Open D3vil0p3r opened 3 weeks ago
I further investigated, and I noted that the issue is still caused by `COPY rootfs/ /` when it is parsed by `build-push-action`. In practice, when `build-push-action` copies all the files and directories to the root of the container, it copies them with all write permissions.
Thanks for reporting.
This looks related to BuildKit, not the GitHub action. Building your project with this Dockerfile locally gives the same behavior:
```dockerfile
FROM athenaos/base:latest
RUN ls -al /
COPY rootfs/ /
RUN ls -al /
```
```
$ docker buildx build --no-cache --progress=plain .
...
#5 [internal] load build context
#5 transferring context: 1.77kB 0.2s done
#5 DONE 0.2s
#6 [2/4] RUN ls -al /
#6 0.380 total 52
#6 0.380 drwxr-xr-x 1 root root 4096 Jun 12 14:31 .
#6 0.380 drwxr-xr-x 1 root root 4096 Jun 12 14:31 ..
#6 0.380 lrwxrwxrwx 1 root root 7 Apr 7 18:02 bin -> usr/bin
#6 0.380 drwxr-xr-x 2 root root 4096 Apr 7 18:02 boot
#6 0.380 drwxr-xr-x 5 root root 340 Jun 12 14:31 dev
#6 0.380 drwxr-xr-x 1 root root 4096 Jun 12 14:31 etc
#6 0.380 drwxr-xr-x 2 root root 4096 Apr 7 18:02 home
#6 0.380 lrwxrwxrwx 1 root root 7 Apr 7 18:02 lib -> usr/lib
#6 0.380 lrwxrwxrwx 1 root root 7 Apr 7 18:02 lib64 -> usr/lib
#6 0.380 drwxr-xr-x 2 root root 4096 Apr 7 18:02 mnt
#6 0.380 drwxr-xr-x 2 root root 4096 Apr 7 18:02 opt
#6 0.380 dr-xr-xr-x 494 root root 0 Jun 12 14:31 proc
#6 0.380 drwxr-x--- 2 root root 4096 Apr 7 18:02 root
#6 0.380 drwxr-xr-x 2 root root 4096 Apr 7 18:02 run
#6 0.380 lrwxrwxrwx 1 root root 7 Apr 7 18:02 sbin -> usr/bin
#6 0.380 drwxr-xr-x 4 root root 4096 Jun 9 03:31 srv
#6 0.380 dr-xr-xr-x 11 root root 0 Jun 6 10:00 sys
#6 0.380 drwxrwxrwt 2 root root 4096 Apr 7 18:02 tmp
#6 0.380 drwxr-xr-x 8 root root 4096 Jun 9 03:31 usr
#6 0.380 drwxr-xr-x 12 root root 4096 Jun 9 03:31 var
#6 DONE 0.4s
#7 [3/4] COPY rootfs/ /
#7 DONE 0.1s
#8 [4/4] RUN ls -al /
#8 0.428 total 56
#8 0.428 drwxr-xr-x 1 root root 4096 Jun 12 14:31 .
#8 0.428 drwxr-xr-x 1 root root 4096 Jun 12 14:31 ..
#8 0.428 lrwxrwxrwx 1 root root 7 Apr 7 18:02 bin -> usr/bin
#8 0.428 drwxr-xr-x 2 root root 4096 Apr 7 18:02 boot
#8 0.428 drwxr-xr-x 5 root root 340 Jun 12 14:31 dev
#8 0.428 drwxrwxrwx 1 root root 4096 Jun 12 14:31 etc
#8 0.428 drwxr-xr-x 2 root root 4096 Apr 7 18:02 home
#8 0.428 lrwxrwxrwx 1 root root 7 Apr 7 18:02 lib -> usr/lib
#8 0.428 lrwxrwxrwx 1 root root 7 Apr 7 18:02 lib64 -> usr/lib
#8 0.428 drwxr-xr-x 2 root root 4096 Apr 7 18:02 mnt
#8 0.428 drwxr-xr-x 2 root root 4096 Apr 7 18:02 opt
#8 0.428 dr-xr-xr-x 496 root root 0 Jun 12 14:31 proc
#8 0.428 drwxr-x--- 2 root root 4096 Apr 7 18:02 root
#8 0.428 drwxr-xr-x 2 root root 4096 Apr 7 18:02 run
#8 0.428 lrwxrwxrwx 1 root root 7 Apr 7 18:02 sbin -> usr/bin
#8 0.428 drwxr-xr-x 4 root root 4096 Jun 9 03:31 srv
#8 0.428 dr-xr-xr-x 11 root root 0 Jun 6 10:00 sys
#8 0.428 drwxrwxrwt 2 root root 4096 Apr 7 18:02 tmp
#8 0.428 drwxrwxrwx 1 root root 4096 Jun 12 14:27 usr
#8 0.428 drwxr-xr-x 12 root root 4096 Jun 9 03:31 var
#8 DONE 0.5s
...
```
Related issue is here: https://github.com/moby/buildkit/issues/3602
@crazy-max thanks for the answer. The strange fact is that the mentioned open issue was opened 1 year ago, but I experienced this issue only in the last month... And if I manually build the image, it works correctly. If I use the mentioned GH actions no...
Indeed the latest pushed image in docker hub of Athena OS was built locally and you can see that the permissions are set correctly.
@D3vil0p3r This seems linked to a regression since BuildKit 0.13: https://github.com/moby/buildkit/issues/5066
Can you try with:
```yaml
-
  name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
  with:
    driver-opts: image=moby/buildkit:v0.12.5
```
Hey @crazy-max, by using your workaround, the permissions are now set correctly. Thank you.
I guess that buildkit must fix the issue.
Description
I have a docker container as an Arch-based Linux distro. Usually I create the container and I push it by the build-push-action but when I create and push the container by this action, when I pull the image and run the container, the filesystem root has the following permissions:
Look at `etc` and `usr` permissions. It creates several issues (like `/etc/sudoers.d` not working if it is world writable).
When I build the same container locally and I push it by:
and then I run it by `docker run`, the permissions are set correctly.
So I have the described issue only when I use docker action. The GitHub workflow I use for it is:
Instructions to run the container are on README of the https://github.com/Athena-OS/athena-rdp-docker repository.
Expected behaviour
`/etc` and `/usr` directories and some of their subdirectories should have the right permissions, for example:
Actual behaviour
The filesystem root has the following permissions:
Repository URL
https://github.com/Athena-OS/athena-rdp-docker
Workflow run URL
https://github.com/Athena-OS/athena-rdp-docker/blob/main/.github/workflows/docker-publish.yml
YAML workflow
Workflow logs
No response
BuildKit logs
No response
Additional info
No response
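A check for the symptom discussed in this thread (`/etc` and `/usr` turning `drwxrwxrwx` after `COPY rootfs/ /`), written as an added example that is not part of the original issue or of any project named in it. The function names `find_unsafe_dirs`, `check_rootfs` and `make_sample_rootfs` are hypothetical, and the sample tree is constructed to mirror the modes in the log above.

```shell
#!/bin/sh
# Added example: flag world-writable directories that lack the sticky bit
# under an unpacked root filesystem (helper names are hypothetical).

# Print offending directories as paths relative to the rootfs, sorted.
find_unsafe_dirs() {
    rootfs=$1
    # -perm -0002: "other" write bit set; ! -perm -1000: sticky bit not set,
    # so /tmp-style 1777 directories pass. -xdev stays on one filesystem.
    ( cd "$rootfs" && find . -xdev -type d -perm -0002 ! -perm -1000 -print ) |
        sed -e 's|^\./|/|' -e 's|^\.$|/|' | sort
}

# Return non-zero and report on stderr when any offending directory exists.
check_rootfs() {
    bad=$(find_unsafe_dirs "$1")
    if [ -n "$bad" ]; then
        printf 'world-writable directories without sticky bit:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree: etc and usr at 0777 (the broken result),
# tmp at 1777 and var at 0755 (the expected modes).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/sudoers.d" "$d/usr" "$d/tmp" "$d/var"
    chmod 0777 "$d/etc" "$d/usr"
    chmod 0755 "$d/etc/sudoers.d" "$d/var"
    chmod 1777 "$d/tmp"
    printf '%s\n' "$d"
}

# When run as a script with a path argument, check that path.
if [ "$#" -gt 0 ]; then
    check_rootfs "$1"
fi
```

Point `check_rootfs` at an unpacked copy of the image filesystem, or at `/` inside a `RUN` step placed after the `COPY`, so the build fails instead of publishing an image with the wrong modes.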