While looking at #34099, I noticed that the cp command looks up the container's user from the host, not from inside the container;
Note that this example is done on docker 17.06.0, which has the -a option "flipped"
To reproduce;
Prepare; create a directory, and a file to copy to the container;
mkdir cp-bug && cd cp-bug
echo "foobar" > test-file.txt
Build an image, containing a user/group bar/bar with uid/gid 2020;
docker build -t cp-bug -<<EOF
FROM busybox
RUN addgroup -g 2020 bar && adduser -D -u 2020 -G bar bar
EOF
Create a container, using --user bar, and copy the file into the container;
docker create --name showit --user bar cp-bug ls -lan /
docker cp -a test-file.txt showit:/
An error is printed;
Error response from daemon: getent unable to find entry "bar" in passwd database
Now, create a "bar/bar" user/group on the host, with uid/gid 1010;
echo "bar:x:1010:1010:Foo Bar,,,:/home/bar:/bin/sh" >> /etc/passwd
echo "bar:x:1010:" >> /etc/group
Create another container, copy the file, and view the file permissions;
docker create --name showit2 --user bar cp-bug ls -lan /
docker cp -a test-file.txt showit2:/
docker start showit2 && docker logs showit2
# cleanup
docker stop showit2 && docker rm showit2
total 48
drwxr-xr-x 20 0 0 4096 Jul 17 16:56 .
drwxr-xr-x 20 0 0 4096 Jul 17 16:56 ..
-rwxr-xr-x 1 0 0 0 Jul 17 16:56 .dockerenv
drwxr-xr-x 2 0 0 12288 Jun 15 00:40 bin
drwxr-xr-x 5 0 0 340 Jul 17 16:56 dev
drwxr-xr-x 2 0 0 4096 Jul 17 16:56 etc
drwxr-xr-x 3 65534 65534 4096 Jul 17 16:46 home
dr-xr-xr-x 140 0 0 0 Jul 17 16:56 proc
drwxr-xr-x 2 0 0 4096 Jun 15 00:40 root
dr-xr-xr-x 13 0 0 0 Jul 17 16:56 sys
-rw-r--r-- 1 1010 1010 7 Jul 17 16:46 test-file.txt
drwxrwxrwt 2 0 0 4096 Jun 15 00:40 tmp
drwxr-xr-x 3 0 0 4096 Jun 15 00:40 usr
drwxr-xr-x 4 0 0 4096 Jun 15 00:40 var
No error is printed, and the uid / gid of the host is used inside the container (uid/gid 1010 instead of 2020)
ping @erikh @jlhawn PTAL
FWIW, there are other issues in this functionality that I was looking into (I'll probably open separate issues for those);
docker cp is only able to parse --user <username>, not <username>:<groupname>
docker cp does not work with --user <uid>:<gid> (numeric values), as it always attempts to lookup the user
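As an added illustration (this is example code written for this page, not code from moby/docker or from the issue author), the following Go program shows what a correct `--user` resolution for `docker cp -a` has to do: parse the `--user` spec and look names up in the passwd/group databases read from the container's filesystem, never from the daemon host. The sample database contents are constructed to match the scenario above (`bar` = 2020 in the image, `bar` = 1010 on the host), and the function also handles the `<username>:<groupname>` and numeric `<uid>:<gid>` forms that the last two bullets say `docker cp` currently rejects. Feeding the host's database to the same function reproduces the wrong 1010/1010 result, which is the bug in a nutshell. How the container's `/etc/passwd` and `/etc/group` bytes are obtained (reading them from the container's rootfs) is left to the caller; the fallback to gid 0 for an unknown numeric uid is an assumption chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample databases (not copied from any real system). In the
// image built above bar is uid/gid 2020; on the host bar was added as 1010.
const (
	containerPasswd = "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/home:/bin/false\nbar:x:2020:2020:Linux User,,,:/home/bar:/bin/sh\n"
	containerGroup  = "root:x:0:\nnogroup:x:65534:\nbar:x:2020:bar\n"
	hostPasswd      = "root:x:0:0:root:/root:/bin/bash\nbar:x:1010:1010:Foo Bar,,,:/home/bar:/bin/sh\n"
	hostGroup       = "root:x:0:\nbar:x:1010:\n"
)

// entry is one passwd(5) or group(5) row; gid is the primary gid for passwd
// rows and -1 for group rows.
type entry struct{ name string; id, gid int }

// parseDB parses passwd- or group-style content handed to it as a string, so
// the caller decides which filesystem the bytes came from (the container's
// rootfs, never the daemon's /etc). Blank, comment and malformed rows are skipped.
func parseDB(content string, passwd bool) []entry {
	var out []entry
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), ":")
		if len(f) < 4 || strings.HasPrefix(f[0], "#") {
			continue
		}
		id, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		e := entry{name: f[0], id: id, gid: -1}
		if passwd {
			if e.gid, err = strconv.Atoi(f[3]); err != nil {
				continue
			}
		}
		out = append(out, e)
	}
	return out
}

// find returns the first entry satisfying pred.
func find(es []entry, pred func(entry) bool) (entry, bool) {
	for _, e := range es {
		if pred(e) {
			return e, true
		}
	}
	return entry{}, false
}

// ResolveUser maps a --user spec to a uid/gid pair using ONLY the supplied
// databases. It accepts <user>, <user>:<group>, <uid>, <uid>:<gid> and mixes
// of the two; a numeric id is used as-is even when absent, a name must exist.
// An unknown numeric uid with no group part gets gid 0 (an assumption of this
// example, chosen to mirror what "docker run --user <uid>" does).
func ResolveUser(spec, passwdFile, groupFile string) (uid, gid int, err error) {
	users, groups := parseDB(passwdFile, true), parseDB(groupFile, false)
	userTok, groupTok, hasGroup := strings.Cut(spec, ":")
	if userTok == "" || (hasGroup && groupTok == "") {
		return 0, 0, fmt.Errorf("invalid user spec %q", spec)
	}
	if n, convErr := strconv.Atoi(userTok); convErr == nil {
		uid = n // numeric uid: trusted as given
		if e, ok := find(users, func(x entry) bool { return x.id == n }); ok {
			gid = e.gid // but take the primary gid when the uid is known
		}
	} else {
		e, ok := find(users, func(x entry) bool { return x.name == userTok })
		if !ok {
			return 0, 0, fmt.Errorf("unable to find user %q in container passwd database", userTok)
		}
		uid, gid = e.id, e.gid
	}
	if hasGroup {
		if n, convErr := strconv.Atoi(groupTok); convErr == nil {
			gid = n
		} else {
			e, ok := find(groups, func(x entry) bool { return x.name == groupTok })
			if !ok {
				return 0, 0, fmt.Errorf("unable to find group %q in container group database", groupTok)
			}
			gid = e.id
		}
	}
	return uid, gid, nil
}
```

Resolving `"bar"` against the container databases yields 2020/2020, against the host databases 1010/1010; the error for an unknown name mirrors the `getent unable to find entry` message above, but is raised against the container's database rather than the host's.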