Multi-stage COPY --from should preserve ownership/permissions #37123

Closed
@thaJeztah

Description

This relates to:

Problem statement

The COPY (and ADD) Dockerfile instructions by default reset the ownership of files added to 0:0.

While this makes sense when copying files from a build-context (users/groups on the host in most situations won't match user/group in the container), in multi-stage builds this situation may be different.

In a multi-stage build, intermediate stages are meant to prepare content/artifacts for the final stage(s) they are copied to. This preparation can include setting the correct ownership (and permissions) of files.

Because of the current behavior of COPY, those permissions are reset, and workarounds, such as tar-ing the files before COPY-ing, then extracting the tar in the final stage (which preserves permissions and ownership as set on the files before tar-ing) are not ideal.

Proposal

I propose to preserve permissions and ownership of files/directories when COPY-ing between stages in a multi-stage build.

Example

Building this Dockerfile on a current version of Docker:

FROM busybox AS one
RUN mkdir -p /foo/1-subdir \
 && touch \
  /foo/4-five-six \
  /foo/7-eight-nine \
 && chown -R 123:123 /foo/1-subdir \
 && chown 456:456 /foo/4-five-six \
 && chown 789:789 /foo/7-eight-nine \
 && chmod -R 0600 /foo/1-subdir \
 && chmod 0060 /foo/4-five-six \
 && chmod 0006 /foo/7-eight-nine
RUN echo "In stage one" \
 && ls -l /foo/


FROM busybox AS final
COPY --from=one /foo /bar
RUN echo "In final stage" \
 && ls -l /bar/

Produces:

In stage one
total 4
drw-------    2 123      123           4096 May 22 12:24 1-subdir
----rw----    1 456      456              0 May 22 12:24 4-five-six
-------rw-    1 789      789              0 May 22 12:24 7-eight-nine
In final stage
total 4
drw-------    2 root     root          4096 May 22 12:24 1-subdir
----rw----    1 root     root             0 May 22 12:24 4-five-six
-------rw-    1 root     root             0 May 22 12:24 7-eight-nine

With the proposed changes, the final stage would look like:

In final stage
total 4
drw-------    2 123      123           4096 May 22 12:24 1-subdir
----rw----    1 456      456              0 May 22 12:24 4-five-six
-------rw-    1 789      789              0 May 22 12:24 7-eight-nine

Question / to be discussed

COPY --from accepts both the name/number of a build-stage, as well as an image-reference:

  • Should we preserve ownership/permissions when copying from an image as well? (COPY --from myimage:latest)
  • Should we add new options to make the --from less ambiguous, and only preserve ownership/permissions when copying from other stages (i.e., add --from-stage and --from-image options)?
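
The tar workaround mentioned in the problem statement, written out as an added example (it is not part of the original issue or of Docker's own code). It reuses the issue's `/foo` layout; the archive paths `/foo.tar` and `/tmp/foo.tar` and the `stat` checks are assumptions chosen for illustration.

```dockerfile
# Added example: carry ownership and modes across stages inside a tar archive,
# then fail the build if the final stage does not have the expected values.
FROM busybox AS one
RUN mkdir -p /foo/1-subdir \
 && touch \
  /foo/4-five-six \
  /foo/7-eight-nine \
 && chown -R 123:123 /foo/1-subdir \
 && chown 456:456 /foo/4-five-six \
 && chown 789:789 /foo/7-eight-nine \
 && chmod -R 0600 /foo/1-subdir \
 && chmod 0060 /foo/4-five-six \
 && chmod 0006 /foo/7-eight-nine
# The archive records each entry's uid, gid and mode, so the COPY below only
# resets the ownership of the single archive file, not of its contents.
RUN tar -cf /foo.tar -C /foo .

FROM busybox AS final
COPY --from=one /foo.tar /tmp/foo.tar
# Extraction runs as root, which lets tar restore the recorded owners and modes.
RUN mkdir /bar \
 && tar -xf /tmp/foo.tar -C /bar \
 && rm /tmp/foo.tar
# Build-time check: stop the build if ownership or mode differs from stage one.
RUN set -e; \
    [ "$(stat -c '%u:%g %a' /bar/1-subdir)" = "123:123 600" ]; \
    [ "$(stat -c '%u:%g %a' /bar/4-five-six)" = "456:456 60" ]; \
    [ "$(stat -c '%u:%g %a' /bar/7-eight-nine)" = "789:789 6" ]; \
    echo "In final stage" && ls -ln /bar/
```

The archive copied by `COPY` stays in its own image layer even after the `rm`, which is one reason the issue calls this workaround not ideal.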
