This relates to:
- COPY --from=foo bar.tgz ... #37112
Problem statement
The COPY (and ADD) Dockerfile instructions by default reset the ownership of files added to 0:0.
While this makes sense when copying files from a build-context (users/groups on the host in most situations won't match user/group in the container), in multi-stage builds this situation may be different.
In a multi-stage build, intermediate stages are meant to prepare content/artifacts for the final stage(s) they are copied to. This preparation can include: setting the correct ownership (and permissions) of files.
Because of the current behavior of COPY, those permissions are reset, and workarounds, such as tar-ing the files before COPY-ing, then extracting the tar in the final stage (which preserves permissions and ownership as set on the files before tar-ing) are not ideal.
Proposal
I propose to preserve permissions and ownership of files/directories when COPY-ing between stages in a multi-stage build.
Example
Building this Dockerfile on a current version of Docker:
```dockerfile
FROM busybox AS one
RUN mkdir -p /foo/1-subdir \
    && touch \
        /foo/4-five-six \
        /foo/7-eight-nine \
    && chown -R 123:123 /foo/1-subdir \
    && chown 456:456 /foo/4-five-six \
    && chown 789:789 /foo/7-eight-nine \
    && chmod -R 0600 /foo/1-subdir \
    && chmod 0060 /foo/4-five-six \
    && chmod 0006 /foo/7-eight-nine
RUN echo "In stage one" \
    && ls -l /foo/

FROM busybox AS final
COPY --from=one /foo /bar
RUN echo "In final stage" \
    && ls -l /bar/
```
Produces:
```
In stage one
total 4
drw------- 2 123 123 4096 May 22 12:24 1-subdir
----rw---- 1 456 456 0 May 22 12:24 4-five-six
-------rw- 1 789 789 0 May 22 12:24 7-eight-nine
In final stage
total 4
drw------- 2 root root 4096 May 22 12:24 1-subdir
----rw---- 1 root root 0 May 22 12:24 4-five-six
-------rw- 1 root root 0 May 22 12:24 7-eight-nine
```
With the proposed changes, the final stage would look like:
```
In final stage
total 4
drw------- 2 123 123 4096 May 22 12:24 1-subdir
----rw---- 1 456 456 0 May 22 12:24 4-five-six
-------rw- 1 789 789 0 May 22 12:24 7-eight-nine
```
Question / to be discussed
COPY --from accepts both the name/number of a build-stage, as well as an image-reference:
- Should we preserve ownership/permissions when copying from an image as well? (COPY --from myimage:latest)
- Should we add new options to make the --from less ambiguous, and only preserve ownership/permissions when copying from other stages (i.e., add --from-stage and --from-image options)?
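The tar workaround mentioned in the problem statement, written out as an added example that is not part of the original issue. The archive path /foo.tar is an assumption; the stages reuse the issue's busybox image and /foo tree.

```dockerfile
# Added example: the tar-based workaround from the problem statement.
# /foo.tar is an assumed path; the rest mirrors the issue's Dockerfile.
FROM busybox AS one
RUN mkdir -p /foo/1-subdir \
    && touch \
        /foo/4-five-six \
        /foo/7-eight-nine \
    && chown -R 123:123 /foo/1-subdir \
    && chown 456:456 /foo/4-five-six \
    && chown 789:789 /foo/7-eight-nine \
    && chmod -R 0600 /foo/1-subdir \
    && chmod 0060 /foo/4-five-six \
    && chmod 0006 /foo/7-eight-nine
# Record uid/gid/mode of every entry in the tar headers. COPY will reset
# ownership of the archive file itself, but not the metadata stored inside it.
RUN tar -cf /foo.tar -C /foo .

FROM busybox AS final
# The archive arrives owned by 0:0, which does not matter for extraction.
COPY --from=one /foo.tar /foo.tar
# RUN executes as root here, so tar restores the recorded owners and modes.
RUN mkdir /bar \
    && tar -xf /foo.tar -C /bar \
    && rm /foo.tar \
    && echo "In final stage" \
    && ls -l /bar/
```

The `rm` happens in a later layer than the `COPY`, so the archive still occupies space in the image and stays readable in the `COPY` layer, which is one reason this workaround is not ideal.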