VOLUME in Dockerfile created with wrong permissions + timestamp

[ensc]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

A VOLUME within Dockerfile is created with wrong permissions. E.g.

FROM fedora:33

RUN ls -lad /var/tmp

VOLUME /var/tmp

RUN ls -lad /var/tmp

and then docker run ... ls -lad /var/tmp shows three different modes:

drwxrwxrwt. 2 root root 4096 Feb 17 07:48 /var/tmp       <<< from original image
drwxrwxrwx. 2 root root 4096 Apr  1 15:30 /var/tmp       <<< in `podman build` after VOLUME
drwxr-xr-x. 2 root root 4096 Apr  1 15:31 /var/tmp       <<< in generated image

Doing the same with moby-engine-19.03.13 shows

drwxrwxrwt. 2 root root 4096 Feb 17 07:48 /var/tmp
drwxrwxrwt. 2 root root 4096 Feb 17 07:48 /var/tmp
drwxrwxrwt. 2 root root 4096 Feb 17 07:48 /var/tmp

I expect the moby-engine behavior:

• /vat/tmp keeps 01777 perms
• timestamps do not change

Steps to reproduce the issue:

1. run 'podman build' with Dockerfile above

2. start the generated image and look at /var/tmp

Output of podman version:

Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.8
Built:        Fri Feb 19 17:56:17 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.26-1.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 777074ecdb5e883b9bec233f3630c5e7fa37d521'
  cpus: 8
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: ensc-virt.intern.sigma-chemnitz.de
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 505
      size: 1
    - container_id: 1
      host_id: 505000000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 505
      size: 1
    - container_id: 1
      host_id: 505000000
      size: 1000000
  kernel: 5.11.7-200.fc33.x86_64
  linkmode: dynamic
  memFree: 2529865728
  memTotal: 32658120704
  ociRuntime:
    name: crun
    package: crun-0.18-1.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.18
      commit: 808420efe3dc2b44d6db9f1a3fac8361dde42a95
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/505/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.9
      commit: 4e37ea557562e0d7a64dc636eff156f64927335e
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 2586046464
  swapTotal: 4294963200
  uptime: 155h 28m 39.4s (Approximately 6.46 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/ensc/.config/containers/storage.conf
  containerStore:
    number: 7
    paused: 0
    running: 5
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.4.0-1.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /.local/home/ensc/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 176
  runRoot: /run/user/505
  volumePath: /.local/home/ensc/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1613753777
  BuiltTime: Fri Feb 19 17:56:17 2021
  GitCommit: ""
  GoVersion: go1.15.8
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.0.1-1.fc33.x86_64
buildah-1.19.8-1.fc33.x86_64

moby-engine-19.03.13-1.ce.git4484c46.fc33.x86_64     (for reference)

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

@mheon this looks like the builtin volume is not grabbing the dest directories permissions and setting them.

[rhatdan]

$ podman run alpine ls -ld /var/tmp
drwxrwxrwt    2 root     root          4096 Apr 14 10:25 /var/tmp
$ podman run -v test:/var/tmp alpine ls -ld /var/tmp
drwxr-xr-x    2 root     root          4096 May  2 11:08 /var/tmp

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[ensc]

Has this really been fixed completely?

A slightly modified dockerfile

FROM fedora:34

VOLUME /foo

RUN mkdir -p /foo && chown nobody:nobody /foo && ls -ld /foo
RUN ls -ld /foo

still loses permissions and ownership attributes

$ podman build .
STEP 1: FROM fedora:34
STEP 2: VOLUME /foo
--> Using cache 254841daa711ccca4e1dd133145e7905d942ae842f3108887da30d4ceea2b5c8
--> 254841daa71
STEP 3: RUN mkdir -p /foo && chown nobody:nobody /foo && ls -ld /foo
drwxr-xr-x. 2 nobody nobody 4096 Jul 27 10:35 /foo
--> 6d94b2065c6
STEP 4: RUN ls -ld /foo
drwxr-xr-x. 2 root root 4096 Jul 27 10:35 /foo
STEP 5: COMMIT
--> cc965ee29a6
cc965ee29a6745ebcfd48018586fff73e7e7141335fc543fc36c02bf67706557

(owner is root:root instead of nobody:nobody in second RUN).

podman-3.2.3-1.fc34.x86_64

[rhatdan]

This works.

FROM fedora:34

RUN mkdir -p /foo && chown nobody:nobody /foo && ls -ld /foo
VOLUME /foo
RUN ls -ld /foo

I tried your original Dockerfile, and Docker works the same as podman.

Basically the VOLUME is created on the mount point at the time of creation. If the destination directory does not exist, the ownership of the directory, defaults to the current user in the container.

If the directory previously exists then the VOLUME will assume the ownership and timestamp of the existing directory.