[feature request/propsal] add option --keep-ownership for ADD and COPY commands

[Dexus]

Description

I would love to keep the ownership on ADD and COPY commands, that are copy my files from local and also from images.

Steps to reproduce the issue:

1. create Dockerfile with ADD and/or COPY from you local storage (owned by 1123:1123)
2. build it
3. check the Ownership

Describe the results you received:

files are owned by root:root

Describe the results you expected:

I would expect to have a option ADD --keep-ownership /file /file or COPY --keep-ownership /file /file that keeps the ownership of my files, like 1123:1123 if my user has the UID and GID or the files if I run it as root.

** Additonal references: **
containers/buildah#3767
containers/buildah#4001
openshift/imagebuilder#227

[thaJeztah]

Let me move this to the BuildKit repository, which is where the Dockerfile syntax is maintained

[tonistiigi]

We already normalize all files on the client-side before they ever become part of the build. Client and deamon are usually on different machines with completely different sets of users and we don't want to give the impression that we expect some features to only work in specific limited conditions. This even has a potential security impact as client would not expect information about the local users(eg. my macos users) to be shared with the sandboxed build.

For ways to control this behavior you can prepare files in another Dockerfile stage before copying. These copies keep ownership. Additionally if you transfer your files via tarball the users info should be kept as well(you get the users that were added to the tarball when tarball was created).

[Dexus]

Thanks @thaJeztah to push it to the right place.

Thanks @tonistiigi for the feedback and concerns. In general I don't see the problem that there must be security concerns, it's not like we want to deposit it as a default behavior. What bothers me is if I have to set up directories and files one by one in my example build 90, so that the permissions are set correctly.

That would make a lot of things much easier. And I am of the opinion that it will certainly also many other users like me and they are also very happy about this switch if it were available.

Unfortunately, a tar archive is no real help, because it makes the workflow no longer reproducible, we had this idea and had to discard it.

[thaJeztah]

Unfortunately, a tar archive is no real help, because it makes the workflow no longer reproducible

One of the reasons the ownership is reset, is for reproducibility. For example, it my local UID is 501, but on someone elses machine it's 502, then the same build-context would result in a different image. Other scenarios, such as a Windows CLI (where on Windows, UID/GID are not available) used to build a Linux image. The COPY --chown option (added in moby/moby#34263), was implemented so that the Dockerfile could describe the expected ownership, but I understand that this may be less trivial if different paths within the build context that's added to the image require different ownership/permissions.