search

opencontainers / image-tools

OCI Image Tooling
https://opencontainers.org
Apache License 2.0
266 stars 83 forks source link

unpack permissions incorrect #218

Open AdamSimpson opened 5 years ago

AdamSimpson commented 5 years ago

I have run across an issue in another project that uses image-tools, sylabs/singularity#3880, that looks to be caused by image-tools failing to unpack files with the correct permissions. The issue appears when building from a Dockerfile when a file is created in one layer and then in a subsequent layer the permissions are modified. In this case it looks like the unpacked image has the original file permissions and the updated permissions are ignored.

Dockerfile

FROM ubuntu
RUN mkdir -m 700 /foobar
RUN chmod 755 /foobar

Building the image and verifying the permissions

$ docker build -t permission:test .
$ docker run permission:test ls -ld /foobar
drwxr-xr-x 1 root root 4096 Jul  7 02:43 /foobar

Copy the image with skopeo

$ skopeo copy docker-daemon:permission:test oci:permission:test

Verify permissions are correct with umoci

$ sudo umoci unpack --image permission:test permission_umoci
$ sudo ls -ld permission_umoci/rootfs/foobar
drwxr-xr-x 2 root root 4096 Jul  6 19:43 permission_umoci/rootfs/foobar

Permissions are incorrect with image-tools

$ oci-image-tool unpack --ref name=test permission permission_oit
$ ls -ld permission_oit/foobar
drwx------ 2 asimpson asimpson 4096 Jul  6 19:43 permission_oit/foobar
cyphar commented 5 years ago

I would suggest using https://github.com/openSUSE/umoci instead -- image-tools has historically had many problems with unpacking things correctly and is the main reason I ended up writing umoci. It's used by quite a few other projects as well (within openSUSE we use it to build our container images, it's used by LXC as a method of getting OCI support, and there are tools built on-top of umoci like CISCO's stacker).

cyphar commented 5 years ago

Oh sorry, I didn't notice you already mentioned you tested against umoci. :wink: I could look into porting image-tools to umoci (the underlying libraries should be fairly reusable -- I know a few folks that are reusing it).

AdamSimpson commented 5 years ago

Thanks @cyphar, it looks like the Singularity devs are looking into integrating umoci. From what I could see this should be relatively straight forward.

cyphar commented 4 years ago

This project is no longer actively maintained. However, umoci is a much more full-featured tool for manipulating OCI images, and is now an OCI project as a reference implementation of the OCI image-spec. I would strongly suggest people move to using umoci.