Fix COPY --from=stage when running with user-namespaces by thaJeztah · Pull Request #1448 · moby/buildkit

thaJeztah · 2020-04-17T11:33:45Z

Issue was reported in moby/moby#34645 (comment), and relates to moby/moby#38599, which addressed this issue for the classic builder.

When copying files between stages, file ownership should be preserved;

FROM busybox:latest as build
RUN touch x && chown 1:1 x

FROM busybox:latest
RUN touch y && chown 1:1 y
COPY --from=build x ./

However, when running with user namespaces enabled:

# grep dockremap /etc/sub*id
/etc/subgid:dockremap:500000:65536
/etc/subuid:dockremap:500000:65536

A build would fail, because BuildKit is trying to map the container's UID/GID to the host:

ERROR: failed to copy file info: failed to chown /var/lib/docker/500000.500000/overlay2/mu5zpgelkig84eo9rlbqdhnn9/merged/x: Container ID 500001 cannot be mapped to a host ID

When looking at the code, I found that (fb *Backend) Copy() takes a action
argument (pb.FileActionCopy), one of its options is wether or not the owner
should be overridden:

buildkit/solver/pb/ops.pb.go

Lines 1457 to 1458 in 226a5db

    
           // optional owner override 
        
           Owner *ChownOpt `protobuf:"bytes,3,opt,name=owner,proto3" json:"owner,omitempty"`

That argument is passed on to docopy() (which is called from (fb *Backend) Copy()), however inside docopy(), user-mapping is performed, irregardless if Owner was set or not:

buildkit/solver/llbsolver/file/backend.go

Lines 182 to 189 in 226a5db

    
           ch, err := mapUserToChowner(u, idmap) 
        
           if err != nil { 
        
           	return err 
        
           } 
        
           opt := []copy.Opt{ 
        
           	func(ci *copy.CopyInfo) { 
        
           		ci.Chown = ch

This patch makes that step optional, and only performs mapUserToChowner if action.Owner is specified, hopefully addressing the issue.

Issue was reported in moby/moby issue 34645, and relates to moby/moby PR 38599, which addressed this issue for the classic builder. When copying files between stages, file ownership should be preserved; FROM busybox:latest as build RUN touch x && chown 1:1 x FROM busybox:latest RUN touch y && chown 1:1 y COPY --from=build x ./ However, when running with user namespaces enabled: # grep dockremap /etc/sub*id /etc/subgid:dockremap:500000:65536 /etc/subuid:dockremap:500000:65536 A build would fail, because BuildKit is trying to map the container's UID/GID to the host: ERROR: failed to copy file info: failed to chown /var/lib/docker/500000.500000/overlay2/mu5zpgelkig84eo9rlbqdhnn9/merged/x: Container ID 500001 cannot be mapped to a host ID When looking at the code, I found that `(fb *Backend) Copy()` takes a `action` argument (`pb.FileActionCopy`), one of its options is wether or not the owner should be overridden: // optional owner override Owner *ChownOpt `protobuf:"bytes,3,opt,name=owner,proto3" json:"owner,omitempty"`) That argument is passed on to `docopy()` (which is called from `(fb *Backend) Copy()`), however inside `docopy()`, user-mapping is performed, irregardless if `Owner` was set or not: ch, err := mapUserToChowner(u, idmap) if err != nil { return err } opt := []copy.Opt{ func(ci *copy.CopyInfo) { ci.Chown = ch This patch makes that step optional, and only performs `mapUserToChowner` if `action.Owner` is specified. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah · 2020-04-17T11:34:52Z

@tonistiigi @AkihiroSuda PTAL: no idea if this is the right fix (and if we have testing in place for user-namespaces); it's just from browsing the code and suspecting this might be the cause of the problem.

tonistiigi · 2020-04-25T01:09:16Z

solver/llbsolver/file/backend.go

-	if err != nil {
-		return err
+	var ch copy.Chowner
+	if action.Owner != nil {


this check here definitely isn't correct. First, action (including owner) is already parsed before calling this function and the result *copy.User passed to this function directly (with a nil check in map). Secondly, this object being nil doesn't carry any meaning as it is just a combination of two possibly nil pointers.

This issue looks to be regression from #1342

tonistiigi · 2020-05-08T18:34:51Z

replaced by #1477

thaJeztah mentioned this pull request Apr 17, 2020

[legacy builder] Copying non-root owned files between stages fails with userns moby/moby#34645

Open

tonistiigi reviewed Apr 25, 2020

View reviewed changes

tonistiigi mentioned this pull request May 8, 2020

file: fix double-remap of old uid value #1477

Merged

tonistiigi closed this May 8, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix COPY --from=stage when running with user-namespaces#1448

Fix COPY --from=stage when running with user-namespaces#1448
thaJeztah wants to merge 1 commit intomoby:masterfrom
thaJeztah:fix_userns_stage_copy

thaJeztah commented Apr 17, 2020

Uh oh!

thaJeztah commented Apr 17, 2020

Uh oh!

tonistiigi Apr 25, 2020

Uh oh!

tonistiigi commented May 8, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

	// optional owner override
	Owner *ChownOpt `protobuf:"bytes,3,opt,name=owner,proto3" json:"owner,omitempty"`

	ch, err := mapUserToChowner(u, idmap)
	if err != nil {
	return err
	}

	opt := []copy.Opt{
	func(ci *copy.CopyInfo) {
	ci.Chown = ch

Conversation

thaJeztah commented Apr 17, 2020

Uh oh!

thaJeztah commented Apr 17, 2020

Uh oh!

tonistiigi Apr 25, 2020

Choose a reason for hiding this comment

Uh oh!

tonistiigi commented May 8, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants