Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(Since 2.7.18) bootBuildImage: /workspace directory is owned by the wrong user id... #38535

Closed
jerchende opened this issue Nov 24, 2023 · 3 comments
Closed

(Since 2.7.18) bootBuildImage: /workspace directory is owned by the wrong user id... #38535

jerchende opened this issue Nov 24, 2023 · 3 comments

Comments

@jerchende
Copy link

For my Spring Boot Service I build a bootBuildImage with gradle.

With Spring Boot 2.7.18 the /workspace-directory inside the image is owned by User 1001, which is a not existing user id.

‣ docker run -ti --entrypoint /bin/bash <2.7.18 image>
cnb@94f7bdde2982:/workspace$ id
uid=1002(cnb) gid=1000(cnb) groups=1000(cnb)
cnb@94f7bdde2982:/workspace$ ls -la
total 20
drwxr-xr-x 1 1001 cnb  4096 Jan  1  1980 .
drwxr-xr-x 1 root root 4096 Nov 24 10:20 ..
drwxr-xr-x 1 1001 cnb  4096 Jan  1  1980 BOOT-INF
drwxr-xr-x 2 1001 cnb  4096 Jan  1  1980 META-INF
drwxr-xr-x 3 1001 cnb  4096 Jan  1  1980 org

In 2.7.17 the /workspace directory was owned by cnb with user id 1000:

‣ docker run -ti --entrypoint /bin/bash <2.7.17 image>
cnb@c5f7657cab0d:/workspace$ id
uid=1000(cnb) gid=1000(cnb) groups=1000(cnb)
cnb@c5f7657cab0d:/workspace$ ls -la
total 20
drwxr-xr-x 1 cnb  cnb  4096 Jan  1  1980 .
drwxr-xr-x 1 root root 4096 Nov 24 10:21 ..
drwxr-xr-x 1 cnb  cnb  4096 Jan  1  1980 BOOT-INF
drwxr-xr-x 2 cnb  cnb  4096 Jan  1  1980 META-INF
drwxr-xr-x 3 cnb  cnb  4096 Jan  1  1980 org

This causes issues with some file operations, for example logging, because the service is no longer allowed to create files in the /workspace directory.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 24, 2023
@wilkinsona
Copy link
Member

I believe this is due to #38477. You could explicitly configure the use of the older builder. Before doing so, you should be aware that the Paketo team consider it to be unsafe. This is why we took the unusual step of changing the default in a maintenance release.

I think it's also worth noting that the buildpacks team do not recommend creating files in /workspace (and may have tightened things up in part to enforce this recommendation). I think a better long-term solution would be to stick with the new Jammy-based builder and adapt your application so that it does not write to /workspace.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Nov 24, 2023
@wilkinsona wilkinsona removed the status: waiting-for-triage An issue we've not yet triaged label Nov 24, 2023
@ahachmann
Copy link

ahachmann commented May 7, 2024
edited
Loading

Actually we are currently also facing the problem with the UID, but not in /workspace but with EFS PersistendVolumeClaims in Amazon EKS (Kubernetes). Our EFS files always had the same user id 1000 as the old cnb where running processes. Now that seems to have changed to uid=1002 and access rights are now restricting our services to access those files. Is there a way to configure the UID the process will run with on those images, or what would your suggestion be to solve such issues?

Old Spring-Boot Version: 2.7.9
New Spring-Boot Version: 3.2.5

@wilkinsona
Copy link
Member

That's a question for the buildpacks community. AFAIK, it's out of Spring Boot's control.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wilkinsona @jerchende @spring-projects-issues @ahachmann