WORKDIR changes the an existing folder's ownership to root:root #9387

Closed
kkujala opened this issue Feb 15, 2021 · 7 comments · Fixed by #9391
Comments


kkujala commented Feb 15, 2021

Description

I checked the bug reports and found one issue about folder ownership and WORKDIR: containers/buildah#2323. That issue is about USER and WORKDIR, and in this case the folder is pre-created and chowned.

Podman and buildah work differently with WORKDIR than docker. The folder ownership (user:group) changes from my user (12345:12345) to the root user (0:0) in the case of buildah/podman. For docker the folder ownership does not change.

Steps to reproduce the issue:

  1. Build the following Dockerfile either with buildah or podman; the result is the same. Also the option "--format docker" does not have an effect on the result.
FROM docker.io/centos:centos8

RUN : \
    && echo 'mygroup:x:12345:' >> /etc/group \
    && echo 'myuser:x:12345:12345:myuser:/home/myuser:/usr/sbin/nologin' \
        >> /etc/passwd \
    && mkdir --mode=0700 /home/myuser \
    && chown 12345:12345 /home/myuser \
    && :

USER 12345:12345
WORKDIR /home/myuser

The following build command can be used:

buildah bud --tag myuser_buildah .
  2. Also build the same Dockerfile with docker
docker build --tag myuser_docker .

Describe the results you received:

Results for buildah/podman:

$ podman run --rm -ti myuser_buildah ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Feb 15 16:41 .
dr-xr-xr-x 17 root root 4096 Feb 15 16:41 ..
drwx------  2 root root 4096 Feb 15 16:41 myuser

Results for docker:

$ docker run --rm -ti myuser_docker ls -la /home
total 12
drwxr-xr-x 1 root   root    4096 Feb 15 15:52 .
drwxr-xr-x 1 root   root    4096 Feb 15 16:28 ..
drwx------ 2 myuser mygroup 4096 Feb 15 15:52 myuser

Describe the results you expected:
According to https://docs.docker.com/engine/reference/builder/#workdir

If the WORKDIR doesn’t exist, it will be created even if it’s not used in any subsequent Dockerfile instruction.

So in this case the folder already exists, so it should not be re-created or modified.

For buildah/podman:
Expect that /home/myuser be owned by myuser:mygroup, but because root:root owns /home/myuser, the user myuser cannot access its own home folder.

For docker:
Observe that the /home/myuser has the correct ownership myuser:mygroup. Also myuser can access its own home folder.

Output of rpm -q buildah or apt list buildah:

$ pacman -Qv buildah
Root      : /
Conf File : /etc/pacman.conf
DB Path   : /var/lib/pacman/
Cache Dirs: /var/cache/pacman/pkg/  
Hook Dirs : /usr/share/libalpm/hooks/  /etc/pacman.d/hooks/  
Lock File : /var/lib/pacman/db.lck
Log File  : /var/log/pacman.log
GPG Dir   : /etc/pacman.d/gnupg/
Targets   : buildah
buildah 1.19.4-1

Output of buildah version:

$ buildah version
Version:         1.19.4
Go Version:      go1.15.8
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:  v0.8.1
image Version:   5.10.1
Git Commit:      175c3e87
Built:           Wed Feb 10 21:18:05 2021
OS/Arch:         linux/amd64

Output of podman version if reporting a podman build issue:

$ pacman -Qv podman
Root      : /
Conf File : /etc/pacman.conf
DB Path   : /var/lib/pacman/
Cache Dirs: /var/cache/pacman/pkg/  
Hook Dirs : /usr/share/libalpm/hooks/  /etc/pacman.d/hooks/  
Lock File : /var/lib/pacman/db.lck
Log File  : /var/log/pacman.log
GPG Dir   : /etc/pacman.d/gnupg/
Targets   : podman
podman 3.0.0-1

$ podman version
Version:      3.0.0
API Version:  3.0.0
Go Version:   go1.15.8
Git Commit:   5b2585f5e91ca148f068cefa647c23f8b1ade622
Built:        Fri Feb 12 00:22:46 2021
OS/Arch:      linux/amd64

Output of cat /etc/*release:

$ cat /etc/*release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://www.archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
LOGO=archlinux

Output of uname -a:

$ uname -a
Linux redacted 5.10.16-arch1-1 #1 SMP PREEMPT Sat, 13 Feb 2021 20:50:18 +0000 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

$ cat /etc/containers/storage.conf | sed -n '/^[^#]/p'
[storage]
driver = "fuse-overlayfs"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options]
additionalimagestores = [
]
[storage.options.overlay]
mountopt = "nodev"
[storage.options.thinpool]
@kkujala kkujala changed the title WORKDIR changes the an existing folders ownership to root:root WORKDIR changes the an existing folder's ownership to root:root Feb 15, 2021

rhatdan commented Feb 15, 2021

This is a known bug in buildah.
If you add a
RUN echo done
after the WORKDIR in your Dockerfile, does the image work?


kkujala commented Feb 15, 2021

Unfortunately even with that it does not work correctly. I still see that the ownership for /home/myuser is changed to root:root.

$ podman run --rm -ti myuser_buildah ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Feb 15 20:26 .
dr-xr-xr-x 17 root root 4096 Feb 15 20:26 ..
drwx------  2 root root 4096 Feb 15 20:26 myuser 
$ cat Dockerfile
FROM docker.io/centos:centos8

RUN : \
    && echo 'mygroup:x:12345:' >> /etc/group \
    && echo 'myuser:x:12345:12345:myuser:/home/myuser:/usr/sbin/nologin' \
        >> /etc/passwd \
    && mkdir --mode=0700 /home/myuser \
    && chown 12345:12345 /home/myuser \
    && :

USER 12345:12345
WORKDIR /home/myuser
RUN echo done


rhatdan commented Feb 15, 2021

The image is fine, but there is a new bug in podman causing this.

@rhatdan rhatdan transferred this issue from containers/buildah Feb 15, 2021

rhatdan commented Feb 15, 2021

@vrothberg looks like your podman workdir change is forcing WORKDIR to be set to root:root.


kkujala commented Feb 15, 2021

Out of curiosity, how can the image content be checked on that detail?

rhatdan added a commit to rhatdan/podman that referenced this issue Feb 15, 2021
Currently podman is always chowning the WORKDIR to root:root
This PR will return if the WORKDIR already exists.

Fixes: containers#9387

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
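The corrected behaviour the commit message describes, written out as an added Go example (not podman's own code): create the WORKDIR only when it is missing inside the container rootfs, chown it only in that case, and leave a pre-existing directory such as the chowned /home/myuser untouched. ensureWorkDir and ownerOf are assumed names, and the rootfs used in main is a constructed temp directory standing in for an image's filesystem.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ensureWorkDir (assumed name; not podman's code) applies the fix from the
// commit message: if the WORKDIR already exists inside the container rootfs,
// return without touching it; otherwise create it and chown it to the
// container user. The reported bug was an unconditional chown to 0:0 here.
func ensureWorkDir(rootfs, workdir string, uid, gid int) (bool, error) {
	path := filepath.Join(rootfs, workdir)
	if info, err := os.Lstat(path); err == nil {
		if !info.IsDir() {
			return false, fmt.Errorf("WORKDIR %q exists but is not a directory", workdir)
		}
		return false, nil // pre-existing: keep the ownership the image set
	}
	if err := os.MkdirAll(path, 0o755); err != nil {
		return false, err
	}
	// Only a directory this call created gets the container user's uid:gid.
	return true, os.Lchown(path, uid, gid)
}

// ownerOf reports the uid and gid owning path, as ls -la shows them.
func ownerOf(path string) (int, int, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return 0, 0, err
	}
	st := info.Sys().(*syscall.Stat_t) // Linux/Unix only
	return int(st.Uid), int(st.Gid), nil
}

func main() {
	// Constructed rootfs with /home/myuser pre-created as the Dockerfile's RUN does.
	rootfs, _ := os.MkdirTemp("", "rootfs")
	defer os.RemoveAll(rootfs)
	home := filepath.Join(rootfs, "home/myuser")
	_ = os.MkdirAll(home, 0o700)
	created, err := ensureWorkDir(rootfs, "/home/myuser", 0, 0)
	uid, gid, _ := ownerOf(home)
	fmt.Println("created:", created, "err:", err, "owner:", uid, gid)
}
```

Passing 0:0 for the pre-existing directory is deliberate: with the buggy logic that chown would have fired, with the fixed logic the directory keeps its owner.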

rhatdan commented Feb 15, 2021

podman image mount IMAGEID and then you can look around the image.


kkujala commented Feb 15, 2021

Cool, thanks!

rhatdan added a commit to rhatdan/podman that referenced this issue Feb 16, 2021
@vrothberg vrothberg assigned rhatdan and unassigned vrothberg Feb 16, 2021
mheon pushed a commit to mheon/libpod that referenced this issue Feb 18, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023