userns, buildkit: docker build creates directories with wrong permissions · Issue #40335 · moby/moby · GitHub

userns, buildkit: docker build creates directories with wrong permissions #40335

@mejedi

Description

When using --userns-remap=default and DOCKER_BUILDKIT=1, docker build COPY creates a non-existent directory hierarchy with the wrong owner.

This doesn't happen without userns remapping or without BuildKit.

Steps to reproduce the issue:

A Dockerfile with COPY targeting a non-existent directory. Ex:

FROM alpine
COPY Dockerfile /root/foo/
RUN  touch /root/bar
RUN  stat -c '%n %u/%g' /root/foo /root/foo/Dockerfile /root/bar
RUN  touch /root/foo/bar

Describe the results you received:

The directory created by COPY, /root/foo, belongs to nobody, as confirmed by stat. An attempt to create a file in /root/foo fails with a Permission denied error.

$ DOCKER_BUILDKIT=1 docker build . --progress=plain --no-cache
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 195B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/alpine:latest
#3 DONE 0.0s

#4 [1/5] FROM docker.io/library/alpine
#4 CACHED

#5 [internal] load build context
#5 transferring context: 189B done
#5 DONE 0.0s

#6 [2/5] COPY Dockerfile /root/foo/
#6 DONE 0.1s

#7 [3/5] RUN  touch /root/bar
#7 DONE 0.5s

#8 [4/5] RUN  stat -c '%n %u/%g' /root/foo /root/foo/Dockerfile /root/bar
#8 0.633 /root/foo 65534/65534
#8 0.633 /root/foo/Dockerfile 0/0
#8 0.633 /root/bar 0/0
#8 DONE 0.7s

#9 [5/5] RUN  touch /root/foo/bar
#9 0.638 touch: /root/foo/bar: Permission denied
#9 ERROR: executor failed running [/bin/sh -c touch /root/foo/bar]: runc did not terminate sucessfully
------
 > [5/5] RUN  touch /root/foo/bar:
------
failed to solve with frontend dockerfile.v0: failed to build LLB: executor failed running [/bin/sh -c touch /root/foo/bar]: runc did not terminate sucessfully

Describe the results you expected:

/root/foo should be owned by the mapped root user and it should be possible to create files in /root/foo.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea838
 Built:             Wed Nov 13 07:29:52 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea838
  Built:            Wed Nov 13 07:28:22 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 26
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
  userns
 Kernel Version: 4.18.0-18-generic
 Operating System: Ubuntu 18.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.852GiB
 Name: xu-1
 ID: 7LCF:ROWQ:RALP:RSBF:2DCG:36K2:VBOI:OQVU:5ADJ:D7XO:KSLL:SYVH
 Docker Root Dir: /var/lib/docker/231072.231072
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

userns_remap, BuildKit
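
The 65534/65534 in the stat output above is the overflow id the kernel reports for an owner that has no mapping in the container's user namespace. The following Python script is an added example, not part of the original issue or of moby/BuildKit code: it translates host-side owners through a uid_map-style range and lists unmapped entries, either from an unpacked rootfs directory given as an argument or from constructed sample data. Assumptions: the base 231072 is taken from the Docker Root Dir line, the range length 65536 and the host-side owners in CONSTRUCTED are made up for illustration, and the same range is used for uids and gids.

```python
import os
import sys

OVERFLOW_ID = 65534  # kernel default (/proc/sys/kernel/overflowuid)
# Assumed mapping: base 231072 is from the report's "Docker Root Dir" line,
# the range length 65536 is an assumption.
ASSUMED_MAP = "0 231072 65536"
# Constructed host-side owners (not measured): the COPY-created directory is
# assumed to belong to real host root, the rest to the remapped root.
CONSTRUCTED = [("root/foo", 0, 0), ("root/foo/Dockerfile", 231072, 231072),
               ("root/bar", 231072, 231072)]

def parse_id_map(text):
    """Parse uid_map/gid_map lines: <inside start> <outside start> <length>."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(map(int, r)) for r in rows if len(r) == 3]

def map_id(host_id, ranges):
    """Translate a host id to its in-namespace id, or None if unmapped."""
    for inside, outside, length in ranges:
        if outside <= host_id < outside + length:
            return inside + host_id - outside
    return None

def seen_inside(host_id, ranges):
    """Id that stat reports inside the namespace; unmapped ids show as overflow."""
    mapped = map_id(host_id, ranges)
    return OVERFLOW_ID if mapped is None else mapped

def scan(rootfs):
    """Yield (relative path, host uid, host gid) for each entry under rootfs."""
    for dirpath, dirs, files in os.walk(rootfs):
        for name in dirs + files:
            st = os.lstat(os.path.join(dirpath, name))
            yield os.path.relpath(os.path.join(dirpath, name), rootfs), st.st_uid, st.st_gid

def unmapped(entries, ranges):
    """Return entries whose owner or group has no mapping in the namespace."""
    return [e for e in entries
            if map_id(e[1], ranges) is None or map_id(e[2], ranges) is None]

if __name__ == "__main__":
    ranges = parse_id_map(ASSUMED_MAP)
    entries = scan(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED
    for path, uid, gid in unmapped(entries, ranges):
        print(f"{path}: host owner {uid}/{gid} is unmapped; seen inside as "
              f"{seen_inside(uid, ranges)}/{seen_inside(gid, ranges)}")
```

Checking map_id for None rather than comparing against 65534 keeps files that are legitimately owned by the container's own nobody user out of the findings.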
