New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Make USER change the uid and gid of COPY'd files #7537
Comments
+1; this would make it significantly easier to use USER effectively |
+1 For making it more consistent and align better with user expectations. Sad that |
I am OK with this. In general I would like everyone's opinion on how to deal with a situation like this, where we have to choose between 1) full reverse compatibility, and 2) a significant improvement to the user experience. In this case we got "lucky" and can make an acceptable compromise thanks to the timing of the introduction of |
cough by adding versioning to the Dockerfile format? cough 😺 |
@thaJeztah are you volunteering to prepare a proposal? |
@shykes see the link (#4907) but I wrote it quite a while ago and may need to update it a bit as I'm sure it contains some non-sense as well :) Additionally, as it contains some strategic/policy stuff (enforce / don't enforce versioning?) Will require input from the Docker core members as well. I won't be able to assist in implementing it though. Coding in Docker would be really out of my league at this moment (I do track the issues and try to 'follow' changes, purely out of interest). Having said that, I'm always open to help thinking :) |
The proposal has been modified to deal with some edge cases (non-existent users) so that it is more consistent with the way |
I'm still +1 - anything less would be inconsistent with how USER works in practice. 😄 |
+1. I proposed an extension to ADD at #6119, and this solution is almost as good. However, I recommend that COPY follow RUN, and accept either a simple string or an array of arguments: file, user, group, and permissions mask. |
@pikeas Your proposal (at least, how I understand it) is not similar to the the But personally, I don't really like that particular idea because it now means that there is even more inconsistencies in the interface (you can choose what user you can But feel free to open a proposal and ask on the IRC, I might be incorrect in my assertions. |
Just adding my +1 as well. Came upon this thread while searching for a way to change the owner (and in my case permissions) on a large collection of legacy files. My problem with changing the permission / mode in a separate run command is that I double the size of the image since it appeared one layer contained the initial files, then the next layer contained copies of all the files with the permissions changed. Something like this would allow me to work around since the files are added with rw permission on the group of the user. |
+1 |
👍 |
👍 |
@crosbymichael has closed the implementation PR, because apparently some functionality is "in the works" that would allow for (among other things) this functionality. |
@cyphar is there a issue id we can refer to/track progress? |
@sarath I am not sure, it was discussed on #docker-maintainers quite recently. If worse comes to worse and you need this functionality, you can use my patches (#9046) to patch your own version of Docker. N.B This is universally considered as a bad idea, because it will require you to update my patches with upstream changes. EDIT: I missed @thaJeztah's proposal (#9934). |
@cyphar Oops sorry for that, I should probably have put pinged you there. @unclejack as well because he was assigned to carry it. 😄 |
Ensuring all files under /usr/share/elasticsearch have GID=0 **and** the same group permissions as those of the user is tricky. `-R` options of `chmod`/`chgrp` increase the image size with a large layer and introduce slowness in the build process. `tar` doesn't give us any option to force `gid` while extracting and of course we'd still need to match the group permissions. One solution is to prepare the needed files using multi-stage builds[1] in a separate stage. Unfortunately `COPY` will always use 0:0[2] overriding `USER`, so even if prepare the files at another stage, we'll still need to mangle ownership+perms or COPY and then extract an archive, which again increases image size. docker-ce 17.09 introduced the `--chown`[3] parameter, which solves this problem. Move code to extract elasticsearch, adjust ownership + group permissions, install x-pack and plugins to a stage `prep_es_files`. This allows have a very clean stage to build the final elasticsearch image, with a clean history and reasonable size. IMPORTANT: With this commit, the minimum docker-ce version on the building machine needs to be `17.09`. [1] https://docs.docker.com/engine/userguide/eng-image/multistage-build/ [2] moby/moby#7537 (comment) [3] moby/moby#34263
The current
USER
directive changes the user which everyRUN
directive executes under. However, file copying instructions such asADD
andCOPY
are always copied with the owner beingroot:root
. This was originally added in 026aebd, in order to fix #2684 and #3950. However, this results in an inconsistency in theDockerfile
interface, sinceUSER
can modify some directives, but not all of them.I propose that the
COPY
directive should change the owner of any copied file to be the uid of the current user (as set by theUSER
directive and found by parsing/etc/shadow
in the container -- or failing that, just setting it to nobody [65534
]) and the gid should be the primary gid of the current user (as found by parsing the/etc/shadow
file in the container -- or failing that, just setting it tonobody
[65534
]).NOTE: After discussing this proposal on the IRC, it was decided that
ADD
should not be modified along the lines of this proposal (since it must be supported and backward compatible until it is deprecated and removed). To this end, I am only proposing thatCOPY
should be modified, due to it's relative newness and since there is nowhere near as many backward compatibility concerns as withADD
.EDIT: I propose a modification to the above proposal, such that:
b.Config.User
is set to an empty string, then the same method as used inlibcontainer
is applied --syscall.Getuid()
andsyscall.Getgid()
are used instead.b.Config.User
does not exist in/etc/passwd
, then the builder emits an error.Does anyone have any objections with the above modification to the proposal?
To assist in the tracking of patchsets and pull requests which are required to implement this proposal:
libcontainer/user
. docker-archive/libcontainer#158:libcontainer
patchset to expose internal functions for parsing and filtering/etc/{passwd,group}
files (allowing arbitraryio.Readers
and thus container/etc/{passwd,group}
files to be parsed).libcontainer
and update to use newuser
interface. #9023:docker
patch to use the abovelibcontainer
patch./ping @shykes and others.
The text was updated successfully, but these errors were encountered: