[v23 regression] COPY --link breaks file caps (Apparently fixed in the master branch) #45128

Closed
AkihiroSuda opened this issue Mar 9, 2023 · 1 comment · Fixed by #45112
Labels
area/builder/buildkit Issues affecting buildkit kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. kind/regression status/0-triage version/23.0

Comments

@AkihiroSuda
Member

Description

COPY --link --from=0 / /usr/bin/ breaks the file capability of /usr/bin/newuidmap.

A regression in v23.

Apparently fixed in the master branch.
(Just tested ad9d70b)

Reproduce

# syntax = docker/dockerfile:1.5.2

# This Dockerfile mimics the Dockerfile for moby/buildkit:v0.11.4-rootless
# https://github.com/moby/buildkit/blob/v0.11.4/Dockerfile#L263-L281

FROM scratch
ADD Dockerfile /dummy

FROM alpine:3.17
RUN apk add shadow-uidmap libcap-utils
COPY --link --from=0 / /usr/bin/
CMD ["getcap", "/usr/bin/newuidmap"]

# Test: `export DOCKER_BUILDKIT=1; docker build -t foo . && docker run --rm foo`
# Good result: "/usr/bin/newuidmap cap_setuid=ep" (v20.10.23, master@ad9d70b0e6833b746eecccc08a17459ba8bb31c4)
# Bad result:  "" (v23.0.1)

Expected behavior

v23 should show /usr/bin/newuidmap cap_setuid=ep

docker version

Client: Docker Engine - Community
 Version:           23.0.1
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        a5ee5b1
 Built:             Thu Feb  9 19:47:01 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.1
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       bc3805a
  Built:            Thu Feb  9 19:47:01 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.16.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 23.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2456e983eb9e37e47538f59ea18f2043c9a73640
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-60-generic
 Operating System: Ubuntu 22.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 3.826GiB
 Name: lima-docker-rootful
 ID: 2e80009b-39d0-4ee8-b863-6b451b41ee1e
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response
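
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of the Moby/BuildKit code. File capabilities are stored in the `security.capability` extended attribute, so the check decodes that attribute and compares a known-good root filesystem against a newly built one; the function names and the sample value are constructed for illustration.

```python
import errno
import os
import struct

# Capability names by bit number, from include/uapi/linux/capability.h.
CAPS = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
        "setpcap linux_immutable net_bind_service net_broadcast net_admin "
        "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
        "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
        "sys_tty_config mknod lease audit_write audit_control setfcap "
        "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
        "perfmon bpf checkpoint_restore").split()
EFFECTIVE = 0x000001             # VFS_CAP_FLAGS_EFFECTIVE
SIZES = {1: 12, 2: 20, 3: 24}    # xattr length per vfs_cap_data revision

def decode_cap(raw):
    """Decode a security.capability value; None means the file has no caps."""
    if raw is None:
        return None
    # The revision is the top byte of the little-endian magic_etc word.
    if len(raw) not in SIZES.values() or SIZES.get(raw[3]) != len(raw):
        raise ValueError("malformed security.capability value")
    magic = struct.unpack_from("<I", raw)[0]
    words = 1 if len(raw) == 12 else 2    # 32-bit words per capability set
    f = struct.unpack_from("<%dI" % (2 * words), raw, 4)  # p0, i0[, p1, i1]
    def names(offset):
        mask = sum(f[2 * i + offset] << (32 * i) for i in range(words))
        return ["cap_" + n for bit, n in enumerate(CAPS) if mask >> bit & 1]
    # The revision-3 rootid field is not decoded or compared here.
    return {"permitted": names(0), "inheritable": names(1),
            "effective": bool(magic & EFFECTIVE)}

def read_cap(path):
    """Raw xattr of a file in an extracted root filesystem (Linux only)."""
    try:
        return os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENODATA:    # attribute absent: no file caps
            return None
        raise

def cap_regressions(baseline, built):
    """Paths whose file caps in `built` differ from `baseline`.
    Both arguments map a path to its raw xattr value (or None)."""
    return sorted(p for p, raw in baseline.items()
                  if decode_cap(built.get(p)) != decode_cap(raw))

# Constructed sample: revision-2 value for cap_setuid=ep (bit 7, effective).
NEWUIDMAP_CAP = struct.pack("<5I", 0x02000000 | EFFECTIVE, 1 << 7, 0, 0, 0)
```

Populate both maps with `read_cap` over the paths that must keep capabilities; a non-empty result from `cap_regressions` means a build step dropped or changed them.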

@AkihiroSuda AkihiroSuda added status/0-triage kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. area/builder/buildkit Issues affecting buildkit version/23.0 kind/regression labels Mar 9, 2023
@AkihiroSuda
Member Author

The master branch seems fixed in 324290a which pulls in moby/buildkit@97b37f9 which is a cherry-pick of moby/buildkit@0a36f1a (moby/buildkit#3671) into BuildKit v0.11.4
