/tmp permissions broken in some subset of multi-stage builds

[mothershipper]

Actual behavior
I have a multi-stage build using nodejs/yarn. When I install and run yarn in the second stage, the resulting /tmp folder under a docker run has the following permissions

node@2355092d5f0f:/usr/src/app$ ls -la /tmp/
total 12
drwxr-xr-x 1 root root 4096 Apr  3 22:58 .
drwxr-xr-x 1 root root 4096 Apr  3 22:58 ..
drwxr-xr-x 1 root root 4096 Apr  3 22:58 v8-compile-cache-0

Even stranger is that these permissions seem correct at every point in the build, here's the last step before CMD:

INFO[0034] RUN echo "tmp permissions - after user switch" && ls -la /tmp
INFO[0034] cmd: /bin/sh
INFO[0034] args: [-c echo "tmp permissions - after user switch" && ls -la /tmp]
tmp permissions - after user switch
total 12
drwxrwxrwt 3 root root 4096 Apr  4 00:08 .
drwxr-xr-x 1 root root 4096 Apr  4 00:08 ..
drwxr-xr-x 3 root root 4096 Apr  4 00:08 v8-compile-cache-0

Just the resulting image has the permission flags wrong for /tmp

Expected behavior

When I build the same image using Docker, the /tmp folder is left alone:

node@194d8cf3afd1:/usr/src/app$ ls -la /tmp/
total 20
drwxrwxrwt 1 root root 4096 Mar 31 03:27 .
drwxr-xr-x 1 root root 4096 Apr  3 22:59 ..
drwxr-xr-x 1 root root 4096 Mar 31 03:27 v8-compile-cache-0

To Reproduce

Full Repro:

https://github.com/mothership/kaniko-issue-repro

# builds, pushes the image to a registry of your choosing, and pulls it back down
make test-kaniko TEST_REPO=myregistry/myimage 
# does a docker run --entrypoint bash on the test image
make debug-kaniko 

You should be able to pull those images as well and inspect them locally.

Additional Information

• This only seems to affect multi-stage builds, when I collapse both stages into a single stage the issue goes away
• Yarn is already installed in the base image (node:12.16.1-slim), this repro installs the exact same version over it, but we noticed it when we tried to upgrade yarn
• Best we can tell, this isn't specific to yarn, but we've not been able to find any other way to reproduce.

Triage Notes for the Maintainers

Description	Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile

[mothershipper]

Just realized the linked repository was private, I've fixed that

[Jeiwan]

We're also having this bug but we're using a single-stage build. We're getting it in our production image in 100% of cases, thus it's not flaky. But it's hard to say what causes it exactly. We're using several dependency managers in the image (yarn being one of them) and the bug happens only when all of them are used.
I couldn't make a minimal Dockerfile that reproduces the bug because all steps from our production image seem to be needed for it to happen.

these permissions seem correct at every point in the build

We're also seeing this. The permissions are changed after image is built.

[gilbsgilbs]

I think this might be related to #1163 . You can try against #1166 to see if it fixes your issue.

[tejal29]

@mothershipper This is now fixed on master and latest kaniko release!

Please re-open if you this issue again.

[mothershipper]

Thanks @tejal29 and @gilbsgilbs, confirmed that 0.22.0 fixes the issue in our repro repository.

[Jeiwan]

It works for us too, thanks!