docker cp -a broken in 24.0 #45719

@ndeloof

Description

docker copy with archive mode enabled is broken in 24.0

Reproduce

$ docker run --name test --user 1000 alpine
$ docker cp -a foo.txt test:/
Error response from daemon: Could not find the file / in container test

Expected behavior

copy is successful

docker version

Client:
 Version:      unknown-version
 API version:  1.30
 Go version:   go1.20.4
 Git commit:   unknown-commit
 Built:        unknown-buildtime
 OS/Arch:      linux/arm64

Server:
 Version:      dev
 API version:  1.43 (minimum version 1.12)
 Go version:   go1.20.4
 Git commit:   659604f9ee
 Built:        Fri Jun  9 08:45:12 2023
 OS/Arch:      linux/arm64
 Experimental: false

docker info

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 1
Server Version: dev
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Using metacopy: false
 Native Overlay Diff: true
 userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: crun io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 1677a17964311325ed1c31e2c0a3589ce6d5c30d
runc version: v1.1.7-0-g860f061
init version: de40ad0
Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: builtin
 cgroupns
Kernel Version: 5.15.49-linuxkit-pr
Operating System: Debian GNU/Linux 11 (bullseye) (containerized)
OSType: linux
Architecture: aarch64
CPUs: 5
Total Memory: 7.667GiB
Name: f0200a2aa625
ID: bf489987-0cf4-44df-b671-abd8b8b67076
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 25
 Goroutines: 41
 System Time: 2023-06-09T09:07:02.540923671Z
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional Info

I ran this issue in the Moby development container with a debugger attached.

When docker cp uses the copyGUID flag set to true, the engine needs to resolve the configured user ID in callGetent by running /usr/bin/getent passwd 1000.
I can run this exact same command in the Moby dev container:

root@f0200a2aa625:/go/src/github.com/docker/docker# /usr/bin/getent passwd 1000
unprivilegeduser:x:1000:999::/home/unprivilegeduser:/bin/sh

But from daemon code, running this command with os.exec.Run fails with an error:

fs.PathError {
Op = {string} "open"
Path = {string} "/dev/null"
Err = {error | syscall.Errno} github.com/docker/docker/vendor/github.com/cilium/ebpf/internal/unix.ENOENT (2)
}

This is caused by stdin being set to nil for this command, so /dev/null is used instead (https://github.com/golang/go/blob/master/src/os/exec/exec.go#L491) and os.Open(os.DevNull) triggers this weird error.
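
The os/exec behaviour the report points at, shown as an added example that is not part of the original issue or of Moby's code: on Linux a child started with a nil Stdin receives os.DevNull as fd 0, so the launch depends on /dev/null existing in the caller's filesystem view, while a non-file reader is fed through a pipe. The helper names childStdinTarget and devNullUsable are hypothetical, and the example assumes /proc is mounted and a readlink binary is on PATH.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// childStdinTarget (hypothetical helper) runs readlink as a child process and
// returns what the child's fd 0 points at. Assumes Linux with /proc mounted.
func childStdinTarget(stdin io.Reader) (string, error) {
	cmd := exec.Command("readlink", "/proc/self/fd/0")
	cmd.Stdin = stdin // nil: os/exec opens os.DevNull and hands it to the child
	var out bytes.Buffer
	cmd.Stdout = &out
	if err := cmd.Run(); err != nil {
		return "", err
	}
	return strings.TrimSpace(out.String()), nil
}

// devNullUsable (hypothetical helper) checks the precondition a nil Stdin relies
// on: os.DevNull must open and be a character device in this filesystem view.
func devNullUsable() error {
	f, err := os.Open(os.DevNull)
	if err != nil {
		return fmt.Errorf("exec with nil Stdin would fail: %w", err)
	}
	defer f.Close()
	fi, err := f.Stat()
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeCharDevice == 0 {
		return fmt.Errorf("%s is not a character device", os.DevNull)
	}
	return nil
}

func main() {
	fmt.Println("os.DevNull check:", devNullUsable())
	nilTarget, err := childStdinTarget(nil)
	fmt.Println("nil Stdin    ->", nilTarget, err)
	pipeTarget, err := childStdinTarget(strings.NewReader(""))
	fmt.Println("reader Stdin ->", pipeTarget, err)
}
```

Running devNullUsable before spawning helpers from a chroot or a minimal root filesystem turns the opaque PathError above into an explicit precondition failure.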

Labels: kind/bug, status/0-triage
