
COPY changes permissions and ownership on directories and files

Open jgkirschbaum opened this issue 3 years ago • 1 comments

Actual behavior

Given the following Dockerfile

FROM alpine:latest
COPY files /tmp/
CMD  ["ash"]

with the files directory only containing

./files:
total 4
drwxr-xr-x 2 app adm 22 Apr  6 14:12 .
drwxr-xr-x 3 app adm 37 Apr  6 14:12 ..
-rw-r--r-- 1 app adm  3 Apr  6 14:12 file.txt

results, after building the image with kaniko, in wrong permissions and ownership on /tmp

./tmp:
drwxr-xr-x    1 1001    1001           22 Apr  6 12:08 .
drwxr-sr-x    1 root    root            6 Apr  6 12:18 ..
-rw-r--r--    1 1001    1001            3 Apr  6 12:08 file.txt

Originally the permissions and ownership on /tmp were

./tmp:
drwxrwxrwt    1 root    root           22 Apr  6 12:08 .
drwxr-sr-x    1 root    root            6 Apr  6 12:18 ..

This makes the image unusable in some circumstances due to the wrong permissions on /tmp, especially when running the image as a userid other than 1001. Building the image with docker has the expected results with a mode of 1777 and permissions of 0:0 on /tmp.

This is running on a local k8s installation with kaniko-project/executor:v1.8.1 and kaniko-project/executor:v1.9.0. The resulting image is run via a local docker installation.

Expected behavior

The resulting image built with kaniko should have the following permissions and ownership on /tmp

./tmp:
drwxrwxrwt    1 root    root           22 Apr  6 12:08 .
drwxr-sr-x    1 root    root            6 Apr  6 12:18 ..
-rw-r--r--    1 root    root            3 Apr  6 12:08 file.txt

To Reproduce

Steps to reproduce the behavior.

  1. Local environment
ls -la
total 240
-rw-r--r-- 1 user group    85 Sep  2 10:50 Dockerfile
drwxr-xr-x 2 user group    26 Apr  6 14:07 files
-rw-r--r-- 1 user group 11553 Sep  2 10:50 kaniko.sh

./files:
total 56
-rw-r--r-- 1 user group 3 May 20 08:16 file.txt
  2. Dockerfile
FROM alpine:latest
COPY files /tmp/
CMD  ["ash"]
  3. kaniko.sh
# Stream the build context (Dockerfile and files/) to kaniko on stdin
tar -czf - Dockerfile files |
kubectl run kaniko \
  --rm \
  --stdin=true \
  --image=gcr.io/kaniko-project/executor:1.9.0 \
  --restart=Never \
  --overrides='{
  "apiVersion": "v1",
  "spec": {
    "imagePullSecrets": [
      {
        "name": "kanikopull"
      }
    ],
    "containers": [
      {
        "name": "kaniko",
        "image": "gcr.io/kaniko-project/executor:1.9.0",
        "stdin": true,
        "stdinOnce": true,
        "args": [
          "--dockerfile=Dockerfile",
          "--context=tar://stdin",
          "--destination=myregistry.intranet/myrepo/myimage:0.0.1"
        ],
        "volumeMounts": [
          {
            "name": "cabundle",
            "mountPath": "/kaniko/ssl/certs/"
          },
          {
            "name": "docker-config",
            "mountPath": "/kaniko/.docker/"
          }
        ]
      }
    ],
    "volumes": [
      {
        "name": "cabundle",
        "configMap": {
          "name": "kaniko-cabundle"
        }
      },
      {
        "name": "docker-config",
        "configMap": {
          "name": "kaniko-docker-config"
        }
      }
    ]
  }
}'
  4. Execute kaniko.sh [...]

  5. Review image

docker run -it myregistry.intranet/myrepo/myimage:0.0.1 ash
/ # cd tmp
/tmp # ls -la
total 4
drwxr-xr-x    1 1001    1001         22 Sep  8 13:40 .
drwxr-xr-x    1 root    root         18 Sep  8 13:40 ..
-rw-r--r--    1 1001    1001          3 Sep  8 13:40 file.txt

jgkirschbaum Sep 08 '22 13:09
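
A check for the condition reported above, as an added example that is not part of the original issue or of kaniko's code: it reads one image layer tarball and flags a /tmp entry that is not mode 1777 owned by 0:0, plus any non-root entries below it. The two in-memory layers are constructed to mirror the listings in the report, and `make_layer` and `audit_tmp` are hypothetical names.

```python
import io
import posixpath
import stat
import tarfile

EXPECTED_TMP_MODE = 0o1777  # drwxrwxrwt, the mode the report expects on /tmp

# Constructed sample layers (name, is_dir, mode, uid, gid) mirroring the listings above.
KANIKO_LAYER = [("tmp/", True, 0o755, 1001, 1001), ("tmp/file.txt", False, 0o644, 1001, 1001)]
DOCKER_LAYER = [("tmp/", True, 0o1777, 0, 0), ("tmp/file.txt", False, 0o644, 0, 0)]


def make_layer(entries):
    """Build an in-memory layer tarball from the constructed entries (hypothetical helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, is_dir, mode, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            info.mode, info.uid, info.gid = mode, uid, gid
            tar.addfile(info)  # size 0, so no file object is needed
    buf.seek(0)
    return buf


def audit_tmp(layer):
    """Return findings for /tmp and the entries below it in one layer tarball."""
    findings = []
    with tarfile.open(fileobj=layer, mode="r:*") as tar:
        for member in tar:
            # Layer paths appear as "tmp", "./tmp" or "/tmp"; normalise them.
            path = posixpath.normpath("/" + member.name.lstrip("/"))
            mode = stat.S_IMODE(member.mode)
            owner = (member.uid, member.gid)
            if path == "/tmp" and member.isdir():
                if mode != EXPECTED_TMP_MODE:
                    findings.append(f"/tmp mode {mode:04o}, expected {EXPECTED_TMP_MODE:04o}")
                if owner != (0, 0):
                    findings.append(f"/tmp owner {owner[0]}:{owner[1]}, expected 0:0")
            elif path.startswith("/tmp/") and owner != (0, 0):
                findings.append(f"{path} owner {owner[0]}:{owner[1]}, expected 0:0")
    return findings


if __name__ == "__main__":
    for label, entries in (("kaniko", KANIKO_LAYER), ("docker", DOCKER_LAYER)):
        print(label, audit_tmp(make_layer(entries)) or "ok")
```

For a real image, run it over each layer from `docker save` output in order; the last layer that carries a /tmp entry determines the final metadata.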

We should add a unit test with your example.

gabyx Sep 15 '22 21:09