New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Specify user/ownership for COPY. #9934
Conversation
This is a docs-first proposal based on a discussion on #docker-maintainers ([transcript](https://botbot.me/freenode/docker-maintainers/2015-01-02/?msg=28645971&page=1) up to [here](https://botbot.me/freenode/docker-maintainers/2015-01-02/?msg=28657537&page=4)). And as discussed here; moby#9046 (comment) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
/cc @tiborvass @shykes |
-1. This UX seems ... weird given the current UX of using single instructions to set metadata for other instructions ( |
@cyphar thanks. To clarify, I'm personally -1 on the syntax, especially if Something has to be done though, to fix the current situation, so suggesting alternatives that cover the mentioned goals is welcome. |
The only way that I can see it done is to depreciate the other instructions which will be replaced by this functionality. I still don't like the syntax all that much, but at least you won't have two conflicting UXes. |
I would really prefer if we didn't introduce something that overlaps with the traditional setting of env vars, this will just lead to confusion for people. Its not clear to me why we don't just add support for options to our commands. For example: COPY --user=foo src dest The only issue I can see with this is that there might be an ambiguity between an option and the first parameter, but I think that can only happen on ADD and COPY so the risk is pretty small. And if that really is the only concern then I'm sure we can think of a way to address it - but first we need to decide on the overall direction. |
@duglin But they are sort-of like |
@cyphar but they're not env vars, that's the point. I agree they might look like them but in the end they're not because they don't show up as env vars to the command (e.g. the cmd that RUN executes will not see them) and if they're not then we shouldn't confuse people by using the env var setting syntax. I'm not sure I understand your 2nd point. Supporting options like normal commands do (via -x/--foo) is totally future proof. I would turn your question around... what if we wanted to support the setting of "real" env vars on the RUN command, just for that one time? I would assert that Edit: granted we could support: |
@duglin Sorry, I misread your example. I am okay with |
FYI, some alternatives were also suggested in the #docker-maintainers discussion see here. Perhaps I should add them to the description of this PR as well; A: new instruction every time ( (slightly re-worded for better formatting) |
Thanks for following through on this. /cc @shykes On Thu, 2015-01-08 at 08:14 -0800, Sebastiaan van Stijn wrote:
|
@thaJeztah, I'd like to suggest another alternative:
This could later be extended to work on
(The latter would help discourage frequent USER commands needed to flip back and forth between RUN's and promote the USER command as it was intended: a final instruction to specify the user that the container should run as.) |
+1 @david-mccullars. That provides a better combination of readability and consistency with the builder API than any of the previous suggestions. |
@ryneeverett @david-mccullars What if someone wants to use the word "AS" as part of the command line? |
For consistency with existing Docker syntax (CMD, ENTRYPOINT, possibly others), I propose extending COPY to accept an array argument similar to RUN:
|
I share @cyphar concern here; there's already a lot of code to handle ambiguous COPY instructions. If possible, we should try to avoid new problems. Also (although it isn't the primary goal here), I wonder how that notation would extend for other configuration-settings (perhaps |
@cyphar Good point. Syntax additions after However, the critique isn't relevant to |
@ryneeverett unfortunately, it does apply; |
@thaJeztah Ah, this is my first time seeing that in the docs. Option (B) |
Yes. Looking back at the IRC logs, it also was rejected for that reason: IRC log |
I still don't understand why we're looking for non-standard ways to pass options. What's wrong with: |
And, using -x allows us to easy support more options in the future. We've heard of people wanting to control whether archives are expanded vs just copied, as an example. Processing options based on order or special keywords will make that really messy. Let's not reinvent things. |
sgtm. Thanks everyone for taking part in this discussion and adding suggestions. You can subscribe to #10775 to check progress on the implementation. |
Do we really want to close this? #10775 just adds the infrastructure to allow CMD --options, it doesn't actually implement any - like a --user for COPY. |
@thaJeztah was this issue just to drive the options stuff or did someone actually want to set the owner during a COPY? |
@duglin hm you're right; closing this is probably a bit premature. This issue was created because #9046 was closed without an alternative and the "replacement" (options for instructions), wasn't really finalized. Yes, setting This should probably explain where we stand right now;
I'm okay with closing this PR if we create a new "tracker" issue with the checkboxes above, wdyt? |
Discussions seem closed here. Why about using a simple CHOWN/CHMOD instruction which will allow the builder to handle permissions on many architectures without side effect? |
@gfyrag because each instruction in a Dockerfile is executed in a new container, and thus a new layer in the layered filesystem. Adding
|
I was thinking about a more low-level approach. If i make an image for a different architecture than my laptop (arm for example), i can't do "RUN chmod xxx", i have a format error. But if the builder set permissions, i have no pb, the builder know the format of the files and can set proper permissions. In fact, i think about this for any architecture, i write CHOWN/CHMOD but it can be SETOWNER/SETRIGHTS, working both on each linux architecture, or even on windows image (don't know how it will works). |
See #6119 (comment) - a proposal is in the works. |
CHOWN/CHMOD (or whatever) will still leave the bloat issue. (pity, I like the idea, mainly because that's the only reason I want --user/--perm options on my COPY/ADD) |
As far as I can tell, simply adding Most importantly for me, it enables a pattern where the last
The derived images should be agnostic to the username. This is not as flexible as some |
Dockerfile options (e.g. |
+1 Need to respect USER ownership in COPY and avoid the use of chown which bloats the entire image. |
This is super confusing.
|
See: #13600 |
@wbednarski yes, actually you have to do it like this
|
This feature has now been implemented through an optional The feature is included in Docker 17.09 and up, and allows you to do; ADD --chown=someuser:somegroup /foo /bar
COPY --chown=someuser:somegroup /foo /bar Or other combinations of user/group name (or ID);
There are two additional feature requests in this area;
Given that the original problem was addressed, I'm locking the discussion on this issue to prevent it from collecting other (possibly unrelated) comments. If you arrive on this issue because this feature is not working as expected, or you think other enhancements can be made; please open a new issue instead so that it can be tracked separately (feel free to add a link to this issue if you think it's relevant). |
Proposal: Specify user/ownership for COPY
This is a docs-first proposal based on a discussion on #docker-maintainers (transcript up to here).
Background
The Dockerfile
COPY
instruction currently doesn't respect the user that is set usingUSER
instruction; files and directories copied to the container are always added with UID and GID 0. Workarounds, for example, doingRUN chown ...
don't work in all situations (for example when usingaufs
).A previous PR, #9046, solved this problem by making
COPY
respect the user set viaUSER
. Unfortunately, this would be a backwards incompatible change and was closed because of this.The issue leading to that PR can be found here #7537.
Primary goals
COPY
instruction.Proposed change
Add a "configuration" option to the
COPY
instruction;All files and directories copied to the container will be owned by the specified
<uid_or_username>
. After completing theCOPY
, the user that was active before the instruction will be used for subsequent instructions.The configuration is optional. If no configuration is provided, files and directories are added with UID and GID of 0.
Future plans
Although not explicitly mentioned in the discussion, "configuration" parameters can also be applied to other instructions in the future, for example, to set the user for a
RUN
instruction. Other "configuration" settings can be added as well.This proposal is primarily for specifying the "user" for the
COPY
instruction. Still, future plans could be taken into consideration when commenting.Known objections
A number of concerns were raised in response to the discussion on #docker-maintainers. I list them here, so that they don't have to be repeated in this discussion.
USER
instruction is still available and may confuse users (when to useUSER
, when to useuser=<uid_or_username>
?).Dockerfile
harder to read; instructions no longer at the start of each line.Process
To keep the discussion focused;