Fix #9 - add support for --chown flag to COPY #250
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here (e.g. What to do if you already signed the CLAIndividual signers
Corporate signers
|
|
Hey @pmcq , looks like you need to sign the CLA and fix some linting errors for travis to pass. |
|
Hi, sorry, I'm currently working with my company internally to get the corporate CLA signed but I think it could be a couple of days for this to get set up so I might have to put this on hold until that goes through. I can close this for now and re-open when that's finished or whatever you would prefer. Thanks. |
|
No rush, feel free to keep it open if that's easier. |
|
CLAs look good, thanks! |
…hared between USER and COPY commands. Update COPY commands to chown files/directories/symlinks appropriately
|
Hi I believe the CLAs are all set and I fixed up some merge conflicts on my end |
|
All of our integration tests are failing with an invalid userid error:
|
|
You can find instructions for running integration tests locally here! |
|
I don't have a GCP account but can start the process of setting that stuff up for integration tests then. I have run the normal unit tests, and built some images locally. |
|
@pmcq thanks! let me know if you run into any issues |
|
I've fixed up the code a little so that the images are now being built correctly but I can't get the integration tests to pass locally. At the end of the build I keep getting a |
|
Is this ready to merge? |
|
I just performed another merge from master to fix some merge conflicts, all tests are still passing. |
|
Any news about this feature? |
|
Very useful feature |
|
Hey @pmcq ! We'd like to give this another review, looks like there's a conflict that needs to be updated? Let us know when we should take a look again! (or if you want us to resolve the conflicts and get the PR merged, that's fine too!) |
|
Wait for this feature! |
|
I'm taking a look at addressing the merge conflict and will try to re-push before I go on vacation this week. |
pkg/util/command_util.go
Outdated
| return "", "", err | ||
| } | ||
|
|
||
| uidStr, gidStr, err := GetUserFromUsername(userStr, groupStr) |
There was a problem hiding this comment.
nit: you can return GetUserFromUsername(userStr, groupStr) here
pkg/util/fs_util.go
Outdated
| // It returns a list of files it copied over | ||
| func CopyDir(src, dest string) ([]string, error) { | ||
| func CopyDir(src string, dest string, chownUID int, chownGid int) ([]string, error) { |
There was a problem hiding this comment.
nit: this can be simplified to (src, dest string, uid, gid int)
pkg/util/fs_util.go
Outdated
| return nil, err | ||
| } | ||
| } else if fi.Mode()&os.ModeSymlink != 0 { | ||
| // If file is a symlink, we want to create the same relative symlink | ||
| if err := CopySymlink(fullPath, destPath); err != nil { | ||
| if err := CopySymlink(fullPath, destPath, chownUID, chownGid); err != nil { |
There was a problem hiding this comment.
should these be uid and gid instead of chownUID and chownGid? I think with that change determineChownUIDGid won't need to be called again in CopySymlink
There was a problem hiding this comment.
My thought here was since CopySymlink is exported it could be called in other places that didn't have the resolved uid/gid (or to allow callers to those functions to specify "keep uid the same", e.g. https://github.com/GoogleContainerTools/kaniko/pull/250/files#diff-a29f0f6c0a35589007a1c4e592f5c189R166) and that it would be less error-prone for callers if determineChownUIDGid was called within CopySymlink/CopyFile. I agree that expectation could be changed and I can change this if you'd like.
There was a problem hiding this comment.
Hi @priyawadhwa - what do you think?
There was a problem hiding this comment.
That makes sense -- we can keep the determineChownUIDGid in both places, but let's still pass in uid and gid in this function since it's a bit cleaner
There was a problem hiding this comment.
okay I can do that but it would have to be int(uid) and int(gid) (since those values are uint32s but the other functions expect signed ints which determineChownUIDGid returns) - I wasn't sure if the type casting to signed was frowned upon or not.
pkg/util/fs_util.go
Outdated
| return nil, err | ||
| } | ||
| } else { | ||
| // ... Else, we want to copy over a file | ||
| if err := CopyFile(fullPath, destPath); err != nil { | ||
| if err := CopyFile(fullPath, destPath, chownUID, chownGid); err != nil { |
There was a problem hiding this comment.
same as above, should these be uid and gid?
There was a problem hiding this comment.
This is looking really good! Could you just add to our copy integration test Dockerfile so that we can test this change?
pkg/util/fs_util.go
Outdated
| return nil, err | ||
| } | ||
| } else if fi.Mode()&os.ModeSymlink != 0 { | ||
| // If file is a symlink, we want to create the same relative symlink | ||
| if err := CopySymlink(fullPath, destPath); err != nil { | ||
| if err := CopySymlink(fullPath, destPath, chownUID, chownGid); err != nil { |
There was a problem hiding this comment.
That makes sense -- we can keep the determineChownUIDGid in both places, but let's still pass in uid and gid in this function since it's a bit cleaner
| // If the given uid/gid are negative, returns the uid/gid from the | ||
| // file info. | ||
| // Otherwise returns the given uid/gid | ||
| func determineChownUIDGid(fileInfo os.FileInfo, chownUID, chownGid int) (uint32, uint32) { |
There was a problem hiding this comment.
nit: let's call this determineChownUidGid
There was a problem hiding this comment.
the linter actually raised errors when using uid or Uid here - https://travis-ci.org/GoogleContainerTools/kaniko/builds/457513881 I forgot to also look at renaming Gid to GID (which I guess it didn't check against)
| // for the corresponding user as a string, replacing any build arguments | ||
| // and environment variables. Group is not required to be specified, and | ||
| // if left off, gid will be empty | ||
| func GetUIDGidFromUserString(commandUserStr string, replacementEnvs []string) (string, string, error) { |
There was a problem hiding this comment.
nit: getUidGidFromUserString
|
I actually don't think I will have any time soon to get this PR ready for approval - I wasn't able to get integration tests running (always get some auth issues with gcr) and will be busy with work/holidays. If someone else can pick this up that would be nice but I'll probably stick with my fork until then. |
…s for chowning purposes, otherwise /etc/passwd isn't found, or wouldn't have the users/groups from the base image
|
@pmcq do you think I can pick up where you left ? Or would you consider continuing to work on this ? |
|
Correct I will not be working on this any longer. There are also some problems I ran into with kaniko not unpacking base layers and since it uses |
|
@Rowern is there any new PR where I can watch progress for this fix? It's really important for my team :). |
|
How's it going? |
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
Since @pmcq hasnt signed CLA from patrick@algorithmia.io I am going to close this pr and create another one. |
#9
To test, I've built an image locally and used it to run dockerfiles with COPY --chown flag succesfully. All existing unit tests pass, however I don't see any existing tests on util.CopyDir/CopyFile or CopySymlink that need modification.
Since the user running the testcases isn't going to be a root user, it wouldn't be allowed to chown a file to someone else, so any testcases I wrote around the chown logic was failing for permission denied reasons.