New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Implement --user flag for COPY and ADD #13600
Conversation
|
||
> **Note**: | ||
> The specified user or uid must *exist* inside the container before running | ||
> the `COPY` command. Docker does not automatically create the user. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, a uid
(numeric) doesn't have to exist.
(not sure what happens when an unknown username
is used)
Thanks @kostickm! I'm interested to hear from @jhowardmsft and @ahmetalpbalkan what their thoughts are on this for future implementation on Windows |
I would prefer separate -user= and -group=. Of course, none of this will be supported by Windows initially :) |
@jhowardmsft thanks for looking, I understand it won't be in (yet) but trying to avoid having to change in a later stage if it gets implemented |
For the builder-side changes, you can take inspiration from my original patchset to this end: #9046. |
@thaJeztah @jhowardmsft @cyphar Thank you all for your feedback, suggestions, and tips so far! I think the --group= flag would be good to include as well. I'll update the current commit to include that change in the documentation, and see how it looks. |
Signed-off-by: Megan Kostick <mkostick@us.ibm.com>
8ff7d63
to
08d91a4
Compare
Updated to include the |
Design LGTM. Do you mind if we close this PR while you work on the implementation? However, please note that we will soon be starting an effort to pull out the builder client-side, and that we will prioritize it over this PR (which may in turn have to be rebased and submitted against another repo). Does it work for you? Thanks! |
Apologies upfront for going off-topic here. I'm a bit -1 on closing proposals that are basically "accepted"; they're easily forgotten, harder to find, and might give the wrong impression (is this still coming?). Can we come up with some clear status labels for these (e.g. "on hold"), possibly adding that to the title as well, and a message in the top description explaining why? |
I'm sure I'm going against the grain here, but since Dockerfiles directive are sequentials, I think the default should be to use the current user instead of roots. My view and again, I might be wrong, is that it should honor the last USER instruction by default. Providing a --root would then copy everything with UID=0. Of course, this bring backward incompatibility to anything that was copied and assumed to be UID 0. However, the flag is obvious and setting it doesn't have any other side-effect than retrieving the previous behavior. I also think that in the long run, it would be more beneficial to specify root compared to always settting the user (Imagine a complex Dockerfile with more than 1 user...) |
I like @thaJeztah 's idea of having some sort of "on hold" flag or title change. If it is best to wait for the build client-side code to be pulled out first before proceeding, I'd like to keep this open, but in a "on hold" state just so folks know it's still in the works. @icecrime what do you think? |
I might be a bit late to the party, but I missed the discussion in #7537 and #9934 and would like to voice my concerns. Every new release of Docker we end up with more and more instructions/commands or even worse flags (especially This topic, the way the The main argument I've seen against properly fixing these issues is backwards compatibility. A somewhat strange term to use for software of which every person who seriously uses it knows damn well that it's all very new and that it will (and should!) change in the future. We're barely 2 years past the initial public release and we're already limiting ourself to our past mistakes and working around those in all kinds of silly ways. I'd like to ask all of you to please reconsider this. There is an experimental build now which can be used to identify all breaking changes when used in a users current setup and there are ways to feedback to users that certain functionality will change in the future. Anyway, that's just my 2c, not trying to be an ass, just want Docker to be the best it can be. |
Thanks for raising your concerns, @simonvanderveldt the fact you're writing this up shows your not an ass 🐴. Making backwards incompatible changes to the Dockerfile behavior is a big concern though, because this could (for example) break automated builds on Docker Hub, and there is no versioning in the Dockerfile format (#4907) to prevent this. Although I disagree that adding per-instruction flags are bad (they can offer more fine grained control), I agree that in this particular case, it's a trade-off You might want to watch #14298, which describes moving the builder out of the daemon and making it client side, which would allow for much more flexibility. There's now also a roadmap (https://github.com/docker/docker/blob/master/ROADMAP.md), which may still be incomplete, but hopefully makes future plans a bit more clear. |
@thaJeztah no, not all maintainers agree :) |
@LK4D4 apologies, I'll edit 👍 |
And some non-maintainers don't agree too. :) |
@jfrazelle is there any plan anyway to address user switch and permissions? So far, without changing the syntax, and the following:
I know about two scenarios if the CMD writes into
Do you think of any other alternatives? Or near future possibilities? The |
yes as the linnk says when the builder is seperated out the maintainers of On Wed, Jul 8, 2015 at 3:16 AM, Thomas Parisot notifications@github.com
|
Cool, great news @jfrazelle :-) |
Any updates on this? |
This is such a pain. Actively trying to avoid using chown in its own RUN statement as it will double the virtual size of the image depending on the files contained within. |
New command |
This is still painful. |
We discussed this in the maintainers meeting, and we're ok with reopening this PR, to start the discussion again |
ping @kostickm are you still available to work on this? |
Not currently. @duglin is working on finding someone to take it over. |
Thanks @kostickm! |
@thaJeztah I think we might be able to find someone to work on it, but what's the position of the maintainers during the call today w.r.t. what the UX should look like? You know how I feel :-) |
I brought this topic up again and asked if we wanted to change the default (i.e. I'd keep the
|
Yea I didn't want to include As for COPY/ADD inheriting USER if it was right before it, that's just scary to me - and more magic than we should consider. |
I can pick this up. |
Do you think it's worthwhile to make sure this new |
@tianon yea, I think we should be consistent with |
There was some discussion recently (i.e. why use a |
Closing this PR as it's now being worked on in #27303 |
Proposal: Implement --user and --group flag for COPY and ADD
This is a docs-first proposal for the implementation portion of the proposal approved in #9934.
Background
Numerous Issues have stressed the problem of allowing
USER
to be set, but then files added viaCOPY
orADD
by default are set to a UID and GID of 0, often causing unexpected problems. A framework was implemented via PR #10775 to allow user options/flags to be added to Dockerfile commands. This proposal aims to add two flags for theCOPY
andADD
commands to allow the user to specify the ownership of the files/directories copied/added using those commands. Additional discussion and approval was handled via proposal #9934.Primary goals
--user=<uid_or_username>
and--group=<gid_or_groupname>
flags forCOPY
andADD
, leveraging theframework implemented in PR Add support for Dockerfile CMD options #10775.
files copied/added using the
COPY
andADD
commands.default behavior if not specified)
Proposed change
Add configuration flags to
COPY
andADD
:All files and directories copied to the container will be owned by the
specified <uid_or_username> and/or <gid_or_groupname>. Use of the
--user
and--group
flags will only affect the currentCOPY
orADD
command.The configuration is optional. If the
--user
and/or--group
flag are notprovided, files and directories are added in the default manner with UID and
GID of 0. (A check will be performed for the flag, if not present the
original/default manner is followed).
docker/libcontainer
has existing code for providing the permission bits for agiven user/group. This existing function will be leveraged to determine the
correct permission bits to set on the newly copied file within the container.
Implementation
--user=<uid_or_username>
and--group=<gid_or_groupname>
)in builder/dispatchers.go to be used for both
COPY
andADD
commands(
func dispatchCopy
andfunc add
)--user=<uid_or_username>
and/or
--group=<gid_or_groupname>
in bothCOPY
andADD
commandsrunContextCommand(...)
, ornil
if not presentfunc runContextCommand
to take theadditional variables
func addContext
to take and check for theuser and group variable
nil
continue in default manner (set Uid and Gid to 0)func GetExecUserPath
from libcontainer/user/user.go to returnthe
ExecUser
ExecUser
is returned, pass the Uid and Gid tocopyAsDirectory(...)
,fixFilePermissions(...)
, etc., else if continuing in the default manner,pass 0 for Uid and Gid.
Known objections
Process
comment on the description, create inline comments, this makes it easier to
discuss things.
--user
and--group
flag implementation since thisgeneral idea has been discussed and approved via PR Proposal: Specify user/ownership for COPY. #9934.
Signed-off-by: Megan Kostick mkostick@us.ibm.com