WORKDIR doesn't respect USER when creating directories

[dmolesUC]

To reproduce, build an image from the following Dockerfile:

FROM centos:7
RUN mkdir -p /apps/foo
RUN useradd -d /apps/foo foo && \
    chown -R foo:foo /apps/foo
USER foo
WORKDIR /apps/foo/bar
RUN mkdir baz

Expected:

• directory /apps/foo/bar is owned by user foo
• directory /apps/foo/bar/baz is created

Actual:

• directory /apps/foo/bar is owned by root

  $ ls -dal /apps/foo/bar
  drwxr-xr-x 2 root root 4096 Feb 13 00:26 /apps/foo/bar
  

• the RUN mkdir baz step fails with

  mkdir: cannot create directory 'baz': Permission denied
  The command '/bin/sh -c mkdir baz' returned a non-zero code: 1
  

[dmolesUC]

Given that it's documented that USER only affects RUN, CMD and ENTRYPOINT, I suppose this is a feature request. But the current behavior seems arbitrary and un-obvious, documented or not.

[AkihiroSuda]

@dmolesUC3 Is this AUFS specific?
Very similar to #20240

[thaJeztah]

the current behavior seems arbitrary and un-obvious, documented or not.

There are a couple of oversights in the way USER interacts with other commands; the same, e.g., applies to COPY and ADD, which also don't respect USER. Unfortunately, we won't be able to change that behavior without causing backward incompatible issue (the Dockerfile format is not versioned), so I'm not sure we can address this

[dmolesUC]

the Dockerfile format is not versioned

Oops. Configuration flag, maybe? Transition to making it the default over, I don't know, the next three years?

[dmolesUC]

@AkihiroSuda I'm using AUFS (4.1.13-boot2docker on Virtual Box on MacOS) but I couldn't tell you if it's AUFS-specific.

[LK4D4]

It's still a pain point. Flags for instructions were introduced, but we still afraid of using them. Probably just better to be aware :/

[thaJeztah]

We discussed this, and while we see it's inconvenient, the best option is to create the workdir in advance, with the correct user. For that reason, we think we should close this.

[phil294]

@thaJeztah seeing the negative response to this decision, would you mind elaborating on why this was declined?

[thaJeztah]

It would be a breaking change #20295 (comment), also, workdir should (in hindsight) not have automatically created the directory

[TonyTromp]

+1 Add --chown to WORKDIR