diff --git a/docs/sources/reference/builder.md b/docs/sources/reference/builder.md index c3ba939550..cd7f4eff81 100644 --- a/docs/sources/reference/builder.md +++ b/docs/sources/reference/builder.md @@ -235,7 +235,9 @@ being built (also called the *context* of the build) or a remote file URL. `` is the absolute path to which the source will be copied inside the destination container. -All new files and directories are created with mode 0755, uid and gid 0. +All new files and directories are created with a uid and gid of 0. + +In the case where `` is a remote file URL, the destination will have permissions 600. > **Note**: > If you build using STDIN (`docker build - < somefile`), there is no diff --git a/integration-cli/build_tests/TestAdd/EtcToRoot/Dockerfile b/integration-cli/build_tests/TestAdd/EtcToRoot/Dockerfile new file mode 100644 index 0000000000..58c75b00f3 --- /dev/null +++ b/integration-cli/build_tests/TestAdd/EtcToRoot/Dockerfile @@ -0,0 +1,2 @@ +FROM scratch +ADD . / diff --git a/integration-cli/build_tests/TestAdd/SingleFileToRoot/Dockerfile b/integration-cli/build_tests/TestAdd/SingleFileToRoot/Dockerfile index e96201d858..561dbe9c55 100644 --- a/integration-cli/build_tests/TestAdd/SingleFileToRoot/Dockerfile +++ b/integration-cli/build_tests/TestAdd/SingleFileToRoot/Dockerfile @@ -5,5 +5,5 @@ RUN touch /exists RUN chown dockerio.dockerio /exists ADD test_file / RUN [ $(ls -l /test_file | awk '{print $3":"$4}') = 'root:root' ] -RUN [ $(ls -l /test_file | awk '{print $1}') = '-rwxr-xr-x' ] +RUN [ $(ls -l /test_file | awk '{print $1}') = '-rw-r--r--' ] RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ] diff --git a/integration-cli/build_tests/TestAdd/SingleFileToRoot/test_file b/integration-cli/build_tests/TestAdd/SingleFileToRoot/test_file deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/integration-cli/build_tests/TestAdd/WholeDirToRoot/Dockerfile b/integration-cli/build_tests/TestAdd/WholeDirToRoot/Dockerfile index 2f10979487..03e9ac0b1c 100644 --- a/integration-cli/build_tests/TestAdd/WholeDirToRoot/Dockerfile +++ b/integration-cli/build_tests/TestAdd/WholeDirToRoot/Dockerfile @@ -7,5 +7,5 @@ ADD test_dir /test_dir RUN [ $(ls -l / | grep test_dir | awk '{print $3":"$4}') = 'root:root' ] RUN [ $(ls -l / | grep test_dir | awk '{print $1}') = 'drwxr-xr-x' ] RUN [ $(ls -l /test_dir/test_file | awk '{print $3":"$4}') = 'root:root' ] -RUN [ $(ls -l /test_dir/test_file | awk '{print $1}') = '-rwxr-xr-x' ] +RUN [ $(ls -l /test_dir/test_file | awk '{print $1}') = '-rw-r--r--' ] RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ] diff --git a/integration-cli/build_tests/TestAdd/WholeDirToRoot/test_dir/test_file b/integration-cli/build_tests/TestAdd/WholeDirToRoot/test_dir/test_file deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/integration-cli/docker_cli_build_test.go b/integration-cli/docker_cli_build_test.go index 041b10d8bc..ed61afe7c4 100644 --- a/integration-cli/docker_cli_build_test.go +++ b/integration-cli/docker_cli_build_test.go @@ -57,8 +57,13 @@ func TestBuildSixtySteps(t *testing.T) { } func TestAddSingleFileToRoot(t *testing.T) { - buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd") - buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", "SingleFileToRoot") + buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd", "SingleFileToRoot") + f, err := os.OpenFile(filepath.Join(buildDirectory, "test_file"), os.O_CREATE, 0644) + if err != nil { + t.Fatal(err) + } + f.Close() + buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", ".") buildCmd.Dir = buildDirectory out, exitCode, err := runCommandWithOutput(buildCmd) errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err)) @@ -137,8 +142,17 @@ func TestAddDirContentToExistDir(t *testing.T) { } func TestAddWholeDirToRoot(t *testing.T) { - buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd") - buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", "WholeDirToRoot") + buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd", "WholeDirToRoot") + test_dir := filepath.Join(buildDirectory, "test_dir") + if err := os.MkdirAll(test_dir, 0755); err != nil { + t.Fatal(err) + } + f, err := os.OpenFile(filepath.Join(test_dir, "test_file"), os.O_CREATE, 0644) + if err != nil { + t.Fatal(err) + } + f.Close() + buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", ".") buildCmd.Dir = buildDirectory out, exitCode, err := runCommandWithOutput(buildCmd) errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err)) @@ -152,6 +166,21 @@ func TestAddWholeDirToRoot(t *testing.T) { logDone("build - add whole directory to root") } +func TestAddEtcToRoot(t *testing.T) { + buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd") + buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", "EtcToRoot") + buildCmd.Dir = buildDirectory + out, exitCode, err := runCommandWithOutput(buildCmd) + errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err)) + + if err != nil || exitCode != 0 { + t.Fatal("failed to build the image") + } + + deleteImages("testaddimg") + logDone("build - add etc directory to root") +} + // Issue #5270 - ensure we throw a better error than "unexpected EOF" // when we can't access files in the context. func TestBuildWithInaccessibleFilesInContext(t *testing.T) { @@ -177,7 +206,7 @@ func TestBuildWithInaccessibleFilesInContext(t *testing.T) { // check if we've detected the failure before we started building if !strings.Contains(out, "no permission to read from ") { - t.Fatalf("output should've contained the string: no permission to read from ") + t.Fatalf("output should've contained the string: no permission to read from but contained: %s", out) } if !strings.Contains(out, "Error checking context is accessible") { diff --git a/server/buildfile.go b/server/buildfile.go index b37053ac16..f71f945748 100644 --- a/server/buildfile.go +++ b/server/buildfile.go @@ -438,9 +438,6 @@ func (b *buildFile) addContext(container *daemon.Container, orig, dest string, r if err := os.Lchown(path, uid, gid); err != nil && !os.IsNotExist(err) { return err } - if err := os.Chmod(path, 0755); err != nil && !os.IsNotExist(err) { - return err - } return nil }) }