Proposal: Add --chmod flag to ADD/COPY commands (analogous to --chown) #34819
Comments
I got tons of Dockerfiles

I'm personally ok with this; especially for the Windows case, I agree this makes a good addition. I'll bring this up in a maintainers meeting to get other opinions, but if a contributor wants to work on this, I think this would get accepted.

w.r.t. Windows we can adopt Cygwin-like model:
-OR- there can be Windows-specific syntax, e.g., we can specify security descriptor with SDDL

This would indeed be a nice feature. A use case other than for Windows is when one wants to build an image that can be run as arbitrary non-root user via the

@thaJeztah

I'm facing an issue with permissions; I'm Tried to build the image with a multi-stage Dockerfile, it

@ulm0 Not 100%, but that sounds familiar, and I think it could have been that the binary is not statically compiled. And since you're running Here is a worked example from my own repo for doing it with golang: https://github.com/0xdevalias/docker-gobuster/blob/master/Dockerfile#L6

@0xdevalias the binary is built using musl, Copying the binary from a local folder works, but using
FROM alpine:edge
RUN wget --quiet https://binaries.cockroachdb.com/cockroach-v1.1.6.linux-musl-amd64.tgz -O /tmp/cockroach.tgz && \
tar xvzf /tmp/cockroach.tgz --strip 1
FROM scratch
ENV COCKROACH_CHANNEL=official-docker
COPY ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=0 /cockroach /cockroach/cockroach
# This causes the binary within the tgz file to end up with 400 permissions in the /cockroach/ folder
# It throws a permission denied error when attempting to run
# ADD https://binaries.cockroachdb.com/cockroach-v1.1.6.linux-musl-amd64.tgz /cockroach/cockroach
WORKDIR /cockroach/
EXPOSE 26257 8080
ENTRYPOINT ["/cockroach/cockroach"]

Any update on this topic?

This is being postponed pending moby/buildkit#396. Basically there's a major rewrite of the build engine going on. So the current engine is on feature freeze.

The usefulness of alpha syntax usually comes from the capital This is because a recursive COPY with A recursive COPY with Personally, I think both syntaxes are cumbersome. I'd rather have a For example, This would probably be easier to adapt to Windows permissions, because it's a simpler specification.

@thaJeztah Was this missing from the release notes for version

I wrote an issue to support non-octal notation: moby/buildkit#1951

Already implemented in 20.10 (moby/buildkit#1492), but requires

Is this documented with more clarity somewhere? When and where do I put that? @Kreyren having your IDE recognize the syntax is an entirely separate issue, and the error output in your screenshot does not indicate an issue with

Ye, I have no idea how to implement that in vscodium atm, but I noticed the different issue after I sent the comment; the issue was resolved but I was still unable to use

The next release of the Docker extension will include this fix. See microsoft/vscode-docker#2624.

@tobia Can you specify the full command for this. Right now I am using 'COPY --chmod=u=rwX,go=rX ./my_dir . ' but this is not working. Do I need to add a specific flag for copying recursively?

Where is the documentation of this feature? I have looked into the Dockerfile reference and it's not there. I also can't find some place that documents the new features added by Buildkit. https://docs.docker.com/develop/develop-images/build_enhancements/ has no mention of chmod.

@tonistiigi @AkihiroSuda @duglin @thaJeztah this is not documented anywhere in https://docs.docker.com/engine/reference/builder/ which is not great. Is there a chance you have some technical writer to update the docs?

I'm not their official technical writer but I've made a PR since their docs are all opensourced:

I supposed that docker version 20.10.0 will be the first to support ADD/COPY with --chown --chmod. The release note did NOT mention that.

@slankka It's a Dockerfile "front-end" (parser) change, so it even works on 19.03 with BuildKit enabled, as long as your Dockerfile starts with the (recommended)
Using the following Dockerfile;
# syntax=docker/dockerfile:1
FROM alpine
COPY --chown=123:456 file.txt .
RUN ls -ln file.txt
On Docker 19.03;
Client: Docker Engine - Community
Version: 19.03.15
API version: 1.40
Go version: go1.13.15
Git commit: 99e3ed8
Built: Sat Jan 30 03:14:33 2021
OS/Arch: linux/arm64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.15
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 99e3ed8
Built: Sat Jan 30 03:20:21 2021
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: v1.3.9
GitCommit: ea765aba0d05254012b0b9e595e995c09186427f
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
DOCKER_BUILDKIT=1 docker build --progress=plain .
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 132B done
#2 DONE 0.0s
#3 resolve image config for docker.io/docker/dockerfile:1
#3 DONE 0.8s
#4 docker-image://docker.io/docker/dockerfile:1@sha256:ac85f380a63b13dfcefa...
#4 CACHED
#5 [internal] load build definition from Dockerfile
#5 transferring dockerfile: 132B done
#5 DONE 0.0s
#6 [internal] load metadata for docker.io/library/alpine:latest
#6 DONE 0.4s
#7 [internal] load .dockerignore
#7 DONE 0.0s
#8 [1/3] FROM docker.io/library/alpine:latest@sha256:c5b1261d6d3e4307162693...
#8 DONE 0.0s
#9 [internal] load build context
#9 transferring context: 29B done
#9 DONE 0.0s
#10 [2/3] COPY --chown=123:456 file.txt .
#10 CACHED
#11 [3/3] RUN ls -ln file.txt
#11 0.111 -rw-r--r-- 1 123 456 6 Mar 8 08:22 file.txt
#11 DONE 0.1s
#12 exporting to image
#12 exporting layers done
#12 writing image sha256:efe4caba1ac46355a3dae5120e0b0d0297544a2384801bb7a25205ae0e67517b done
#12 DONE 0.0s
If you'd be running the build on a version of docker / BuildKit that doesn't support it, it will still use the latest version of the Dockerfile front-end (which may contain bug fixes), but when using a feature that cannot be supported, it will show an error indicating that the version of BuildKit that's used is too old. For example on docker 18.09;
DOCKER_BUILDKIT=1 docker build --progress=plain .
#2 [internal] load build definition from Dockerfile
#2 digest: sha256:030a9e782cf78b3da87d5bc590cef50396ed87f1881b903d30f8ecaa22a1dc23
#2 name: "[internal] load build definition from Dockerfile"
#2 started: 2024-03-08 08:31:35.944838385 +0000 UTC
#2 completed: 2024-03-08 08:31:35.955701968 +0000 UTC
#2 duration: 10.863583ms
#2 transferring dockerfile: 132B done
....
....
rpc error: code = Unknown desc = needs BuildKit 0.5 or later: requested prerelease feature file.base is not supported by build server, please update
However, note that Docker 20.10 reached EOL, so I would not recommend running it.

The capital X is the reason I would like symbolic permissions to be supported. Also the

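The difference between a single octal mode and the capital-X notation discussed in this thread, shown with plain `chmod -R` on a constructed directory tree. This is an added example, not code from the issue or from Docker; it assumes a Linux `stat -c` (GNU coreutils or BusyBox) and makes no claim about which notations `COPY --chmod` accepts.

```shell
#!/bin/sh
# Added example: the tree below is constructed for illustration only.
set -eu

# Build a small tree: one script that is already executable,
# one plain data file, both with restrictive starting modes.
make_tree() {
    mkdir -p "$1/bin" "$1/conf"
    printf '#!/bin/sh\necho hi\n' > "$1/bin/run.sh"
    printf 'key=value\n' > "$1/conf/app.conf"
    chmod 700 "$1" "$1/bin" "$1/conf" "$1/bin/run.sh"
    chmod 600 "$1/conf/app.conf"
}

# Apply `chmod -R SPEC` to a fresh copy of the tree and print
# one "path mode" line per entry, sorted by path.
modes_after() (
    root=$(mktemp -d)
    make_tree "$root/ctx"
    chmod -R "$1" "$root/ctx"
    cd "$root"
    find ctx -exec stat -c '%n %a' {} + | LC_ALL=C sort
    cd /
    rm -rf "$root"
)

# One octal mode for everything: directories stay searchable,
# but the data file app.conf becomes executable as well.
echo "chmod -R 755:"
modes_after 755

# Capital X adds execute/search only to directories and to files
# that already carry an execute bit, so app.conf ends up 644
# while run.sh and the directories end up 755.
echo "chmod -R u=rwX,go=rX:"
modes_after u=rwX,go=rX
```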
@Clovel it's better to open a ticket / feature request in the BuildKit repository, as that's where the Dockerfile syntax and features are maintained; https://github.com/moby/buildkit

I already have, over at moby/buildkit#1951. I was just commenting in case someone would stumble across this thread!

Description
I've bumped into #34263 being merged and it hit me that --chmod would be nice in conjunction with this feature.
I frequently build Linux images from a Windows machine and I'm kind of annoyed with the 755 mode the added/copied files end up with.
ADD/COPY with --chown and --chmod together will be a readable and maintainable notation delivering precise control over permissions.
I'm aware of moby/buildkit#4242, but I don't think this issue is a duplicate (that one seems to be stale).