New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
when created, workdir is owned by user, not root #43541
base: master
Are you sure you want to change the base?
Conversation
@@ -528,3 +528,45 @@ func TestCreatePlatformSpecificImageNoPlatform(t *testing.T) { | |||
) | |||
assert.NilError(t, err) | |||
} | |||
|
|||
func TestCreateWorkingDirForUser(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this is failing on Windows (maybe it doesn't expect the UID/GID when creating; wondering if this was an existing bug that happened to be working with root
(uid/gid 0:0
therefore ignored? 🤔); just an initial hunch
=== RUN TestCreateWorkingDirForUser
create_test.go:555: assertion failed: error is not nil: Error response from daemon: container bab4875be8b71f227669cd1de1c40034f6bb127d96b860e9468b1a8e0126371e encountered an error during hcs::System::CreateProcess: failure in a Windows system call: The user name or password is incorrect. (0x52e)
--- FAIL: TestCreateWorkingDirForUser (1.60s)
if err != nil { | ||
return err | ||
} | ||
owner := idtools.Identity{UID: int(user.UID), GID: int(user.GID)} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the SetupWorkingDirectory
is ran within the "host's" context; in that case, I'm wondering if this needs to remap the UID/GID to match the container's user in case user-namespaces are enabled.
daemon.idMapping.RootPair()
calls GetRootUIDGID()
, which calls toHost()
to perform the mapping from "container user" to "host user";
Lines 60 to 65 in 0a3336f
func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) { | |
uid, err := toHost(0, uidMap) | |
if err != nil { | |
return -1, -1, err | |
} | |
gid, err := toHost(0, gidMap) |
There is an IdentityMapping.ToHost()
method (but it expects UIDMaps
to be propagated, so we need to make sure that's the case);
Line 133 in 0a3336f
func (i IdentityMapping) ToHost(pair Identity) (Identity, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tested with daemon configured with userns-remap, and indeed need to convert Identity to host IDs
Chatted about this change in the maintainers meeting and everyone was OK with making this change (there was no concern about changing the permissions); we didn't do a code-review (and I mentioned it was currently failing) |
fe9b874
to
f58a8f2
Compare
integration/container/create_test.go
Outdated
@@ -528,3 +528,46 @@ func TestCreatePlatformSpecificImageNoPlatform(t *testing.T) { | |||
) | |||
assert.NilError(t, err) | |||
} | |||
|
|||
func TestCreateWorkingDirForUser(t *testing.T) { | |||
skip.If(t, testEnv.OSType == "windows", "create°windows does not use SetupWorkingDirectory") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LOL.. what's that symbol between create
and windows
(create°windows
)? 😂 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
something weird happened with my IDE...
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
These failures look related; wondering what's causing them (could it be a bug somewhere, where
|
oh, actually; I think those tests only define a user, but the user doesn't exist in the container; I guess previously that didn't cause an issue if no |
(sorry for my rambling) It could have revealed another issue; I see the Dockerfile defines a |
AFAICT the issue is that |
So that part is expected; when specifying a user, it's expected for that user to exist. The thing I'm a bit confused about (and the bit that is a bit unclear, and should be looked into - also to compare what BuildKit does)
FROM busybox
USER 123:456
# this *defines* the WORKDIR (at this point, USER is 123:456
# but... it doesn't _create_ the workdir (?) so only metadata
WORKDIR /foo
USER 456:789
# here the WORKDIR is needed, so will be created with owner 456:789 ?
RUN echo hello For the failing test; the Dockerfile looks like; FROM busybox
ARG WDIR
WORKDIR ${WDIR}
ARG AFILE
ADD ${AFILE} testDir/
ARG CFILE
COPY $CFILE testDir/
ARG foo
ENV foo=${foo}
ARG EPORT
EXPOSE $EPORT
ARG USER
USER $USER What I don't understand is why that passed before; If
The above would mean that there may be different outcomes, depending on the order |
First of all, the "fun" bit in this PR is of course, that the PR was intended to change I chatted about the failures with @tonistiigi in the maintainers meeting, and it was a fun trip down "memory" lane.
However, before this PR, the user that was used to create the This is indeed a tricky one (besides that we are wasting time re-looking up, and re-creating the
|
Any news on this? I'm also facing with this issue |
closes docker/cli#3464
- What I did
If not present on image filesystem, and created on purpose, working directory is owned by container's USER, not root
- How I did it
get user from container.Config and use this
Identity
to setup working directory- How to verify it
docker run -w /foo alpine touch /foo/bar
- Description for the changelog
working directory, if created, is owned by container's USER
- A picture of a cute animal (not mandatory but encouraged)