Jib: When adding file layers, parent directories' ownership is changed to root

Created on 23 Sep 2020 · 5 Comments · Source: GoogleContainerTools/jib

Jib Core Version 0.15.0

Building Linux Image

In my scenario, let's say my base image has a directory 'testdir' with owner 'user123':

$ ls -l
drwxr-xr-x 2 user123 user123 4096 May 29 14:20 testdir

I am building images and adding file layers like below. The file layer added is just an empty directory. Assume uid 1200 maps to user123 in my base image.

        .addFileEntriesLayer(
            FileEntriesLayer.builder()
                .addEntry(
                    path,
                    AbsoluteUnixPath.fromPath(Paths.get("/testdir/subdir")),
                    FilePermissions.DEFAULT_FOLDER_PERMISSIONS,
                    FileEntriesLayer.DEFAULT_MODIFICATION_TIME,
                    "1200:1200")
                .build())

The resulting image will have /testdir/subdir with owner 'user123', but the owner of /testdir will have been changed to 'root'. I do not expect the owner of the parent directory /testdir to change. Is this a bug or is this as designed?

I tried using JibContainerBuilder.setUser, but that only sets the user to run the container as. It doesn't seem to set the user when building the container and adding file layers. This is a problem especially if a file layer I am adding has multiple parent directories. All the parent directories' ownership gets changed to root. I can work around this by adding file layers for all parent directories with ownership set as user123. However, I can see a potential issue with this if I am unaware of the correct ownership/file permissions of the parent directories.

All 5 comments

Hi @infa-bchao,

It's a known issue (#1270). Currently we are intentionally overwriting parent directories after we've observed an issue that parent directories that do not exist in the base image result in inaccessible permissions (i.e., no read, write, or executable permissions). We decided to automatically set the permissions of those directories to 0755, and then the side effect became root owning the directories. We've not found a good solution to this issue.

> I tried using JibContainerBuilder.setUser, but that only sets the user to run container as. It doesn't seem to set user when building the container and adding file layers.

This is the expected behavior.

Hi @chanseokoh

Something else I noticed, and I am wondering if you have some sort of explanation for it. Based on my testing, it seems like the order in which I add file layers matters for setting ownership of parent directories.

Case where I add the parent directory file layer first: the behavior is as expected and ownership of parent directory /dir is 1200.

        .addFileEntriesLayer(
            FileEntriesLayer.builder()
                .addEntry(
                    emptyDir,
                    AbsoluteUnixPath.fromPath(Paths.get("/dir")),
                    FilePermissions.DEFAULT_FOLDER_PERMISSIONS,
                    FileEntriesLayer.DEFAULT_MODIFICATION_TIME,
                    "1200:1200")
                .addEntry(
                    emptyDir,
                    AbsoluteUnixPath.fromPath(Paths.get("/dir/subdir")),
                    FilePermissions.DEFAULT_FOLDER_PERMISSIONS,
                    FileEntriesLayer.DEFAULT_MODIFICATION_TIME,
                    "1200:1200")
                .build())

Case where I add the parent directory file layer after: the parent directory /dir ownership will be set to root.

        .addFileEntriesLayer(
            FileEntriesLayer.builder()
                .addEntry(
                    emptyDir,
                    AbsoluteUnixPath.fromPath(Paths.get("/dir/subdir")),
                    FilePermissions.DEFAULT_FOLDER_PERMISSIONS,
                    FileEntriesLayer.DEFAULT_MODIFICATION_TIME,
                    "1200:1200")
                .addEntry(
                    emptyDir,
                    AbsoluteUnixPath.fromPath(Paths.get("/dir")),
                    FilePermissions.DEFAULT_FOLDER_PERMISSIONS,
                    FileEntriesLayer.DEFAULT_MODIFICATION_TIME,
                    "1200:1200")
                .build())

That is also another side effect of Jib automatically creating tar entries for parent directories.

At some later stage, we establish a "reproducible layer" which lists the tar entries in sorted order without duplication. For example, if you add an entry /foo.txt twice but with different properties, the first /foo.txt will be the entry that goes into a tar.

For the second case above, because you added /dir/subdir first, Jib automatically creates a tar entry for /dir first. So, the next addEntry() to add /dir gets ignored, as /dir is already added to the "reproducible layer." OTOH, for the first case, you added /dir yourself first, so Jib doesn't automatically add /dir.

FTR: for the comment above, we actually have another open issue: #1650

@infa-bchao Closing this issue since it is a duplicate of #1270 and #1650.
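
A simplified model of the behaviour described in the replies above (parent directories created automatically, the first entry per path wins, entries listed in sorted order), added here as an illustration. It is not Jib's code; the class, record and method names are hypothetical, and it needs Java 16+ for records.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.SortedMap;
import java.util.TreeMap;

// Simplified model of the behaviour described in this thread; NOT Jib's source code.
public class ParentDirOwnershipModel {
    static final String AUTO = "root (auto-created)";

    // One addEntry() call: target path in the image plus the requested "uid:gid".
    record Entry(String path, String ownership) {}

    // Builds the sorted, de-duplicated entry list for one layer.
    static SortedMap<String, String> buildLayer(List<Entry> added) {
        SortedMap<String, String> tar = new TreeMap<>();
        for (Entry e : added) {
            // Parent directories get entries automatically, with no explicit owner.
            for (String parent : parentsOf(e.path())) {
                tar.putIfAbsent(parent, AUTO);
            }
            // The first entry for a path wins; a later addEntry() for it is ignored.
            tar.putIfAbsent(e.path(), e.ownership());
        }
        return tar;
    }

    // "/a/b/c" -> ["/a", "/a/b"]
    static List<String> parentsOf(String path) {
        List<String> parents = new ArrayList<>();
        for (int i = path.indexOf('/', 1); i != -1; i = path.indexOf('/', i + 1)) {
            parents.add(path.substring(0, i));
        }
        return parents;
    }

    // Build-time check: directories that would end up owned by root in this layer.
    static List<String> rootOwnedParents(SortedMap<String, String> layer) {
        return layer.entrySet().stream()
            .filter(en -> en.getValue().equals(AUTO))
            .map(en -> en.getKey())
            .toList();
    }

    public static void main(String[] args) {
        Entry dir = new Entry("/dir", "1200:1200");
        Entry subdir = new Entry("/dir/subdir", "1200:1200");
        System.out.println("parent first: " + rootOwnedParents(buildLayer(List.of(dir, subdir))));
        System.out.println("child first:  " + rootOwnedParents(buildLayer(List.of(subdir, dir))));
    }
}
```

A check like `rootOwnedParents` in a build script flags entry lists where a parent directory was not added explicitly before its children.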
