ADD command does not seem to honor --chown parameter #3144

Closed
moby/buildkit
#5987
@a-tunc

Description

I am working on a docker file to create a flutter development environment and learn docker containers. In the process, I stumbled across an incident where docker does not seem to do what it is supposed to, according to manuals.

I am trying to add android-studio.tar tarball into the image and I expect the owner of the target directory to be the one I used in the ADD command's --chown parameter. However it still looks like root.

Reproduce

  1. Here is my rather simple docker file:
FROM eclipse-temurin:17-noble
SHELL ["/bin/bash", "-c"]

#create a non-root user and use it
RUN useradd --base-dir /home --create-home --shell /bin/bash flutter_dev


# suppress "debconf: unable to initialize frontend: Dialog" error messages
ENV DEBIAN_FRONTEND=noninteractive


USER flutter_dev
# ADD --chown=1001:1001 --chmod=766 android-studio-2024.2.2.15-linux.tar.gz /tmp
ADD --chown=flutter_dev:flutter_dev --chmod=766 android-studio-2024.2.2.15-linux.tar.gz /tmp

PS: I tried both UID:GID and username:groupname formats. The outcome is still the same.

  2. Build the image with:
docker build --no-cache --progress=plain  --tag 'test' . &> build.log
  3. Spin up the container:
docker run -it test bash
  4. Perform a bash command:
ls -lah /tmp
  5. Result:

[Image]

Expected behavior

I expect android-studio folder to be owned by flutter_dev:flutter_dev as defined in Docker manual:

All files and directories copied from the build context are created with a UID and GID of 0 unless the optional --chown flag specifies a given username, groupname, or UID/GID combination to request specific ownership of the copied content. The format of the --chown flag allows for either username and groupname strings or direct integer UID and GID in any combination. Providing a username without groupname or a UID without GID will use the same numeric UID as the GID. If a username or groupname is provided, the container's root filesystem /etc/passwd and /etc/group files will be used to perform the translation from name to integer UID or GID respectively

docker version

Client:
 Version:           28.0.0
 API version:       1.48
 Go version:        go1.24.0
 Git commit:        f9ced58158
 Built:             Mon Feb 24 21:55:48 2025
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          28.0.0
  API version:      1.48 (minimum version 1.24)
  Go version:       go1.24.0
  Git commit:       af898abe44
  Built:            Mon Feb 24 21:55:48 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.0.3
  GitCommit:        06b99ca80cdbfbc6cc8bd567021738c9af2b36ce.m
 runc:
  Version:          1.2.5
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    28.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.21.1
    Path:     /usr/lib/docker/cli-plugins/docker-buildx

Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 1
 Server Version: 28.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 06b99ca80cdbfbc6cc8bd567021738c9af2b36ce.m
 runc version: 
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.6.80-1-MANJARO
 Operating System: Manjaro Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.35GiB
 Name: XXX-XXX
 ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

Host environment:

CPU: quad core 11th Gen Intel Core i5-1135G7 (-MT MCP-)
speed/min/max: 400/400/4200 MHz Kernel: 6.6.80-1-MANJARO x86_64 Up: 1h 35m
Mem: 3.03/15.35 GiB (19.7%) Storage: 476.94 GiB (36.0% used) Procs: 263
Shell: Zsh inxi: 3.3.37

LSB Version: n/a
Distributor ID: ManjaroLinux
Description: Manjaro Linux
Release: 25.0.0
Codename: Zetar

Currently running:6.6.80-1-MANJARO (linux66)
The following kernels are installed in your system:

  • linux66


Labels: kind/bug (Something isn't working)
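
An ownership check that could run in CI, added here as an example; it is not part of the original issue or of the Docker/BuildKit code. It resolves a `--chown` value the way the manual text quoted in the issue describes, then lists entries in a layer tarball whose numeric owner differs. The helper names, the account file contents, and the layer contents (including paths without a leading slash) are constructed assumptions.

```python
import io
import tarfile

def parse_ids(text):
    """Map name -> numeric id from /etc/passwd or /etc/group content (third field)."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def resolve_chown(spec, passwd_text, group_text):
    """Resolve a --chown value to (uid, gid) per the manual text quoted in the issue."""
    user, _, group = spec.partition(":")
    uid = int(user) if user.isdigit() else parse_ids(passwd_text)[user]
    if not group:
        return uid, uid  # no group part: the numeric UID is reused as the GID
    gid = int(group) if group.isdigit() else parse_ids(group_text)[group]
    return uid, gid

def wrong_owner(layer_tar, prefix, uid, gid):
    """Return (name, uid, gid) for each entry under prefix not owned by uid:gid."""
    with tarfile.open(fileobj=layer_tar) as tar:
        return [(m.name, m.uid, m.gid) for m in tar
                if m.name.startswith(prefix) and (m.uid, m.gid) != (uid, gid)]

# Constructed sample data: account files as they might look after the useradd step.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "ubuntu:x:1000:1000::/home/ubuntu:/bin/bash\n"
          "flutter_dev:x:1001:1001::/home/flutter_dev:/bin/bash\n")
GROUP = "root:x:0:\nubuntu:x:1000:\nflutter_dev:x:1001:\n"

def sample_layer():
    """Constructed layer tarball: the extracted tree is root-owned, one file is not."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, owner, kind in (("tmp/android-studio", 0, tarfile.DIRTYPE),
                                  ("tmp/android-studio/bin/studio.sh", 0, tarfile.REGTYPE),
                                  ("tmp/notes.txt", 1001, tarfile.REGTYPE)):
            info = tarfile.TarInfo(name)
            info.uid = info.gid = owner
            info.type = kind
            tar.addfile(info)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    uid, gid = resolve_chown("flutter_dev:flutter_dev", PASSWD, GROUP)
    for name, u, g in wrong_owner(sample_layer(), "tmp/", uid, gid):
        print(f"{name}: owned by {u}:{g}, expected {uid}:{gid}")
```
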
