Fix#2122 #2125

Closed
wants to merge 4 commits into from
8 changes: 4 additions & 4 deletions deploy/Dockerfile
Expand Up @@ -32,7 +32,7 @@ RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/doc
RUN go install github.com/chrismellard/docker-credential-acr-env@09e2b5a8ac86c3ec347b2473e42b34367d8fa419

# Add .docker config dir
RUN mkdir -p /kaniko/.docker
RUN mkdir -m 777 -p /kaniko/.docker

COPY . .
RUN \
Expand All @@ -50,15 +50,15 @@ RUN \
cat /etc/ssl/certs/* > /ca-certificates.crt

FROM scratch
COPY --from=0 /src/out/executor /kaniko/executor
COPY --from=0 --chmod=777 /src/out/executor /kaniko/executor
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=0 /usr/local/bin/docker-credential-acr-env /kaniko/docker-credential-acr-env
COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
COPY --from=0 /kaniko/.docker /kaniko/.docker
COPY files/nsswitch.conf /etc/nsswitch.conf
ENV HOME /root
ENV USER root
ENV HOME /kaniko
#ENV USER root
ENV PATH /usr/local/bin:/kaniko
ENV SSL_CERT_DIR=/kaniko/ssl/certs
ENV DOCKER_CONFIG /kaniko/.docker/
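Review bot: `COPY --from=0 --chmod=777 /src/out/executor /kaniko/executor` leaves the executor binary world-writable in the final image, so any uid running in the container can overwrite the program that is executed later; read and execute for others is enough for a non-root caller, e.g. `COPY --from=0 --chmod=755 /src/out/executor /kaniko/executor`. The same concern applies to `RUN mkdir -m 777 -p /kaniko/.docker`: `DOCKER_CONFIG` points at that directory, so a world-writable mode lets any process in the container rewrite the registry credential configuration. If writes from an arbitrary uid are really required there, a comment above the line should say so and name the accepted risk. The commented-out `#ENV USER root` should be deleted rather than kept as dead text.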
37 changes: 27 additions & 10 deletions pkg/util/fs_util.go
Expand Up @@ -331,7 +331,7 @@ func ExtractFile(dest string, hdr *tar.Header, tr io.Reader) error {
return err
}

if err = setFilePermissions(path, mode, uid, gid); err != nil {
if err = setFilePermissions(path, mode, int64(uint32(uid)), int64(uint32(gid))); err != nil {
Collaborator


Suggested change
if err = setFilePermissions(path, mode, int64(uint32(uid)), int64(uint32(gid))); err != nil {
if err = setFilePermissions(path, mode, int64(uid), int64(gid)); err != nil {

return err
}

Expand Down Expand Up @@ -554,7 +554,7 @@ func CreateFile(path string, reader io.Reader, perm os.FileMode, uid uint32, gid
if _, err := io.Copy(dest, reader); err != nil {
return errors.Wrap(err, "copying file")
}
return setFilePermissions(path, perm, int(uid), int(gid))
return setFilePermissions(path, perm, int64(uid), int64(gid))
}

// AddVolumePath adds the given path to the volume ignorelist.
Expand Down Expand Up @@ -599,6 +599,11 @@ func DownloadFileToDest(rawurl, dest string, uid, gid int64) error {
// DetermineTargetFileOwnership returns the user provided uid/gid combination.
// If they are set to -1, the uid/gid from the original file is used.
func DetermineTargetFileOwnership(fi os.FileInfo, uid, gid int64) (int64, int64) {

if uid <= DoNotChangeUID && gid <= DoNotChangeGID {
return uid, gid // do not need to do chown
}

if uid <= DoNotChangeUID {
uid = int64(fi.Sys().(*syscall.Stat_t).Uid)
}
Expand Down Expand Up @@ -791,20 +796,32 @@ func mkdirAllWithPermissions(path string, mode os.FileMode, uid, gid int64) erro
if err := os.MkdirAll(path, mode); err != nil {
return err
}
if uid > math.MaxUint32 || gid > math.MaxUint32 {
// due to https://github.com/golang/go/issues/8537
return errors.New(fmt.Sprintf("Numeric User-ID or Group-ID greater than %v are not properly supported.", uint64(math.MaxUint32)))
}
if err := os.Chown(path, int(uid), int(gid)); err != nil {

if err := conditionalChown(path, uid, gid); err != nil {
return err
}

// In some cases, MkdirAll doesn't change the permissions, so run Chmod
// Must chmod after chown because chown resets the file mode.
return os.Chmod(path, mode)
}

func setFilePermissions(path string, mode os.FileMode, uid, gid int) error {
if err := os.Chown(path, uid, gid); err != nil {
func conditionalChown(path string, uid, gid int64) error {
if uid != DoNotChangeUID && gid != DoNotChangeGID {
if uid > math.MaxUint32 || gid > math.MaxUint32 {
// due to https://github.com/golang/go/issues/8537
return errors.New(fmt.Sprintf("Numeric User-ID or Group-ID greater than %v are not properly supported.", uint64(math.MaxUint32)))
}
if err := os.Chown(path, int(uid), int(gid)); err != nil {
return err
}
}
return nil
}


func setFilePermissions(path string, mode os.FileMode, uid, gid int64) error {
if err := conditionalChown(path, uid, gid); err != nil {
return err
}
// manually set permissions on file, since the default umask (022) will interfere
Expand Down Expand Up @@ -961,7 +978,7 @@ func CopyOwnership(src string, destDir string, root string) error {
return errors.Wrap(err, "reading ownership")
}
stat := info.Sys().(*syscall.Stat_t)
return os.Chown(destPath, int(stat.Uid), int(stat.Gid))
return conditionalChown(destPath, int64(stat.Uid), int64(stat.Gid))
})
}

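Review bot: In the new `conditionalChown`, the guard `if uid != DoNotChangeUID && gid != DoNotChangeGID` skips the chown whenever either ID carries the sentinel, so a caller that passes a real uid together with a do-not-change gid (or the reverse) gets no ownership change and no error, and the path keeps whatever owner it was created with. Assuming the sentinels are -1, as the doc comment on `DetermineTargetFileOwnership` says, `os.Chown` already leaves a -1 field untouched, so the skip should only apply when both are set: `if uid == DoNotChangeUID && gid == DoNotChangeGID { return nil }`. The range check also only rejects values above `math.MaxUint32`; values below the sentinel still reach `int(uid)`, while `DetermineTargetFileOwnership` treats them with `<=`, so the two functions should agree on what counts as "do not change". The helper would also benefit from a doc comment such as `// conditionalChown changes the owner of path unless both uid and gid are the do-not-change sentinel.`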