Add --chown flag to Dockerfile ADD and COPY

[duglin]

Carrying #27303 since Kara is off doing other exciting things.

• What Kara did
  Add a --chown flag to Dockerfile ADD and COPY instructions, proposed by Proposal: Implement --user flag for COPY and ADD #13600

• How Kara did it
  Added flag to add and disptachCopy of builder/dockerfile/dispatchers.go, and passed the relevant information through to the daemon which looks up the user/group using a new function on the container object.

• How to verify it
  Create a Dockerfile that uses the --chown flag on an ADD or COPY instruction, and check that the file is listed as having the appropriate owner

• Description for the changelog
  add --chown flag to Dockerfile ADD and COPY instructions

2nd commit is just a rebase.

Signed-off-by: Doug Davis dug@us.ibm.com

[lowenna]

See #28594 (comment).

[jrusiecki]

I understand this solves duplication layer when changing owner, but it does not solve layer duplication needed for chmod +x (which is in my case needed on 60% of COPY/ADD in most images) ?

[lauripiisang]

/cc @thaJeztah I've seen you create similar issues and provide feedback, maybe you can help cc in the right people to get this merged ?

[thaJeztah]

Let's move this to code review

[tianon]

If --chmod might come later, would it make sense to call this --chown instead of --user to make it more clear what it's doing?

[duglin]

did someone suggest a chmod option? I missed that

[tianon]

It's been discussed a few times for similar reasons to wanting to control the user, and there's a comment on this PR asking about it specifically. :smile: #28499 (comment)

[duglin]

doi - sorry I missed that. I was scanning too quickly.

[jrusiecki]

I need ADD extension to use instead of:
run wget ... | chmod +x ...
which is superior (layer-wise) to

ADD ...
run chmod +x ...

Thus without +x option ADD is useless anyway (if I already have run... I put there also non-executables so will not use COPY/ADD even for --user option).
COPY would benefit from +x too (although file copied from linux is probably already +x) as it would improve quality by clearly stating +x so to limit errors.

[ghost]

+1

[duglin]

@tianon which would be better:
--user && --mode
or
--chown && --chmod
?

The 2nd feels a little like we're trying to expose our implementation detail (changing things after the fact vs setting the properties on the files during creation) - when the end user should just care about the properties having the right values regardless of how they are set.

[tianon]

Hmm, good point, but --user is already in use for changing the runtime user, so potentially confusing double usage. For what it's worth, rsync uses --chown and --chmod:

     --chown=USER:GROUP      simple username/groupname mapping
     --chmod=CHMOD           affect file and/or directory permissions

In my mind, the argument for --chown and --chmod is that normally, ADD/COPY try as hard as possible to preserve the source ownership/permissions, so the "change" implied by --chmod and --chown as the name is referring to the change which has to happen during the copy (ie, "copy XYZ, but change the owner to ABC").

[glensc]

i'm also proposing DEFATTR so that if you use multiple COPY or ADD you don't have to repeat the options:

DEFATTR chown=USER
DEFATTR chown=USER:GROUP
DEFATTR chown=UID
DEFATTR chown=UID:GID

chmod is a bit tricky because you definetely want different permissions for files and dirs:

DEFATTR chmod=a+rX
DEFATTR chmod=a+X

these would rise the x bit only if x bit is present for any of the users: chmod(1):

execute/search only if the file is a directory or already has execute permission for some user (X)

or more clearer directives for different kinds:

DEFATTR dir_chmod=0755 file_chmod=0644

[thaJeztah]

@glensc could you open a separate issue for that proposal? Also, would be worth describing how it should interact with different commands that take options (just for illustration, if LABEL would take --chown as an option).

[duglin]

@tianon ok - will go with --chown.

I'd prefer to leave --chmod for another PR because I think more thinking needs to go into that.

I have a high-order question for people.... if we were developing docker build from scratch would we have a --chown flag at all on ADD/COPY or would we have USER impact subsequent RUN, ADD and COPY commands? I'm asking because @glensc's latest comment got me wondering if normally people would have expected USER to have a broader impact than it does today. I'm not suggesting we break backwards compatibility, but I am wondering if instead of a flag on ADD/COPY we should consider a flag on USER instead - something like: USER --chown john:mygroup. This would mean use john:mygroup for all subsequent RUN commands (as well as the CMD) like it does today, but also use john:mygroup on all subsequent ADD/COPY commands too - which is probably what most newbies would have expected anyway.

To be clear, the --chown flag doesn't take any args, the john:mygroup is the normal USER arg. Perhaps --chown isn't the best word since it might be mentally parsed incorrectly, so perhaps --copy instead - dunno, I'm open to other words.

thoughts?

[jrusiecki]

I've copied my comments to moby/buildkit#4242.

[jazoom]

This still isn't in the docs. Is it used like this?

COPY from.txt /to.txt --chown someuser

[cpuguy83]

@jazoom This is not merged.

[dmytroleonenko]

Looking for the solution for ages. Subscribed

[dnephin]

These two branches are nearly identical. Could you move most of this line out of the branch, and leave only the inner most fmt.Sprintf() in the branch?

[dnephin]

This looks awfully similar to the branch above (that I commented on).

How about a function for this? The #(nop) prefix could be an arg.

[dnephin]

I believe this call always returns an err on windows, which means this new flag would not work for the windows builder.

Are we ok with that?

[dnephin]

Needs a rebase as well

[dnephin]

@duglin Thanks for working on this!

It seems this PR hasn't seen any activity in 4 weeks. I'm going to close the PR since there is no activity. If/when you have time to rebase, and respond to the comments please feel free to re-open it (or ping me and I can).

[duglin]

@dnephin this hasn't been touched in a while because people asked for the discussion to be moved over to: #30110

I can rebase now if we want but we really need #30110 to be done/discussed first.

[dnephin]

Ok, let's reopen once the discussion in #30110 has produced some results

[italomaia]

I'm unsure how #32816 is blocking this issue. To some extent, they seem unrelated as the problem of 32816 is related to the source, right? This PR seems so helpful it hurts to see it goes by closed for another week.

[thaJeztah]

reopening (again) following #30110 (comment), but probably needs a bit of rewriting

[thaJeztah]

(make that a lot of rewriting LOL)

[estesp]

I can carry this if that's helpful to @duglin?

[duglin]

go for it! thanks @estesp

[estesp]

Carried in #34263