to use sudo:
and then it works, but I wonder if it's a bug or some change that affects permissions/users.
The text was updated successfully, but these errors were encountered: