GoogleContainerTools / kaniko

Build Container Images In Kubernetes
Apache License 2.0

COPY does not default UID to 0 #1921

Open misterikkit opened 2 years ago

misterikkit commented 2 years ago

Actual behavior

Running kaniko in my local docker daemon, files copied with COPY still have my UID in the built container. This breaks reproducibility when different users build the same image because the file's UID is included in the layer hash.

Expected behavior

Files copied with COPY and no --chown arg should be defaulted to UID 0 as per the Dockerfile documentation:

All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies...

To Reproduce

#!/bin/sh
# Build the same trivial image with docker and with kaniko, then run both:
# run.sh stats itself, so the output shows which Uid/Gid the copied file ended up with.

echo "Running as $USER (uid=$(id -u))"

cd "$(mktemp -d)"

cat >run.sh <<'EOF'
#!/bin/sh
stat $0
EOF

chmod 0755 run.sh

cat >Dockerfile <<EOF
FROM alpine:latest

COPY run.sh /app/

ENTRYPOINT ["/app/run.sh"]
EOF

echo "Building with docker"
docker build -t uid-demo:docker .

# The build context is the bind-mounted /workspace; the image is written as a
# tarball into the same directory instead of being pushed to a registry.
echo "Building with kaniko"
docker run --rm -v "$(pwd)":/workspace gcr.io/kaniko-project/executor:v1.7.0 \
    --destination uid-demo:kaniko \
    --no-push \
    --tarPath image.tar

docker load < image.tar

echo "Running docker version"
docker run --rm -it uid-demo:docker
echo "Running kaniko version"
docker run --rm -it uid-demo:kaniko

Additional Information

Workaround

Explicitly add --chown to every COPY/ADD in each Dockerfile.

Triage Notes for the Maintainers

Description                                                    Yes/No
Please check if this is a new feature you are proposing        [ ]
Please check if the build works in docker but not in kaniko    [x]
Please check if this error is seen when you use --cache flag   [ ]
Please check if your dockerfile is a multistage dockerfile     [ ]
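The reproducibility point in the report (the copied file's UID is part of the layer hash) can be seen without running a build. The following Go program is an added example written for this page, not kaniko's own code: it builds two in-memory layer tars that differ only in the uid/gid of one constructed file, prints their sha256 digests, and scans a layer for entries not owned by 0:0, which is the check to run over the layers of an image built without --chown. The fileEntry type, the sample file and the helper names are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"time"
)

// fileEntry is a constructed, hypothetical description of one file in a layer;
// it exists only so the example can build sample layers in memory.
type fileEntry struct {
	name     string
	mode     int64
	uid, gid int
	body     []byte
}

// buildLayer writes the entries as an uncompressed tar, the form a layer takes
// before it is compressed and digested. Mod times are pinned to the epoch so
// ownership is the only thing that can vary between two calls.
func buildLayer(entries []fileEntry) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{
			Name:     e.name,
			Mode:     e.mode,
			Uid:      e.uid,
			Gid:      e.gid,
			Size:     int64(len(e.body)),
			ModTime:  time.Unix(0, 0),
			Typeflag: tar.TypeReg,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(e.body); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// layerDigest is sha256 over the uncompressed tar bytes, i.e. the diff ID that
// is recorded in the image config. The uid/gid fields live in the tar header,
// so a change of owner changes this value even when every file byte is identical.
func layerDigest(layer []byte) string {
	sum := sha256.Sum256(layer)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// nonRootEntries scans a layer tar and reports every path whose owner or group
// is not 0. Any hit in a layer produced by COPY without --chown is a file whose
// ownership, and therefore the layer digest, depends on who ran the build.
func nonRootEntries(layer []byte) ([]string, error) {
	var hits []string
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if hdr.Uid != 0 || hdr.Gid != 0 {
			hits = append(hits, fmt.Sprintf("%s (uid=%d gid=%d)", hdr.Name, hdr.Uid, hdr.Gid))
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample file; same content and mode in both layers, only the owner differs,
	// which is exactly what two users running the same COPY produce with the bug.
	script := []byte("#!/bin/sh\nstat $0\n")
	asRoot, _ := buildLayer([]fileEntry{{"app/run.sh", 0755, 0, 0, script}})
	asUser, _ := buildLayer([]fileEntry{{"app/run.sh", 0755, 1000, 1000, script}})
	fmt.Println("root-owned layer:", layerDigest(asRoot))
	fmt.Println("user-owned layer:", layerDigest(asUser))
	hits, _ := nonRootEntries(asUser)
	fmt.Println("non-root entries:", hits)
}
```

Running the program prints two different digests for byte-identical file content, and a second run on the same machine prints the same pair again, which is the reproducibility property the report is asking for. nonRootEntries is the piece worth pointing at the layer tars extracted from a real image to confirm whether a given build was affected.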
F30 commented 2 years ago

#2136 is somewhat related to this.

Note that the Dockerfile reference clearly states:

All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies a given username, groupname, or UID/GID combination to request specific ownership of the content added.

nemani commented 5 months ago

Just ran into this problem myself. Issue has been open for 2+ years. :(

KerchumA222 commented 3 weeks ago

In case anyone else ends up here looking for a more immediate solution: You can use the --chown flag to emulate the correct result: COPY --chown=0:0 file file But I think you will need to run Kaniko with superuser permissions to make this work this way.