Docker build cache does not ignore uid/gid on ADD or COPY

[jtprobst]

The uid/gid of a file (on the build host's filesystem) seem to have an effect on the hash of a file when it is added through ADD or COPY. This seems superfluous since the ownership of the added file is reset to uid=gid=0 in the Docker image.

This behaviour may lead to the Docker build cache being busted in continuous integration environments, if uid/gid are different across different build nodes.

For a minimum working example, please consider the following example where an image is built twice, the second time with different ownership of a COPY'd file.

Please note

• The hashes of the added file are different as per docker history
• The ownership is reset to uid=gid=0 inside the image, as stated in the documentation for ADD ("All new files and directories are created with a UID and GID of 0.")

$ ls -lah
total 8,0K
drwxrwxr-x 1 jprobst jprobst   36 Apr 25 18:08 .
drwxrwxrwx 1 jprobst jprobst 6,4K Apr 25 17:15 ..
-rw-rw-r-- 1 jprobst jprobst   44 Apr 25 18:08 Dockerfile
-rwxrwxrwx 1 jprobst jprobst    5 Apr 25 17:15 test.txt

$ cat Dockerfile 
FROM ubuntu:16.04

COPY test.txt /test.txt

$ docker build -t demo .
Sending build context to Docker daemon  3.072kB
Step 1/2 : FROM ubuntu:16.04
 ---> 104bec311bcd
Step 2/2 : COPY test.txt /test.txt
 ---> ea497fe942a0
Removing intermediate container 16753a7ab82b
Successfully built ea497fe942a0

$ docker history demo
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
ea497fe942a0        17 seconds ago      /bin/sh -c #(nop) COPY file:db60da90f31b3b...   5B                  
104bec311bcd        4 months ago        /bin/sh -c #(nop)  CMD ["/bin/bash"]            0B                  
<missing>           4 months ago        /bin/sh -c mkdir -p /run/systemd && echo '...   7B                  
<missing>           4 months ago        /bin/sh -c sed -i 's/^#\s*\(deb.*universe\...   1.9kB               
<missing>           4 months ago        /bin/sh -c rm -rf /var/lib/apt/lists/*          0B                  
<missing>           4 months ago        /bin/sh -c set -xe   && echo '#!/bin/sh' >...   745B                
<missing>           4 months ago        /bin/sh -c #(nop) ADD file:7529d28035b43a2...   129MB               

$ sudo chown 1001:1001 test.txt

$ ls -lah
total 8,0K
drwxrwxr-x 1 jprobst jprobst   36 Apr 25 18:08 .
drwxrwxrwx 1 jprobst jprobst 6,4K Apr 25 17:15 ..
-rw-rw-r-- 1 jprobst jprobst   44 Apr 25 18:08 Dockerfile
-rwxrwxrwx 1    1001    1001    5 Apr 25 17:15 test.txt

$ docker build -t demo .
Sending build context to Docker daemon  3.072kB
Step 1/2 : FROM ubuntu:16.04
 ---> 104bec311bcd
Step 2/2 : COPY test.txt /test.txt
 ---> 43cb126c18bb
Removing intermediate container 4e729efe09bb
Successfully built 43cb126c18bb

$ docker history demo
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
43cb126c18bb        14 seconds ago      /bin/sh -c #(nop) COPY file:f9b82392428347...   5B                  
104bec311bcd        4 months ago        /bin/sh -c #(nop)  CMD ["/bin/bash"]            0B                  
<missing>           4 months ago        /bin/sh -c mkdir -p /run/systemd && echo '...   7B                  
<missing>           4 months ago        /bin/sh -c sed -i 's/^#\s*\(deb.*universe\...   1.9kB               
<missing>           4 months ago        /bin/sh -c rm -rf /var/lib/apt/lists/*          0B                  
<missing>           4 months ago        /bin/sh -c set -xe   && echo '#!/bin/sh' >...   745B                
<missing>           4 months ago        /bin/sh -c #(nop) ADD file:7529d28035b43a2...   129MB               

$ docker run -t demo ls -lah /test.txt
-rwxrwxrwx 1 root root 5 Apr 25 15:15 /test.txt

[tonistiigi]

I agree the current behavior doesn't make much sense but there have been plenty of discussions about relaxing the restrictions of COPY/ADD and we couldn't support that then because we need to compute the cache key before the COPY commands for optimization.

In this case I would maybe consider instead setting the uid/gid already to 0 on the client side. We are switching from one list of users to another so these uid-s on the client side don't make much sense in the container anyway(they can make sense for API usage). wdyt @dnephin @duglin

[duglin]

If we change the uid to zero on the client will that result in a change of behavior with the new ability to access the context via a mount during the build? The uids on those files will now be different, right?

[tonistiigi]

@duglin We don't have this ability yet. Actually, it may make even more sense then as otherwise if you mount user context you will have files with weird uids there, that always need to be chowned by the user.

[duglin]

yea, wasn't implying it made sense, I just didn't want to change existing behavior w/o considering the impact.

[dnephin]

I think we already set all files to 755 on the windows client, so setting uid/gid sounds like a similar idea. I'm fine with it. I agree that breaking the cache when the user running the build has a different id doesn't make much sense.

[thaJeztah]

Wasn't there discussion about preserving the uid/gid when ADD / COPY files? If we reset now, that would block having that as an option in future.

[tonistiigi]

@thaJeztah Do you have a link? The API would still support that.

[thaJeztah]

@tonistiigi hm, must to a search for that discussion (there may have been a couple)

[jtprobst]

@thaJeztah Are you referring to these discussions: moby/buildkit#4242 and #28499?

[jackric]

Bumping this because I want #28499

[shouze]

Guys, today docker builds is cool and work as expected ** on the same machine ** since we have:

• Efficient build contexts with .dokerignore (almost since the begining, can not figure out with PR)
• mtime ignored during COPY Make build cache ignore mtime #12031
• multi stage builds build: add multi-stage build support #31257
• --cache-from to avoid cache busting Implement build cache based on history array #26839

But ... it's almost a pity when you build and push pictures on some ci machine / cluster and then pull them locally and get disappointed when at the first rebuild cache gets invalidated even if changes you've made should not trigger so much invalidations.

So yes discussions are running after few months and 2 options seems to compete:

• RUN --mount builder: Proposal: Add support for RUN --mount #32507
• COPY --chown USER and Layers Discussion #30110

I guess to 2 could be implemented at some point, the more pragmatic one is definitely COPY --chown

it would of course transform this:

COPY app ./app
USER root
RUN chown -R node:node ./app
USER node

into this:

COPY --chown node:node app ./app

But the best thing would be to get it fix this #32816 too, so much time avoided to build again & again, would be a very big win.