imgpkg removes group permissions when storing files in OCI image, which causes permission problems with the Jammy stack #498

Closed
navdeep-pama opened this issue Mar 16, 2023 · 1 comment · Fixed by #513
Labels: carvel accepted (This issue should be considered for future work and that the triage process has been completed), enhancement (This issue is a feature request)

Comments

@navdeep-pama

What happened:
Jammy-base builders require that read permissions are set for group. It uses different users for build and run, so group read permissions are required to access files.

  • Using imgpkg to copy a jammy-base image
  • Imgpkg removes group permissions when storing files in OCI image, permissions are set based on umask
  • node/python/gradle workload deployments with "--local-path" will fail. These projects require read access to file system resources.

What did you expect:
The permissions should be retained so that Jammy-base images and their workloads can run.

Anything else you would like to add:
imgpkg should implement a new flag called --preserve-permissions that will disable the current behavior for imgpkg that would remove all the permissions. This will ensure we don't cause a breaking change for existing user workflows.

@navdeep-pama navdeep-pama added bug This issue describes a defect or unexpected behavior carvel triage This issue has not yet been reviewed for validity labels Mar 16, 2023
@joaopapereira
Member

Going to change from bug to feature, since this is the way imgpkg is supposed to behave. We decided to go with this behavior to add an extra layer of security to ensure that the user that creates files is the only one that can update them.

In the examples above there are some situations where we might want to forfeit this feature and allow for the full permissions to be kept. In order to enable these scenarios we might, as suggested, create a new flag for imgpkg push to keep the permissions.

The main side effect here that we must take into account is the fact that when imgpkg pulls the image it will have to know that the permission bits should be kept. In order for this to be done we can try to see if there is a way to make the code understand if the permissions are present or not and if imgpkg should copy the user bits or not.
Some investigation needs to go into this.

In case this makes the code much more complicated we can decide to go with the creation of something in the image, like a file in the .imgpkg/ folder or some annotation on the image itself to inform imgpkg about the expected behavior on pull.

@joaopapereira joaopapereira added enhancement This issue is a feature request carvel accepted This issue should be considered for future work and that the triage process has been completed and removed bug This issue describes a defect or unexpected behavior carvel triage This issue has not yet been reviewed for validity labels Mar 16, 2023
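
An added example, not part of the issue thread and not imgpkg's own code: the effect discussed above, reproduced with Go's `archive/tar`, plus a check over a layer's headers for missing group-read bits. The function names, the `0o700` owner-only mask and the sample path are assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// buildLayer writes files into an in-memory tar layer, ANDing each mode with mask.
// Assumed masks: 0o700 keeps only the owner bits, 0o777 preserves the permissions.
func buildLayer(files []tar.Header, mask int64) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("constructed sample content\n")
	for _, hdr := range files {
		hdr.Mode &= mask
		hdr.Typeflag, hdr.Size = tar.TypeReg, int64(len(body))
		if err := tw.WriteHeader(&hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(body); err != nil {
			return nil, err
		}
	}
	err := tw.Close()
	return buf.Bytes(), err
}

// groupUnreadable lists entries a different user in the owning group could not read.
func groupUnreadable(layer []byte) ([]string, error) {
	var out []string
	tr := tar.NewReader(bytes.NewReader(layer))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if hdr.Mode&0o040 == 0 {
			out = append(out, hdr.Name)
		}
	}
	return out, nil
}

func main() {
	files := []tar.Header{{Name: "workspace/app.py", Mode: 0o640}} // constructed sample
	masked, _ := buildLayer(files, 0o700)
	blocked, _ := groupUnreadable(masked)
	fmt.Println("group-unreadable after masking:", blocked)
}
```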