Allow COPY command's --chown to be dynamically populated via ENV or ARG

[mavericksid]

How to use COPY --chown without losing portability (recently merged from this issue)? I'll try to explain with an example wherein I find --chown causing portability issues.

Let's say I got a base image (mybase) which I use for running other containers as non-root user (let's say with UID 1000) using gosu in ENTRYPOINT.
exec /usr/local/bin/gosu ${USER_NAME} "$@"

I use this base image (mybase) for building other container (let's say mycontainer) Dockerfile where I COPY some files from host to container using --chown

FROM mybase
RUN mkdir -p /tmp/build
COPY --chown=1000 . /tmp/build

Now I want the files generated via my build tool (from mycontainer) to be shared on a Docker Volume mapped with my host. Generated files would be available at specified host location but the owner of those files would be user with UID 1000. Doesn't this mean I'll need to have a user with UID 1000 on host machine for generated files to be accessible? Isn't there a way to provide value for --chown dynamically? I tired using ENV and ARG but they are not accessible in --chown.

ARG owner
COPY --chown=$owner . /tmp/build

it gives me an error

unable to convert uid/gid chown string to host mapping: can't find uid for user $owner: no such user: $owner

Steps to reproduce the issue:

1. Add this to Dockerfile

FROM openjdk:8

ARG owner
ADD --chown=$owner . /tmp/build/platform3

CMD echo 'test'

2. Build image
   sudo docker build -t test -f Dockerfile .

Describe the results you received:
Result of running docker build

unable to convert uid/gid chown string to host mapping: can't find uid for user $owner: no such user: $owner

Describe the results you expected:
Expected result should be to get owner information from build arguments

Output of docker version:

Client:
 Version:      17.09.0-ce
 API version:  1.32
 Go version:   go1.8.3
 Git commit:   afdb6d4
 Built:        Tue Sep 26 22:42:38 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.09.0-ce
 API version:  1.32 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   afdb6d4
 Built:        Tue Sep 26 22:41:20 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 15
Server Version: 17.09.0-ce
Storage Driver: aufs
 Root Dir: /docker/pd0/aufs
 Backing Filesystem: extfs
 Dirs: 18
 Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 apparmor
Kernel Version: 3.13.0-129-generic
Operating System: Ubuntu 14.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 14.69GiB
Name: ip-172-31-35-149
ID: KR63:RIDQ:SQNY:3ESC:5OA6:4DFT:QXSB:YE6M:727G:H7O2:REIS:RSFA
Docker Root Dir: /docker/pd0
Debug Mode (client): false
Debug Mode (server): false
Username: mavericksid
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

[thaJeztah]

Now I want the files generated via my build tool (from mycontainer) to be shared on a Docker Volume mapped with my host. Generated files would be available at specified host location but the owner of those files would be user with UID 1000. Doesn't this mean I'll need to have a user with UID 1000 on host machine for generated files to be accessible?

If I understand your use-case correctly;

• the Docker container produces some artefacts; those are created by the container's process, thus are owned by the process running inside the container (e.g. 1000:50).
• your Dockerfile copies files from the host back to the image, but then has to match the user/group of the container's process?

I think the correct approach would be;

• Files inside the container (and image) have the ownership/permissions that are required inside the container. If you copy files into the container image, that user is known, so you can change the permissions to match that user
• If the container's process produces artefacts that should be accessible by other users, the permissions should be changed by that process (assuming the artefacts are created at runtime, not during docker build, this could be done by an entrypoint script that does a chmod to set the correct permissions).

Isn't there a way to provide value for --chown dynamically? I tired using ENV and ARG but they are not accessible in --chown.

I'm not sure this is the correct approach for your use-case (see my bullets above), but you can create a user that uses the desired uid/gid and --chown to that user/group:

FROM openjdk:8
ARG uid=1001
ARG gid=51

RUN addgroup --gid $gid mygroup \
 && adduser --disabled-password --gecos "" --no-create-home --uid $uid --gid $gid myuser
COPY --chown=myuser:mygroup . /tmp/build/platform3

Also see #34482, and #34819 which may be relevant

[lmakarov]

I have the same issue - COPY --chown does not understand variables set via ENV or ARG earlier in the Dockerfile:

...
ARG AGENT_USER=agent
ARG AGENT_HOME=/home/agent
...
COPY --chown=$AGENT_USER:$AGENT_USER config/.ssh/config $AGENT_HOME/.ssh/config
...

This results in:

...
Step 15/16 : COPY --chown=$AGENT_USER:$AGENT_USER config/.ssh/config ${AGENT_HOME}/.ssh/config
unable to convert uid/gid chown string to host mapping: can't find uid for user $AGENT_USER: no such user: $AGENT_USER

If I hardcode the values, then everything works:

...
ARG AGENT_USER=agent
ARG AGENT_HOME=/home/agent
...
COPY --chown=agent:agent config/.ssh/config $AGENT_HOME/.ssh/config
...