Closed MagdaPaj closed 3 years ago
@MagdaPaj thanks for reporting this issue, we added it to our backlog and will update the thread when more details are available.
Hi @MagdaPaj
Are we supposed to see any errors? I tried to build using iotedgedev build but couldn't seem to repro.
Here is my docker file for AMD64.
```dockerfile
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build-env
WORKDIR /app
COPY *.csproj ./
RUN dotnet restore
COPY . ./
RUN dotnet publish -c Release -o out

FROM mcr.microsoft.com/dotnet/core/runtime:3.1-buster-slim
WORKDIR /app
COPY --from=build-env /app/out ./
RUN useradd -ms /bin/bash moduleuser
USER moduleuser
```
Thank you @konichi3 for checking this.
No, there are no errors. My point is that there is a difference in permissions when you build an image using `docker build` vs when you build it using `iotedgedev` tool. And I would like to understand why.
So steps you need to do:
`\app`. So you should have it like this:

```dockerfile
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build-env
WORKDIR /app
COPY *.csproj ./
RUN dotnet restore
COPY . ./
RUN dotnet publish -c Release -o out

FROM mcr.microsoft.com/dotnet/core/runtime:3.1-buster-slim
RUN useradd -ms /bin/bash moduleuser
USER moduleuser
WORKDIR /app
COPY --from=build-env /app/out ./
```
2. Build your image using `docker build` command.
3. Start the container and enter it. You should see that `moduleuser` has write permissions in the `\app` folder.
![inside-container-build-by-docker-build](https://user-images.githubusercontent.com/25376553/122746332-31ef0580-d28a-11eb-9fa8-fa54321ce0f2.png)
4. Now using the same docker file build your image using `iotedgedev` tool
5. Start the container and enter it. I'm getting this result:
![inside-container-build-by-iotedgedev](https://user-images.githubusercontent.com/25376553/122746009-e0467b00-d289-11eb-9659-864f50380407.png)
Only root has write permissions in the `\app` folder and `moduleuser` does not have write permissions.
So my concern is about this difference in write permissions for the `\app` folder. Is this expected? And if so, why?
Hello @MagdaPaj. Thank you for contacting us with your question.
We depend on docker SDK internally to interact with the docker engine. Specifically, we call docker_client.api.build method.
Closing since there has been no activities on this issue for the last 8 days.
Hi @mhshami01 We've double-checked the behavior on our end and set up a repository to reproduce and illustrate the issue: Repro
Since `USER moduleuser` is executed before `WORKDIR /app`, we would expect that the ownership of the `/app` folder in the container is set accordingly (i.e. `moduleuser`). But as can be reproduced with the linked repo, the ownership is still set to `root` when building the image with `iotedgedev`.
As a consequence, the sample module cannot write to its local folder.
This has led to situations where developers pushed code changes that worked fine locally (Visual Studio Code + iotedgehubdev) but failed during smoke tests run in Azure DevOps Pipelines.
Sidenote: iotedgehubdev seems to be setting the ownership correctly.
Running `native-build-works.ps1` yields:
Running `iotedgedev-build-doesnt-work.ps1` yields:
@marianan @konichi3 @mhshami01
Have you had the chance to look at my repo with all the steps to reproduce the issue?
I have a module dockerfile, where I build my dotnet console app and I specify a user `moduleuser`. Similar to this:

When I build the image with `docker build` command the `moduleuser` has write permissions in the `app` folder. See here

But when I build it using `iotedgedev` tool, it doesn't have write permissions in the `app` folder. `moduleuser` is not listed, and it doesn't have any write permissions

I'm running iotedgedev tool in the container from Windows (as explained here) and with the following build command: `sudo iotedgedev build --file deployment.template.json --platform amd64`.

However, I noticed the same behavior in Azure Pipelines where IoT Edge Dev Tool is installed with pip, on the hosted agent with ubuntu latest.

As a workaround, I set explicitly permissions for the `moduleuser` to access the /app folder with `chown -R moduleuser /app`. And it works correctly. But I would like to know if those missing permissions for the user are expected, and why the behavior is not the same as with `docker build` command.
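
The `chown` workaround from the issue above, written into the Dockerfile so that ownership of `/app` does not depend on how the build tool handles `WORKDIR` after `USER`. This is an added example, not part of the original thread or of the iotedgedev project; the final write check is an assumption about what the module needs, and no `ENTRYPOINT` is shown because the Dockerfiles in the thread do not show one.

```dockerfile
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build-env
WORKDIR /app
COPY *.csproj ./
RUN dotnet restore
COPY . ./
RUN dotnet publish -c Release -o out

FROM mcr.microsoft.com/dotnet/core/runtime:3.1-buster-slim

# Still root here: create the unprivileged user, create /app explicitly,
# and hand the directory to that user instead of relying on WORKDIR to
# create it with the expected owner.
RUN useradd -ms /bin/bash moduleuser \
 && mkdir -p /app \
 && chown moduleuser:moduleuser /app

# /app already exists, so WORKDIR only changes the working directory.
WORKDIR /app

# COPY writes files as root unless --chown is given; this matches the
# effect of `chown -R moduleuser /app` from the issue.
COPY --from=build-env --chown=moduleuser:moduleuser /app/out ./

# Drop privileges for everything that follows, including the running module.
USER moduleuser

# Build-time check (assumption: the module writes into /app). The build
# fails here, under any build tool, if moduleuser cannot write to /app.
RUN touch /app/.write-check && rm /app/.write-check
```

Because the last `RUN` executes as `moduleuser`, a build that produces a root-only `/app` stops at that step instead of surfacing later in pipeline smoke tests.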