moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Add `gitutil.WithExec(runWithStandardUmask)` to Git invocations #5092

Closed tianon closed 3 months ago

tianon commented 3 months ago

This fixes umask bugs while building from a remote Git URL where ADD/COPY'd files end up with 666/777 permissions instead of 644/755.

Fixes https://github.com/moby/buildkit/issues/5066

Refs https://github.com/moby/buildkit/pull/4106

tianon commented 3 months ago

I have hand-verified this with the same methodology as in https://github.com/moby/buildkit/issues/5066:

```console
$ docker buildx create --name foo --driver-opt image=sha256:of-image-built-from-this-change-to-force-a-local-image
$ docker buildx build --builder foo https://github.com/docker-library/mysql.git#319db566ac7fef45c22f3df15ee5e194a7c43259:8.0 --file Dockerfile.debian --load
...
#16 exporting manifest sha256:549830c9f48b8d7d7579707e8900735dbb688dc8842b264ac8d0d4119a8210bc done
#16 exporting config sha256:11f31906f3b47f2f5380059c1e3072d01491cc4050482c8f4eacd2ba519a6b75 done
...
$ docker run --rm sha256:11f31906f3b47f2f5380059c1e3072d01491cc4050482c8f4eacd2ba519a6b75 ls -l /etc/mysql/my.cnf
-rw-r--r-- 1 root root 1080 Jun 26 23:53 /etc/mysql/my.cnf
```

tonistiigi commented 3 months ago

https://github.com/moby/buildkit/pull/5096 looks better