setfacl not persisted during Docker build

[melkamar]

Description
I am building an image based on ubuntu and as a part of the build process I am setting up access rules via setfacl. However, when I run a container based on the resulting image, everything reported by getfacl is just the default - as if I never ran setfacl before.

The command itself works, because setfacl && getfacl on the same file does actually show the ACL changes.

This pseudo-Dockerfile illustrates this case:

FROM image-based-on-ubuntu
RUN mkdir -p /var/foo/hello && getfacl /var/foo && setfacl -R -m u:www-data:rwX -m g:deploy:rwX /var/foo && getfacl /var/foo
RUN getfacl /var/foo

The build output corresponding to that Dockerfile is:

Step 2/3 : RUN mkdir -p /var/foo/hello && getfacl /var/foo && setfacl -R -m u:www-data:rwX -m g:deploy:rwX /var/foo && getfacl /var/foo
 ---> Running in 58dbe9957ecf
getfacl: Removing leading '/' from absolute path names
# file: var/foo
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

getfacl: Removing leading '/' from absolute path names
# file: var/foo
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
group:deploy:rwx
mask::rwx
other::r-x

Removing intermediate container 58dbe9957ecf
 ---> 1b04ca017d62
Step 3/3 : RUN getfacl /var/foo
 ---> Running in 3258d20a6dba
getfacl: Removing leading '/' from absolute path names
# file: var/foo
# owner: root
# group: root
user::rwx
group::rwx
other::r-x

As you can see, as long as the getfacl command is executed inside the same RUN statement as setfacl, it works as expected.

Describe the results you received:
setfacl is not persisted outside of a RUN Dockerfile statement

Describe the results you expected:
setfacl should be persisted. If not possible, this should be explicitly stated in a documentation or the command should fail altogether.

Additional information you deem important (e.g. issue happens only occasionally):
I found two StackOverflow questions (here and here), but there is no authoritative answer there, just speculation.

I could not find anything else relating to this anywhere else.

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:22:34 2019
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea
  Built:            Wed Nov 13 07:29:19 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 46
  Running: 5
  Paused: 0
  Stopped: 41
 Images: 1021
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.76-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 3.846GiB
 Name: docker-desktop
 ID: HN2B:C6IB:DAEM:JS7F:S2VA:2IWV:DB7Y:FGXK:QKJN:E6AM:IYVN:SGXZ
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 75
  Goroutines: 90
  System Time: 2020-02-21T13:43:39.1623499Z
  EventsListeners: 3
 HTTP Proxy: gateway.docker.internal:3128
 HTTPS Proxy: gateway.docker.internal:3129
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

Additional environment details (AWS, VirtualBox, physical, etc.):
MacOS Mojave

[pya]

I can reproduce your problem. I do have a (kind of dirty) workaround. Because setfacl works once the container runs, just do it at run time. While Docker is designed for one command, you can package multiple command into a helper script.

For example, create wrapper.sh:

setfacl -R -m u:www-data:rwX -m g:deploy:rwX /var/foo
mycommand

and run it during build in your Dockerfile:

 COPY wrapper.sh /mydir/wrapper.sh
 CMD ["/mydir/wrapper.sh"]

Does this work fo you?

[melkamar]

Yes, this workaround is applicable to my situation, thank you!

I wonder if there is a good place to add this information to, or if this issue is enough for potential future people running into the same problem.

[pya]

Unfortunately I have no idea. Ask and answer a Stackoverflow question?

[pya]

Actually, there some information about in the Docker documentation:
https://docs.docker.com/config/containers/multi-service_container/