author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-09-08 09:49:22 +0200 |
committer | GitHub <noreply@github.com> | 2021-09-08 09:49:22 +0200 |
commit | 598d914e625616da49df7c068ffd84135d12571e (patch) | |
tree | 87a465d838ae70e0a36fdefd664b5f5dba2f0327 | |
parent | 536f23c0b78dd8feafee4e40b743988dbb03bfa2 (diff) | |
parent | 748c2700b4d839a43be6061ad3bedc3e2f08ab3a (diff) | |
Merge pull request #11473 from nalind/build-context-as-root
pkg/bindings/images.nTar(): set ownership of build context to 0:0
-rw-r--r-- | pkg/bindings/images/build.go | 3 | ||||
-rw-r--r-- | test/system/070-build.bats | 27 |
2 files changed, 30 insertions, 0 deletions
diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index 39e0fc5df..3beafa585 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -501,6 +501,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
 if err != nil {
 return err
 }
+ hdr.Uid, hdr.Gid = 0, 0
 orig, ok := seen[di]
 if ok {
 hdr.Typeflag = tar.TypeLink
@@ -532,6 +533,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
 return lerr
 }
 hdr.Name = name
+ hdr.Uid, hdr.Gid = 0, 0
 if lerr := tw.WriteHeader(hdr); lerr != nil {
 return lerr
 }
@@ -545,6 +547,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
 return lerr
 }
 hdr.Name = name
+ hdr.Uid, hdr.Gid = 0, 0
 if lerr := tw.WriteHeader(hdr); lerr != nil {
 return lerr
 }
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 0f58b2784..47db08eb1 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
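Review bot: Zeroing `hdr.Uid`/`hdr.Gid` in the first hunk (and again in the @@ -532 and @@ -545 hunks of this file) leaves `hdr.Uname`/`hdr.Gname` untouched; if `hdr` was produced by `tar.FileInfoHeader` — its construction is outside these hunks, as nTar begins and ends outside them — those fields carry the client's resolved user and group names on Unix, and a tar reader that prefers names over numeric IDs could still map the entry away from root. Clearing them alongside, `hdr.Uid, hdr.Gid = 0, 0` followed by `hdr.Uname, hdr.Gname = "", ""`, makes the 0:0 ownership unambiguous in the archive regardless of how the server extracts it. The same assignment now appears at three header sites; setting it once where the header is built, with a comment along the lines of `// Build-context entries are always sent as root-owned so the server's COPY default does not depend on the client's IDs`, would keep the three sites from drifting, and the Uname/Gname reset would then live in one place too.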
@@ -929,6 +929,33 @@ EOF
 is "$output" ".*test1" "test1 should exists in the final image"
 }
 
+@test "podman build build context ownership" {
+ tmpdir=$PODMAN_TMPDIR/build-test
+ subdir=$tmpdir/subdir
+ mkdir -p $subdir
+
+ touch $tmpdir/empty-file.txt
+ if is_remote && ! is_rootless ; then
+ # TODO: set this file's owner to a UID:GID that will not be mapped
+ # in the context where the remote server is running, which generally
+ # requires us to be root (or running with more mapped IDs) on the
+ # client, but not root (or running with fewer mapped IDs) on the
+ # remote server
+ # 4294967292:4294967292 (0xfffffffc:0xfffffffc) isn't that, but
+ # it will catch errors where a remote server doesn't apply the right
+ # default as it copies content into the container
+ chown 4294967292:4294967292 $tmpdir/empty-file.txt
+ fi
+ cat >$tmpdir/Dockerfile <<EOF
+FROM $IMAGE
+COPY empty-file.txt .
+RUN echo 0:0 | tee expected.txt
+RUN stat -c "%u:%g" empty-file.txt | tee actual.txt
+RUN cmp expected.txt actual.txt
+EOF
+ run_podman build -t build_test $tmpdir
+}
+
 function teardown() {
 # A timeout or other error in 'build' can leave behind stale images
 # that podman can't even see and which will cascade into subsequent |
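Review bot: `subdir` is created by `mkdir -p $subdir` but nothing later in the test — neither the Dockerfile nor the build command — references it, so the directory is dead setup. The Go side of this PR resets ownership at three header sites while the test only checks one regular file; putting a file under `$subdir`, copying the directory in the Dockerfile and adding a second `RUN stat -c "%u:%g" subdir | tee actual-dir.txt` with its own `cmp` would make the unused directory earn its place and exercise the directory-entry path too. The remote/rootful `chown` branch only runs in that one configuration, which the TODO already acknowledges, so in the other configurations the test is confirming the default rather than the remap.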