Kaniko loses sticky bit on /tmp after COPY, causing apt-get update failures #3393

Open
ripiomatiascalvo opened this issue Jan 24, 2025 · 1 comment

Comments

@ripiomatiascalvo

Actual behavior

When building an image with Kaniko that copies files into /tmp, the permissions on /tmp get changed from drwxrwxrwt (1777) to drwxrwxr-x (0775) (the sticky bit is lost). As a result, running apt-get update fails with:

    Couldn't create temporary file /tmp/apt.conf.xxxxx for passing config to apt-key
    ...
    The repository ... is not signed.

In contrast, the same Dockerfile works as expected with docker build, and /tmp retains the sticky bit.

Expected behavior

Kaniko should preserve the sticky bit on /tmp so that apt-get commands (and other processes that rely on /tmp being 1777) do not fail. The build should succeed similarly to how it does with Docker.

To Reproduce

  1. Create a minimal Dockerfile (example below) that copies a folder into /tmp and then runs apt-get update.
  2. Build the image with Kaniko using a command like:
     docker run --rm -it \
       -v "$PWD":/workspace \
       -w /workspace \
       gcr.io/kaniko-project/executor:latest \
       --dockerfile Dockerfile \
       --context dir:///workspace \
       --destination localhost:5000/test:latest
  3. Observe that apt-get update fails with an error about creating temporary files in /tmp.

Additional Information

  • Dockerfile (simplified example reproducing the issue):
    FROM public.ecr.aws/lts/ubuntu:20.04_stable

    # Copy files into /tmp
    COPY lib/. /tmp/

    # Now apt-get update will fail due to lost sticky bit on /tmp
    RUN apt-get update && apt-get install -y curl
  • Build Context
    The lib directory contains arbitrary files (empty files/folders are enough to reproduce). The presence of that copy to /tmp is what changes the directory’s permissions.

  • Kaniko Image (fully qualified with digest)
    gcr.io/kaniko-project/executor:latest
    (Also tested with other Kaniko versions. Same result.)

Triage Notes for the Maintainers

| Description | Yes/No |
| --- | --- |
| Please check if this is a new feature you are proposing | [ ] |
| Please check if the build works in docker but not in kaniko | [x] |
| Please check if this error is seen when you use --cache flag | [ ] |
| Please check if your dockerfile is a multistage dockerfile | [ ] |

The same Dockerfile works fine with docker build.
With Kaniko, /tmp is changed to drwxrwxr-x (0775), losing the sticky bit, which breaks apt-get.
This issue persists even if you do RUN chmod 1777 /tmp in a prior layer, because the subsequent COPY seems to overwrite permissions.

@ripiomatiascalvo
Author

[INFO] [Fri Jan 24 13:52:54 UTC 2025]: W: GPG error: http://archive.ubuntu.com/ubuntu focal-updates InRelease: Couldn't create temporary file /tmp/apt.conf.3EWMzP for passing config to apt-key
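
A build-output check for the permission change reported in this issue, as an added example that is not part of the issue or of Kaniko's code: it replays image layer tarballs in order and reports any layer whose directory entry for /tmp replaces mode 1777. It assumes the change is visible as a directory entry in the layer tar; `make_layer`, `audit_layers`, `TEMP_DIRS` and the in-memory layers are constructed for illustration.

```python
import io
import posixpath
import tarfile

TEMP_DIRS = {"tmp", "var/tmp"}  # assumption: dirs this example expects at 1777
REQUIRED = 0o1777               # world-writable plus sticky bit


def make_layer(entries):
    """Build a constructed in-memory layer tar from (name, mode, is_dir)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)
    return buf.getvalue()


def audit_layers(layers):
    """Replay layers in order; a later directory entry overrides the mode.

    Returns (effective_modes, regressions), where regressions lists
    (layer_index, path, mode) for each layer that replaces 1777.
    """
    effective, regressions = {}, []
    for index, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for member in tar:
                path = posixpath.normpath(member.name).lstrip("/")
                if not member.isdir() or path not in TEMP_DIRS:
                    continue
                mode = member.mode & 0o7777
                if effective.get(path) == REQUIRED and mode != REQUIRED:
                    regressions.append((index, path, oct(mode)))
                effective[path] = mode
    return effective, regressions


if __name__ == "__main__":
    # Constructed sample: base layer with a correct /tmp, then a COPY-style
    # layer that re-adds the directory entry with 0775.
    base = make_layer([("tmp", 0o1777, True)])
    copied = make_layer([("tmp", 0o775, True), ("tmp/a.txt", 0o644, False)])
    effective, regressions = audit_layers([base, copied])
    for index, path, mode in regressions:
        print(f"layer {index}: /{path} changed to {mode}, sticky bit lost")
    bad = [p for p, m in effective.items() if m != REQUIRED]
    raise SystemExit(1 if bad else 0)
```

Run as a script it exits non-zero when the final effective mode of a listed directory is not 1777, so it can gate a pipeline step that inspects the built image's layers.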
