build/Dockerfile: Don't create files as root when building with docker
Turns out that podman is not 1:1 compatible with docker, but in this
case it's a good thing, because docker's behaviour is just plain
dangerous - even if a container is running as a non-privileged user by
default (like, the UBI image runs as the user "default"), they'd still
make the files copied with the COPY directive owned by root. Because
honoring the permissions would be a breaking change, docker instead
introduced a --chown parameter to COPY:
    moby/moby#13020
    https://stackoverflow.com/questions/44766665/how-do-i-docker-copy-as-non-root
which podman luckily supports as well.

Without this patch, creating the "_output" directory during the build
would have failed with a Permission denied.
jhrozek committed Aug 17, 2020
1 parent 95d5246 commit b487c17
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion build/Dockerfile
Expand Up @@ -5,7 +5,7 @@ WORKDIR /go/src/github.com/openshift/compliance-operator

ENV GOFLAGS=-mod=vendor

COPY . .
COPY --chown=default:root . .
RUN make manager

# Step two: containerize compliance-operator
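
Review bot: The new `COPY --chown=default:root . .` line hardcodes the user name `default`, and the only explanation of why that name is correct (the UBI image runs as "default") lives in the commit message, not in the Dockerfile. Consider a one-line comment above the COPY stating that the owner must match the builder image's non-root user so that `RUN make manager` can create `_output`; that way a later change of base image or user does not quietly reintroduce the Permission denied failure this commit fixes.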