Defining a user in multi-stage builds #1195

Closed
jw3 opened this issue Jan 24, 2019 · 5 comments


jw3 commented Jan 24, 2019

Using v1.3.16 and the multi-stage feature from #1190

The first stage of the multi-stage build may not have adequate rights to perform the chmod if the base image was already using an unprivileged user.

You should be able to reproduce this using something like

```
dockerBaseImage := "fabric8/java-centos-openjdk8-jdk",
dockerPermissionStrategy := DockerPermissionStrategy.MultiStage,
dockerChmodType := DockerChmodType.UserGroupWriteExecute
```

Which produces a first stage of

```
FROM fabric8/java-centos-openjdk8-jdk as stage0
WORKDIR /opt/docker
RUN id -u daemon || useradd --system --create-home --uid 1001 --gid 0 daemon
COPY opt /opt
RUN ["chmod", "-R", "u=rwX,g=rwX", "/opt/docker"]
```

User of the fabric8 image is already non-root

```
$ docker run --rm fabric8/java-centos-openjdk8-jdk whoami
jboss
```

Could specify a user via configuration, or perhaps the first stage can safely be switched to USER root?


jw3 commented Jan 24, 2019

The errors produced are a list of chmod failures

```
chmod: changing permissions of '/opt/docker': Operation not permitted
chmod: changing permissions of '/opt/docker/bin': Operation not permitted
...
```


muuki88 commented Jan 25, 2019

Thanks for the detailed report 👍

I guess running the stage0 with USER root is a viable option as this doesn't affect the application image. Would you like to open a PR for this?

@eed3si9n any objections?

@eed3si9n

That makes sense.

eed3si9n self-assigned this Jan 25, 2019
eed3si9n added a commit to eed3si9n/sbt-native-packager that referenced this issue Jan 25, 2019
Fixes sbt#1195

Since the user of the fabric8 image is already non-root, stage0 fails with

```
chmod: changing permissions of '/opt/docker': Operation not permitted
```

This switches the stage0 user to root explicitly so we can run `chmod` in there. In the actual image the user is set back to 1001.
@eed3si9n

Pull request here - #1197

muuki88 pushed a commit that referenced this issue Jan 28, 2019
Fixes #1195

muuki88 commented Jan 28, 2019

v1.3.17 is on its way
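
A check for the property the fix in this thread relies on (root only in stage0, user 1001 in the actual image), added here as an example and not code from sbt-native-packager. The sample Dockerfile is constructed, its second stage is an assumed shape for the application image, and the function names are hypothetical; the check also covers the more general case where a later stage is built `FROM` an earlier one and inherits its `USER`.

```python
# Constructed sample: stage0 is the Dockerfile from the report with USER root
# added; the second stage is an assumed shape for the application image.
SAMPLE = """\
FROM fabric8/java-centos-openjdk8-jdk as stage0
USER root
WORKDIR /opt/docker
COPY opt /opt
RUN ["chmod", "-R", "u=rwX,g=rwX", "/opt/docker"]

FROM fabric8/java-centos-openjdk8-jdk
COPY --from=stage0 /opt/docker /opt/docker
USER 1001
"""

ROOT_USERS = {"root", "0"}


def stage_users(dockerfile):
    """Return [(stage_name, user)] per build stage. user is None when the
    stage never sets USER and so keeps its external base image's user."""
    stages, by_alias = [], {}
    for raw in dockerfile.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform
            alias = args[2] if len(args) >= 3 and args[1].lower() == "as" else None
            # FROM <earlier stage> carries that stage's USER forward.
            parent = by_alias.get(args[0].lower())
            user = stages[parent][1] if parent is not None else None
            if alias:
                by_alias[alias.lower()] = len(stages)
            stages.append([alias or str(len(stages)), user])
        elif instr == "USER" and stages and len(parts) > 1:
            stages[-1][1] = parts[1]  # last USER in a stage wins
    return [tuple(s) for s in stages]


def final_stage_runs_as_root(dockerfile):
    """True/False when the Dockerfile decides it; None when the final user
    is inherited from a base image this check cannot see."""
    stages = stage_users(dockerfile)
    if not stages:
        raise ValueError("no FROM instruction found")
    user = stages[-1][1]
    if user is None:
        return None
    return user.split(":")[0].lower() in ROOT_USERS  # USER may be user:group
```

A `None` result means the image's user has to be checked on the built image itself, as the `whoami` run in the report does.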
