search

docker / for-mac

Bug reports for Docker Desktop for Mac
https://www.docker.com/products/docker#/mac
2.44k stars 118 forks source link

Upgrade to Version 4.34.0 with VirtioFS breaks file permissions again #7406

Open joville opened 2 months ago

joville commented 2 months ago

Description

We had the issue that a team member was not able to run composer install in a docker container without any git dubious ownership errors in some composer packages.

I was trying to reproduce the issue and could not find any issue at first until I saw that there is a docker.app upgrade from version 4.33.0 to 4.34.0. Finally I could reproduce the issue. I was downgrading docker to 4.33.0 again for reproducing the previous state. It was running fine, but not with 4.34.0. After checking the issues I found the issues about permission issues with virtioFS. I tried the upgrade again with version 4.34.0 and switched the file sharing settings from VirtioFS to gRPC FUSE and it was working as expected.

Reproduce

  1. Upgrade Docker.app to 4.34.0 and restart app (file sharing is set to VirtioFS in docker)
  2. In a docker stack with a composer.json with some git based packages delete the vendor directory.
  3. Run docker compose exec containername bash to get into the container console
  4. Run composer install
  5. You will get some of the following errors while installing a some composer packages: Install of any/package failed The cloning process into a directory will fail with this error summary: fatal: detected dubious ownership in repository at 'install target directory'

Expected behavior

Install process with composer install run without any (permission) errors.

docker version

Client:
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:14:45 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.34.0 (165256)
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:41 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.2.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2-desktop.1
    Path:     /Users/username/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.2-desktop.2
    Path:     /Users/username/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.34
    Path:     /Users/username/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.15
    Path:     /Users/username/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/username/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/username/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/username/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/username/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/username/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.13.0
    Path:     /Users/username/.docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 81
 Server Version: 27.2.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.4-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 9.706GiB
 Name: docker-desktop
 ID: 4e2c7e85-7a13-40e7-9f3b-7b6497b95c22
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/username/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

Diagnostics ID

CDFACD1D-F7C3-4893-A89D-9066ADF69301

Additional Info

No response

thaJeztah commented 2 months ago

Hm.. wondering if this is related to CVE-2024-32004 - the fix for that introduced an error message about "dubious ownership"; https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8

thegass commented 2 months ago

Looks like VirtioFS was broken on purpose to sell the new subscription only filesharing. downgrading to 4.33 fixed misc. filesharing related issues.

florianPat commented 1 month ago

Still an issue on 4.34.3. Steps I executed to reproduce this issue: The issue is that git directories created are owned by root and not by "you". Commands run in php:8.3.12-fpm-alpine3.20@sha256:14c0faa46fc5c34c662950b607562f67de5c34a5df4d431274fc13ad76744060

/app $ id -u
503
/app $ id -g
20
/app $ cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
...
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin
app:x:503:20:Linux User,,,:/home/app:/sbin/nologin
/app $ cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
...
ping:x:999:
nogroup:x:65533:
nobody:x:65534:
app:x:20:app

Without VirtioFS, no permission issues:

Image

# Clone From local directory
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/app/vendor/test/bundle' --dissociate
 --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (142/142), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 134), reused 324 (delta 134), pack-reused 0 (from 0)

# Permissions of local path thats cloned
/app $ ls -la ~/.composer/cache/vcs/https---bitbucket.org-bundle.git/
total 44
drwxr-sr-x    7 app      dialout       4096 Oct 11 10:27 .
drwxr-sr-x    7 app      dialout       4096 Oct 11 10:27 ..
-rw-r--r--    1 app      dialout         21 Oct 11 10:27 HEAD
drwxr-sr-x    2 app      dialout       4096 Oct 11 10:27 branches
-rw-r--r--    1 app      dialout        333 Oct 11 10:27 config
-rw-r--r--    1 app      dialout         73 Oct 11 10:27 description
drwxr-sr-x    2 app      dialout       4096 Oct 11 10:27 hooks
drwxr-sr-x    2 app      dialout       4096 Oct 11 10:27 info
drwxr-sr-x    4 app      dialout       4096 Oct 11 10:27 objects
-rw-r--r--    1 app      dialout        951 Oct 11 10:27 packed-refs
drwxr-sr-x    4 app      dialout       4096 Oct 11 10:27 refs

# Check that permissions are app:dialout
/app $ ls -la vendor/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 .
drwxr-xr-x   33 app      dialout       1056 Oct 11 10:27 ..
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 .
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 ..
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 bundle
/app $ ls -la vendor/test/bundle/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 .
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 ..
drwxr-xr-x   12 app      dialout        384 Oct 11 10:27 .git
/app $ ls -la vendor/test/bundle/.git/
total 16
drwxr-xr-x   12 app      dialout        384 Oct 11 10:27 .
drwxr-xr-x    3 app      dialout         96 Oct 11 10:27 ..
-rw-r--r--    1 app      dialout         21 Oct 11 10:27 HEAD
drwxr-xr-x    2 app      dialout         64 Oct 11 10:27 branches
-rw-r--r--    1 app      dialout        303 Oct 11 10:27 config
-rw-r--r--    1 app      dialout         73 Oct 11 10:27 description
drwxr-xr-x   15 app      dialout        480 Oct 11 10:27 hooks
drwxr-xr-x    4 app      dialout        128 Oct 11 10:27 info
drwxr-xr-x    4 app      dialout        128 Oct 11 10:27 logs
drwxr-xr-x    4 app      dialout        128 Oct 11 10:27 objects
-rw-r--r--    1 app      dialout        969 Oct 11 10:27 packed-refs
drwxr-xr-x    5 app      dialout        160 Oct 11 10:27 refs

# Check that creating a directory has the expected permissions
/app $ rm -rf vendor/
/app $ mkdir -p vendor/test
/app $ ls -la vendor/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 10:28 .
drwxr-xr-x   33 app      dialout       1056 Oct 11 10:28 ..
drwxr-xr-x    2 app      dialout         64 Oct 11 10:28 test

With VirtioFS, permission issues, but only (as expected) in bind mounts:

Image

# Clone From local directory
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/app/vendor/test/bundle' --dissociate
 --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (141/141), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 135), reused 324 (delta 135), pack-reused 0 (from 0)

# Permissions of local path thats cloned
/app $ ls -la ~/.composer/cache/vcs/https---bitbucket.org-bundle.git/
total 44
drwxr-sr-x    7 app      dialout       4096 Oct 11 10:30 .
drwxr-sr-x    7 app      dialout       4096 Oct 11 10:30 ..
-rw-r--r--    1 app      dialout         21 Oct 11 10:30 HEAD
drwxr-sr-x    2 app      dialout       4096 Oct 11 10:30 branches
-rw-r--r--    1 app      dialout        331 Oct 11 10:30 config
-rw-r--r--    1 app      dialout         73 Oct 11 10:30 description
drwxr-sr-x    2 app      dialout       4096 Oct 11 10:30 hooks
drwxr-sr-x    2 app      dialout       4096 Oct 11 10:30 info
drwxr-sr-x    4 app      dialout       4096 Oct 11 10:30 objects
-rw-r--r--    1 app      dialout        951 Oct 11 10:30 packed-refs
drwxr-sr-x    4 app      dialout       4096 Oct 11 10:30 refs

# Check that permissions are app:dialout, but are root!
/app $ ls -la vendor/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 10:30 .
drwxr-xr-x   33 app      dialout       1056 Oct 11 10:30 ..
drwxr-xr-x    3 root     root            96 Oct 11 10:30 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x    3 root     root            96 Oct 11 10:30 .
drwxr-xr-x    3 app      dialout         96 Oct 11 10:30 ..
drwxr-xr-x    3 root     root            96 Oct 11 10:30 bundle
/app $ ls -la vendor/test/bundle/
total 0
drwxr-xr-x    3 root     root            96 Oct 11 10:30 .
drwxr-xr-x    3 root     root            96 Oct 11 10:30 ..
drwxr-xr-x   12 root     root           384 Oct 11 10:30 .git
/app $ ls -la vendor/test/bundle/.git/
total 16
drwxr-xr-x   12 root     root           384 Oct 11 10:30 .
drwxr-xr-x    3 root     root            96 Oct 11 10:30 ..
-rw-r--r--    1 app      dialout         21 Oct 11 10:30 HEAD
drwxr-xr-x    2 app      dialout         64 Oct 11 10:30 branches
-rw-r--r--    1 app      dialout        303 Oct 11 10:30 config
-rw-r--r--    1 app      dialout         73 Oct 11 10:30 description
drwxr-xr-x   15 app      dialout        480 Oct 11 10:30 hooks
drwxr-xr-x    4 app      dialout        128 Oct 11 10:30 info
drwxr-xr-x    4 root     root           128 Oct 11 10:30 logs
drwxr-xr-x    4 app      dialout        128 Oct 11 10:30 objects
-rw-r--r--    1 app      dialout        969 Oct 11 10:30 packed-refs
drwxr-xr-x    5 app      dialout        160 Oct 11 10:30 refs

# Clone From local directory into NON bind mounted path
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/tmp/app/vendor/test/bundle' --dissociate --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/tmp/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (141/141), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 135), reused 324 (delta 135), pack-reused 0 (from 0)

# Check that permissions are app:dialout, which they are
/app $ ls -la /tmp/app/
total 16
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 .
drwxrwxrwt    1 app      dialout       4096 Oct 11 10:31 ..
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 vendor
/app $ ls -la /tmp/app/vendor/
total 12
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 .
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 ..
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 test
/app $ ls -la /tmp/app/vendor/test/
total 12
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 .
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 ..
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 bundle
/app $ ls -la /tmp/app/vendor/test/bundle/
total 12
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 .
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 ..
drwxr-xr-x    8 app      dialout       4096 Oct 11 10:31 .git
/app $ ls -la /tmp/app/vendor/test/bundle/.git/
total 48
drwxr-xr-x    8 app      dialout       4096 Oct 11 10:31 .
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 ..
-rw-r--r--    1 app      dialout         21 Oct 11 10:31 HEAD
drwxr-xr-x    2 app      dialout       4096 Oct 11 10:31 branches
-rw-r--r--    1 app      dialout        284 Oct 11 10:31 config
-rw-r--r--    1 app      dialout         73 Oct 11 10:31 description
drwxr-xr-x    2 app      dialout       4096 Oct 11 10:31 hooks
drwxr-xr-x    2 app      dialout       4096 Oct 11 10:31 info
drwxr-xr-x    3 app      dialout       4096 Oct 11 10:31 logs
drwxr-xr-x    4 app      dialout       4096 Oct 11 10:31 objects
-rw-r--r--    1 app      dialout        969 Oct 11 10:31 packed-refs
drwxr-xr-x    5 app      dialout       4096 Oct 11 10:31 refs

# Check that creating a directory has the expected permissions
/app $ rm -rf vendor/
/app $ mkdir -p vendor/test
/app $ ls -la vendor/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 10:40 .
drwxr-xr-x   33 app      dialout       1056 Oct 11 10:40 ..
drwxr-xr-x    2 app      dialout         64 Oct 11 10:40 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x    2 app      dialout         64 Oct 11 10:40 .
drwxr-xr-x    3 app      dialout         96 Oct 11 10:40 ..
florianPat commented 1 month ago

Also tested with 4.33.0 now, and works as expected with VirtioFS enabled. Will stick to this version till its resolved in 4.34 Image

# Clone From local directory
/app $ git clone --no-checkout '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/' '/app/vendor/test/bundle' --dissociate
 --reference '/home/app/.composer/cache/vcs/https---bitbucket.org-bundle.git/'
Cloning into '/app/vendor/test/bundle'...
done.
Enumerating objects: 324, done.
Counting objects: 100% (324/324), done.
Delta compression using up to 8 threads
Compressing objects: 100% (141/141), done.
Writing objects: 100% (324/324), done.
Total 324 (delta 135), reused 324 (delta 135), pack-reused 0 (from 0)

# Permissions of local path thats cloned
/app $ ls -la ~/.composer/cache/vcs/https---bitbucket.org-bundle.git/
total 44
drwxr-sr-x    7 app      dialout       4096 Oct 11 11:14 .
drwxr-sr-x    7 app      dialout       4096 Oct 11 11:15 ..
-rw-r--r--    1 app      dialout         21 Oct 11 11:14 HEAD
drwxr-sr-x    2 app      dialout       4096 Oct 11 11:14 branches
-rw-r--r--    1 app      dialout        333 Oct 11 11:14 config
-rw-r--r--    1 app      dialout         73 Oct 11 11:14 description
drwxr-sr-x    2 app      dialout       4096 Oct 11 11:14 hooks
drwxr-sr-x    2 app      dialout       4096 Oct 11 11:14 info
drwxr-sr-x    4 app      dialout       4096 Oct 11 11:14 objects
-rw-r--r--    1 app      dialout        951 Oct 11 11:14 packed-refs
drwxr-sr-x    4 app      dialout       4096 Oct 11 11:14 refs

# Check that permissions are app:dialout
/app $ ls -la vendor/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 .
drwxr-xr-x   33 app      dialout       1056 Oct 11 11:15 ..
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 test
/app $ ls -la vendor/test/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 .
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 ..
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 bundle
/app $ ls -la vendor/test/bundle/
total 0
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 .
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 ..
drwxr-xr-x   12 app      dialout        384 Oct 11 11:15 .git
/app $ ls -la vendor/test/bundle/.git/
total 16
drwxr-xr-x   12 app      dialout        384 Oct 11 11:15 .
drwxr-xr-x    3 app      dialout         96 Oct 11 11:15 ..
-rw-r--r--    1 app      dialout         21 Oct 11 11:15 HEAD
drwxr-xr-x    2 app      dialout         64 Oct 11 11:15 branches
-rw-r--r--    1 app      dialout        303 Oct 11 11:15 config
-rw-r--r--    1 app      dialout         73 Oct 11 11:15 description
drwxr-xr-x   15 app      dialout        480 Oct 11 11:15 hooks
drwxr-xr-x    4 app      dialout        128 Oct 11 11:15 info
drwxr-xr-x    4 app      dialout        128 Oct 11 11:15 logs
drwxr-xr-x    4 app      dialout        128 Oct 11 11:15 objects
-rw-r--r--    1 app      dialout        969 Oct 11 11:15 packed-refs
drwxr-xr-x    5 app      dialout        160 Oct 11 11:15 refs
thegass commented 1 month ago

no high hopes that this will get fixed.

craether-nbb commented 3 weeks ago

The issue seems to be solved with DockerDesktop 4.35.0 released yesterday. https://docs.docker.com/desktop/release-notes/#4350

djs55 commented 1 week ago

Hi, If you're still encountering this issue could you try again with the latest 4.35.1? Also it's worth looking in settings and trying it with both virtualisation.framework and Docker VMM (Settings -> General -> Virtual Machine Options) since they have subtle file ownership differences.

Let me know what happens!