Security warning appearing when building a Docker image from Windows against a non-Windows Docker host #20397

Closed
tomasmelin opened this Issue Feb 17, 2016 · 9 comments


tomasmelin commented Feb 17, 2016

I am experimenting with building my own Docker image with the purpose of later building Jenkins and SonarQube dockers.

When I attempt to create a simple Dockerfile to experiment and install emacs to easily be able to edit files in bash I get the following output:


Setting up colord (1.0.6-1) ...
Setting up gconf-service (3.2.6-0ubuntu2) ...
Setting up emacs24 (24.3+1-2ubuntu1) ...
update-alternatives: using /usr/bin/emacs24-x to provide /usr/bin/emacs (emacs) in auto mode
Install emacsen-common for emacs24
emacsen-common: Handling install of emacsen flavor emacs24
Wrote /etc/emacs24/site-start.d/00debian-vars.elc
Wrote /usr/share/emacs24/site-lisp/debian-startup.elc
Setting up emacs (45.0ubuntu1) ...
Setting up gconf-service-backend (3.2.6-0ubuntu2) ...
Processing triggers for libc-bin (2.19-0ubuntu6.6) ...
Processing triggers for sgml-base (1.26+nmu4ubuntu1) ...
Processing triggers for libgdk-pixbuf2.0-0:amd64 (2.30.7-0ubuntu1.2) ...
---> 91050783b5ea
Removing intermediate container 38a6c797bbdb
Step 4 : CMD /usr/games/fortune -a | cowsay
---> Running in 1dd25d8bcf95
---> a874940ac99e
Removing intermediate container 1dd25d8bcf95
Successfully built a874940ac99e
SECURITY WARNING: You are building a Docker image from Windows against a non-Windows Docker host. All files and directories added to build context will have '-rwxr-xr-x' permissions. It is recommended to double check and reset permissions for sensitive files and directories.

This is what my dockerfile contains:

FROM docker/whalesay:latest

RUN apt-get -y update && apt-get install -y fortunes
RUN apt-get update && apt-get install -y emacs

CMD /usr/games/fortune -a | cowsay

What does this Security warning mean exactly and how can I avoid it?

More info, when I use the docker info command I get the following data:

$ docker info
Containers: 4
Running: 1
Paused: 0
Stopped: 3
Images: 6
Server Version: 1.10.1
Storage Driver: aufs
Root Dir: /mnt/sda1/var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 55
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 4.1.17-boot2docker
Operating System: Boot2Docker 1.10.1 (TCL 6.4.1); master : b03e158 - Thu Feb 11 22:34:01 UTC 201
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.956 GiB
Name: default
ID: NKSE:6GZL:N7AE:47Q5:HBAF:CERC:MHWZ:HWEC:QSVI:FTK5:P2E2:HRM3
Debug mode (server): true
File Descriptors: 27
Goroutines: 44
System Time: 2016-02-17T13:57:00.11534859Z
EventsListeners: 1
Init SHA1:
Init Path: /usr/local/bin/docker
Docker Root Dir: /mnt/sda1/var/lib/docker
Labels:
provider=virtualbox

Contributor

cpuguy83 commented Feb 17, 2016

IIRC, this really has to do with COPY and ADD from files local to the Windows system.

Closing since this is not really an issue, but feel free to discuss here.

@cpuguy83 cpuguy83 closed this Feb 17, 2016

Member

thaJeztah commented Feb 18, 2016

That warning was added because the Windows filesystem does not have an option to mark a file as 'executable'. Building a Linux image from a Windows machine would therefore break the image if a file has to be marked executable.

For that reason, files are marked executable by default when building from a Windows client; the warning is there so that you are notified of that and, if needed, can modify the Dockerfile to change/remove the executable bit afterwards.
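Added example, not part of the thread or of Docker's own code: a Python sketch that audits a build-context tar in which every file arrives as `-rwxr-xr-x`, keeps the executable bit only where the content starts with a shebang or ELF header, and renders the `RUN chmod` lines to place after the `COPY`/`ADD` step. The file names, the `/app` destination, the sensitive-file heuristic and the helper names are assumptions made for illustration.

```python
import io
import tarfile

EXEC_MAGIC = (b"#!", b"\x7fELF")  # shebang script or ELF binary

def make_windows_style_context(files):
    """Constructed sample: a build-context tar in which every file is 0755,
    which is what the warning says happens when the client runs on Windows."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_context(tar_bytes):
    """Return {path: suggested_mode} for files whose exec bit looks unneeded."""
    fixes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.mode & 0o111:
                continue
            head = tar.extractfile(member).read(4)
            if head.startswith(EXEC_MAGIC):
                continue  # genuinely executable content, keep 0755
            # Heuristic (assumption): key material gets owner-only access.
            sensitive = member.name.endswith((".pem", ".key")) or "id_rsa" in member.name
            fixes[member.name] = 0o600 if sensitive else 0o644
    return fixes

def dockerfile_lines(fixes, dest="/app"):
    """Render RUN chmod instructions to place after the COPY/ADD step."""
    return [f"RUN chmod {mode:04o} {dest}/{path}" for path, mode in sorted(fixes.items())]

# Constructed sample context: one real script, one config file, one private key.
SAMPLE = make_windows_style_context({
    "entrypoint.sh": b"#!/bin/sh\nexec \"$@\"\n",
    "config/app.yml": b"debug: false\n",
    "certs/server.key": b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n",
})

if __name__ == "__main__":
    print("\n".join(dockerfile_lines(audit_context(SAMPLE))))
```

A `0600` mode assumes the file's owner in the image is the user the container runs as; adjust ownership or mode if the process runs as a different user.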

tomasmelin commented Feb 18, 2016

Thank you @thaJeztah for your explanatory response.

MartinJohns commented Sep 6, 2016

Is there a way to prevent this warning? Some kind of switch?

Member

thaJeztah commented Sep 13, 2016

> Is there a way to prevent this warning? Some kind of switch?

No, there's currently no switch to turn off that warning.

RobSeder commented May 24, 2017

There definitely NEEDS to be a switch. This helpful, and un-addressable message breaks the build when using automated build systems. If they see anything written to stderr or get a non-zero return code, that breaks the build.

If you give an error message either: A) give me a way to correct it or B) give me a way to suppress it. This needs to be fixed, this is a showstopper for those using Jenkins, TeamCity, Octopus, etc for builds.

Please re-open and address this.

Member

thaJeztah commented May 24, 2017

@RobSeder this message is now printed on stdout instead of stderr, starting with docker 17.04; see #29209, #29857, and #29856

RobSeder commented Jun 2, 2017

@thaJeztah Agreed - this is resolved in 17.04. thanks!

Member

thaJeztah commented Jun 2, 2017

Thanks for checking @RobSeder 👍
