unpack permissions incorrect #218

Open
AdamSimpson opened this issue Jul 8, 2019 · 4 comments

AdamSimpson commented Jul 8, 2019

I have run across an issue in another project that uses image-tools, sylabs/singularity#3880, that looks to be caused by image-tools failing to unpack files with the correct permissions. The issue appears when building from a Dockerfile when a file is created in one layer and then in a subsequent layer the permissions are modified. In this case it looks like the unpacked image has the original file permissions and the updated permissions are ignored.

Dockerfile

FROM ubuntu
RUN mkdir -m 700 /foobar
RUN chmod 755 /foobar

Building the image and verifying the permissions

$ docker build -t permission:test .
$ docker run permission:test ls -ld /foobar
drwxr-xr-x 1 root root 4096 Jul  7 02:43 /foobar

Copy the image with skopeo

$ skopeo copy docker-daemon:permission:test oci:permission:test

Verify permissions are correct with umoci

$ sudo umoci unpack --image permission:test permission_umoci
$ sudo ls -ld permission_umoci/rootfs/foobar
drwxr-xr-x 2 root root 4096 Jul  6 19:43 permission_umoci/rootfs/foobar

Permissions are incorrect with image-tools

$ oci-image-tool unpack --ref name=test permission permission_oit
$ ls -ld permission_oit/foobar
drwx------ 2 asimpson asimpson 4096 Jul  6 19:43 permission_oit/foobar
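
A check for the symptom reported above, as an added example that is not part of the original issue and is not code from image-tools or umoci: it replays the layer tar headers in order, so the last entry for a path decides its mode, and reports unpacked paths whose permission bits differ. `make_layer`, `under`, `expected_modes`, `audit_rootfs` and `SAMPLE_LAYERS` are hypothetical names, the layers are constructed to mirror the Dockerfile, and the code goes beyond the reported case by also honouring OCI whiteout entries.

```python
import io
import os
import tarfile

def make_layer(dirs):
    """Constructed sample input: an in-memory layer tarball of (path, mode) directories."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, mode in dirs:
            info = tarfile.TarInfo(path)
            info.type, info.mode = tarfile.DIRTYPE, mode
            tar.addfile(info)
    return buf.getvalue()

def under(path, top):
    return not top or path == top or path.startswith(top + "/")

def expected_modes(layers):
    """Replay layer headers in order: the last entry for a path decides its mode."""
    modes = {}
    for blob in layers:
        seen = set()  # paths written by this layer; whiteouts only hide lower layers
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for m in tar:
                parent, base = os.path.split(os.path.normpath(m.name).lstrip("/"))
                path, gone = os.path.join(parent, base), []
                if base == ".wh..wh..opq":     # opaque whiteout: hide the directory's children
                    gone = [p for p in modes if p != parent and under(p, parent)]
                elif base.startswith(".wh."):  # whiteout: hide one path and its subtree
                    gone = [p for p in modes if under(p, os.path.join(parent, base[4:]))]
                elif m.issym() or m.islnk():
                    modes.pop(path, None)      # link modes are not compared
                else:
                    modes[path] = m.mode & 0o7777
                    seen.add(path)
                modes = {p: v for p, v in modes.items() if p in seen or p not in gone}
    return modes

def audit_rootfs(rootfs, layers):
    """Return (path, expected, actual) for entries whose on-disk mode differs."""
    findings = []
    for path, want in sorted(expected_modes(layers).items()):
        full = os.path.join(rootfs, path)
        have = os.lstat(full).st_mode & 0o7777 if os.path.lexists(full) else None
        if have != want:
            findings.append((path, want, have))
    return findings

# Constructed layers mirroring the report: mkdir -m 700 /foobar, then chmod 755 /foobar.
SAMPLE_LAYERS = [make_layer([("foobar", 0o700)]), make_layer([("foobar", 0o755)])]
```

Only permission bits are compared, not ownership; a rootfs showing the `drwx------` result from the report would be flagged as `foobar` expected `0o755`, found `0o700`.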

cyphar commented Jul 9, 2019

I would suggest using https://github.com/openSUSE/umoci instead -- image-tools has historically had many problems with unpacking things correctly and is the main reason I ended up writing umoci. It's used by quite a few other projects as well (within openSUSE we use it to build our container images, it's used by LXC as a method of getting OCI support, and there are tools built on top of umoci like Cisco's stacker).

cyphar commented Jul 9, 2019

Oh sorry, I didn't notice you already mentioned you tested against umoci. 😉 I could look into porting image-tools to umoci (the underlying libraries should be fairly reusable -- I know a few folks that are reusing it).

@AdamSimpson

Thanks @cyphar, it looks like the Singularity devs are looking into integrating umoci. From what I could see this should be relatively straightforward.

cyphar commented Jun 22, 2020

This project is no longer actively maintained. However, umoci is a much more full-featured tool for manipulating OCI images, and is now an OCI project as a reference implementation of the OCI image-spec. I would strongly suggest people move to using umoci.
