USER command should not require user or group IDs to exist #1778

Closed
chickeaterbanana opened this issue Oct 19, 2021 · 2 comments
Labels
area/permissions area/uid categorized differs-from-docker kind/bug Something isn't working kind/friction ok-to-close? possible-dupe priority/p1 Basic need feature compatibility with docker build. we should be working on this next. works-with-docker

Comments


chickeaterbanana commented Oct 19, 2021

Actual behavior
see also #477

Expected behavior
Docker image should be built.

To Reproduce

  1. create an empty folder
  2. create a file test1 with the following content:

     FROM alpine
     USER 1001
     RUN echo 1

  3. run docker run --pull always --rm -it -v $PWD:/workspace gcr.io/kaniko-project/executor:latest --dockerfile=test1 --no-push --context=dir:///workspace
  4. run docker run --pull always --rm -it -v $PWD:/workspace gcr.io/kaniko-project/executor:debug --dockerfile=test1 --no-push --context=dir:///workspace

Results:

docker run --pull always --rm -it -v $PWD:/workspace gcr.io/kaniko-project/executor:debug --dockerfile=test1 --no-push --context=dir:///workspace                                              
Trying to pull gcr.io/kaniko-project/executor:debug...                                                                                                                                                             
Getting image source signatures                                                                                                                                                                                    
Copying blob fe2d5f51c3f2 skipped: already exists                                                                                                                                                                  
Copying blob d044254b2a54 skipped: already exists                                                                                                                                                                  
Copying blob ee2c784f1c11 skipped: already exists                                                                                                                                                                  
Copying blob 13e1a61a0623 skipped: already exists                                                                                                                                                                  
Copying blob 6566d8138b04 skipped: already exists                                                                                                                                                                  
Copying blob 981fc7edb8fd skipped: already exists                                                                                                                                                                  
Copying blob 3d8068545002 skipped: already exists                                                                                                                                                                  
Copying blob 8f137c16aecd skipped: already exists                                                                                                                                                                  
Copying blob 1e1b51c21c3c skipped: already exists                                                                                                                                                                  
Copying blob ddd1314b2f82 [--------------------------------------] 0.0b / 0.0b                                                                                                                                     
Copying config 7053f62a27 done                                                                                                                                                                                     
Writing manifest to image destination                                                                                                                                                                              
Storing signatures                                                                                                                                                                                                 
INFO[0000] Retrieving image manifest alpine                                                                                                                                                                        
INFO[0000] Retrieving image alpine from registry index.docker.io                                                                                                                                                   
INFO[0001] Built cross stage deps: map[]                                                                                                                                                                           
INFO[0001] Retrieving image manifest alpine                                                                                                                                                                        
INFO[0001] Returning cached image manifest                                                                                                                                                                         
INFO[0001] Executing 0 build triggers                                                                                                                                                                              
INFO[0001] Unpacking rootfs as cmd RUN echo 1 requires it.                                                                                                                                                         
INFO[0002] USER 1001                                                                                                                                                                                               
INFO[0002] cmd: USER                                                                                                                                                                                               
INFO[0002] RUN echo 1                                                                                                                                                                                              
INFO[0002] Taking snapshot of full filesystem...                                                                                                                                                                   
INFO[0003] cmd: /bin/sh                                                                                                                                                                                            
INFO[0003] args: [-c echo 1]                                                                                                                                                                                       
error building image: error building stage: failed to execute command: credentials: get uid/gid: user: unknown user 1001

Additional Information

  • Dockerfile

    FROM alpine
    USER 1001
    RUN echo 1

  • Build Context

    ls
    test1

  • Kaniko Image (fully qualified with digest)
    gcr.io/kaniko-project/executor latest 1c812ffa8ec1 5 months ago 78 MB
    gcr.io/kaniko-project/executor debug 7053f62a27a8 5 months ago 117 MB

Triage Notes for the Maintainers

podman build -f test1
STEP 1/3: FROM alpine
STEP 2/3: USER 1001
--> ea606981a11
STEP 3/3: RUN echo 1
1
COMMIT
--> 4e089a5b588
4e089a5b5880156b1bb07a18cb42ffd2b35a76d17335445a05187d112e2a8f40
Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
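
The resolution rule the issue title asks for, as an added Go example (not kaniko's code and not part of the original report): a numeric UID or GID with no passwd/group entry is used as-is, while a name that does not resolve is still an error. The function names, the sample file contents and the gid 0 fallback for an unknown numeric UID are assumptions, the last one modelled on the Dockerfile reference's note that a user without a primary group runs with the root group.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed alpine-like sample files; neither has an entry for ID 1001.
const samplePasswd = "root:x:0:0:root:/root:/bin/ash\nspring:x:100:101::/home/spring:/sbin/nologin"
const sampleGroup = "root:x:0:root\nspring:x:101:spring"

func num(s string) (uint32, error) {
	n, err := strconv.ParseUint(s, 10, 32)
	return uint32(n), err
}

// entry returns the fields of the first passwd/group-style line in db (at least
// need fields) whose name (field 0) or ID (field 2) equals key. With no match
// it returns a synthetic entry that treats key as a raw ID with primary group 0.
func entry(db, key string, need int) []string {
	for _, line := range strings.Split(db, "\n") {
		if f := strings.Split(line, ":"); len(f) >= need && (f[0] == key || f[2] == key) {
			return f
		}
	}
	return []string{key, "x", key, "0"}
}

// resolve maps a USER spec "user[:group]" to numeric IDs (assumed semantics:
// numeric IDs need no entry, names that do not resolve are errors).
func resolve(spec, passwd, group string) (uint32, uint32, error) {
	p := strings.SplitN(spec, ":", 2)
	u := entry(passwd, p[0], 4)
	uid, errU := num(u[2])
	gid, errG := num(u[3])
	if errU != nil || errG != nil { // a name without an entry is not a number
		return 0, 0, fmt.Errorf("cannot resolve user %q", p[0])
	}
	if len(p) == 2 { // an explicit group replaces the primary group
		if gid, errG = num(entry(group, p[1], 3)[2]); errG != nil {
			return 0, 0, fmt.Errorf("cannot resolve group %q", p[1])
		}
	}
	return uid, gid, nil
}

func main() {
	fmt.Println(resolve("1001", samplePasswd, sampleGroup)) // the issue's USER 1001
}
```
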
@acouvreur

I have the same issue, but in my case:

Description Yes/No
Please check if the build works in docker but not in kaniko Yes
Please check if this error is seen when you use --cache flag Yes
Please check if your dockerfile is a multistage dockerfile Yes

My Dockerfile is the following:

FROM adoptopenjdk/openjdk8:alpine-jre

RUN apk --no-cache add curl tzdata
ENV TZ Europe/Paris
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

EXPOSE 8080

COPY /docker-entrypoint.sh .
RUN chmod +x /docker-entrypoint.sh 

WORKDIR /app

RUN addgroup -S spring && adduser -S spring -G spring
RUN chown spring:spring -R /app /docker-entrypoint.sh
USER spring:spring
ARG JAR_FILE=target/*.jar
COPY --chown=spring:spring ${JAR_FILE} app.jar

HEALTHCHECK CMD curl -v --silent http://localhost:8080/api/actuator/health 2>&1 | grep UP

ENTRYPOINT ["/docker-entrypoint.sh", "java","-jar","/app/app.jar"]
CMD []

The command is:

/kaniko/executor -f Dockerfile '--cache=true' --reproducible --label 'org.opencontainers.image.revision=<redacted>' --label 'org.opencontainers.image.source=<redacted>' --label 'org.opencontainers.image.created=2021-10-22T14:22:34.579Z' '--destination=<redacted>' '--build-arg=revision=<redacted>' '--build-arg=source=<redacted>' '--build-arg=created=2021-10-22T14:22:34.579Z' '--build-arg=version=<redacted>' '--build-arg=TAG_NAME=<redacted>'

The logs are:

Using dockerignore file: /home/jenkins/agent/workspace/<redacted>/<redacted>/.dockerignore 
Retrieving image manifest adoptopenjdk/openjdk8:alpine-jre 
Retrieving image adoptopenjdk/openjdk8:alpine-jre from registry index.docker.io 
Retrieving image manifest adoptopenjdk/openjdk8:alpine-jre 
Returning cached image manifest              
Built cross stage deps: map[]                
Retrieving image manifest adoptopenjdk/openjdk8:alpine-jre 
Returning cached image manifest              
Retrieving image manifest adoptopenjdk/openjdk8:alpine-jre 
Returning cached image manifest              
Executing 0 build triggers                   
Checking for cached layer <redacted>:b73234095043d88124f351ad54376df74140fc2676c496193dec0b37f7a2e869... 
Using caching version of cmd: RUN apk --no-cache add curl tzdata 
Checking for cached layer <redacted>:a19f9b09febabc68d36439dfe6331b9e4d4f394463f77dca5ba96fa517bc5554... 
Using caching version of cmd: RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone 
cmd: EXPOSE                                  
Adding exposed port: 8080/tcp                
Checking for cached layer <redacted>:449f9aae58168a48b88ac5d41c2b58d2b770a62fc991e8df3bb8860816735d82... 
Using caching version of cmd: RUN chmod +x /docker-entrypoint.sh 
Checking for cached layer <redacted>:71e13f3f2780ac3b90acbfac2d736f2ed740886a180298c59a3dd480540bf694... 
Using caching version of cmd: RUN addgroup -S spring && adduser -S spring -G spring 
Checking for cached layer <redacted>:103957311e10254e1e53f6c64a041a44ccf9b52c50b1f55718a50358e8c394d2... 
Using caching version of cmd: RUN chown spring:spring -R /app /docker-entrypoint.sh 
cmd: USER                                    
Resolving srcs [target/*.jar]...             
Unpacking rootfs as cmd COPY /docker-entrypoint.sh . requires it. 
RUN apk --no-cache add curl tzdata           
Found cached layer, extracting to filesystem 
ENV TZ Europe/Paris                          
No files changed in this command, skipping snapshotting. 
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone 
Found cached layer, extracting to filesystem 
EXPOSE 8080                                  
cmd: EXPOSE                                  
Adding exposed port: 8080/tcp                
No files changed in this command, skipping snapshotting. 
COPY /docker-entrypoint.sh .                 
Taking snapshot of files...                  
RUN chmod +x /docker-entrypoint.sh           
Found cached layer, extracting to filesystem 
WORKDIR /app                                 
cmd: workdir                                 
Changed working directory to /app            
Creating directory /app                      
Taking snapshot of files...                  
RUN addgroup -S spring && adduser -S spring -G spring 
Found cached layer, extracting to filesystem 
RUN chown spring:spring -R /app /docker-entrypoint.sh 
Found cached layer, extracting to filesystem 
USER spring:spring                           
cmd: USER                                    
No files changed in this command, skipping snapshotting. 
ARG JAR_FILE=target/*.jar                    
No files changed in this command, skipping snapshotting. 
Resolving srcs [target/*.jar]...             
COPY --chown=spring:spring ${JAR_FILE} app.jar 
 error building stage: failed to execute command: getting user group from chown: user: unknown user spring

Sometimes, it fails when adding the group:

Running: [/bin/sh -c addgroup -S spring && adduser -S spring -G spring] 
addgroup: group 'spring' in use

And I can't figure out why. It always works using the docker CLI.

@aaron-prindle aaron-prindle added differs-from-docker works-with-docker priority/p1 Basic need feature compatibility with docker build. we should be working on this next. area/permissions area/uid kind/bug Something isn't working kind/friction labels Jun 15, 2023
@aaron-prindle
Collaborator

Closing as a dupe of #477
