-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: proposal to raise awareness about an unexpected behavior of COPY --link #4964
Comments
Hi @tonistiigi , I apologize for the interruption, but I wanted to bring to your attention that this proposal seems to have stalled due to the lack of an assignee. Would you be able to refer someone who could provide direction on which solution we should proceed with? Thank you for your time and assistance. |
UPDATE: I've covered this concern with a few other related issues over at: docker/docs#20660 I won't have time to contribute proper docs improvements myself, but if you do tackle that please update the linked issue with your related PR for traceability :)
This You can avoid this problem by using the NOTE: I'm not 100% sure if # syntax=docker.io/docker/dockerfile:1
# `src` has parent dirs with permissions and ownership: `777 100:100`
FROM alpine AS src
WORKDIR /foo/bar/baz
RUN <<HEREDOC
touch a b c
chown -R 100:100 /foo
chmod -R 777 /foo
HEREDOC
# `dest` has parent dirs with permissions and ownership: `770 200:200`
FROM alpine AS dest
RUN <<HEREDOC
mkdir -p /foo/bar/baz
chown -R 200:200 /foo
chmod -R 770 /foo
HEREDOC
# Workaround to prevent modifying ownership and permissions of an existing COPY target path segments:
# NOTE: `--chmod` can use any invalid value to prevent the caveat of `--link` + `docker-container` builder driver.
FROM dest AS link-workaround-fix
COPY --link --chmod=null --from=src /foo/bar/baz /foo/bar/baz
# `eza` is a fancier `ls` command. Used here for better visualizing changes:
RUN apk --no-cache add eza
CMD eza -lanhog --tree --no-time --no-filesize --no-permissions /foo docker buildx build --load --tag bug-copy-link .
docker run --rm -it bug-copy-link You'll get this output from the Whereas without the Related concernsNOTE:
That last one if important to you may be problematic due to sibling content also getting copied over, you could use # syntax=docker/dockerfile:1.7-labs
# ...
# Preserve `baz/` ownership/permissions from src via --parents `./` syntax:
COPY --link --chmod=null --from=src --parents /foo/bar/./baz /foo/bar
# Preserve `bar/baz/` ownership/permissions from src via --exclude filter on src `/foo` dir
# NOTE: There is no negative match pattern like `!` for a substring supported, thus you must explicitly ignore all unwanted dirs
COPY --link --chmod=null --from=src --exclude=/foo/dont-copy-me /foo /foo |
Situation:
Amended the
COPY
instruction with--link
to make better usage of the build cache, and unexpectedly introduced a file permission problem.I copied the directory
/home/nonroot/
of a builder stage to the rootless final stage. And found out that the newly deployed image could not work properly because the ownership of/home/nonroot/
becameroot:root
How to reproduce:
Discussion:
Please note that the ownership of
/home/nonroot/
is#8 0.065 drwx------ 1 nonroot nonroot 8 May 29 15:01 ./
while the ownership of
/emptydir/home/nonroot/
in the final stage is#11 0.065 drwxr-xr-x 1 root root 8 May 29 15:01 ./
Since the
COPY --link
basically works likeI guess it makes sense for the unexpected ownership change of
/home/nonroot/
I am not proposing to change the quirk of
COPY --link
, instead I think it is important for people to notice such a discrepancy of behavior among the instructionsCOPY
© --link
.Solution:
COPY --link
, with the limitation of only numeric UID/GID could work (COPY --link
not compatible withchown
#2987 ). This idea may not be preferred if the UID/GID of the previous stage is prone to changes.I am willing to contribute to the docs should this proposal be accepted.
Before that, I would like to know if changes to the code or other actions are preferred.
The text was updated successfully, but these errors were encountered: