setfacl in Dockerfile has no effect

I want to set the default acl for some folders when building a docker image using setfacl but it has no effect. The default acl is unchanged. My aim is that every file that is created in /opt must have rwX permissions for any user, as the image will be run with an arbitrary uid later and needs full access to /opt.

Here's a quick example Dockerfile

FROM ubuntu:bionic
SHELL ["/bin/bash", "-c"]
RUN apt-get update > /dev/null && apt-get install -y --no-install-recommends acl > /dev/null
RUN chmod -R a+rwXs /opt
RUN setfacl -d -m o::rwx /opt
RUN getfacl /opt

and the output is

# file: opt
# owner: root
# group: root
# flags: ss-
user::rwx
group::rwx
other::rwx

which is wrong: the default ACL is missing. But if I run the same commands manually in a container, it works:

docker run -ti --rm ubuntu:bionic bash
root@636bf8fdba41:/# apt-get update > /dev/null && apt-get install -y --no-install-recommends acl > /dev/null
debconf: delaying package configuration, since apt-utils is not installed
root@636bf8fdba41:/# chmod -R a+rwXs /opt
root@636bf8fdba41:/# setfacl -d -m o::rwx /opt
root@636bf8fdba41:/# getfacl /opt
getfacl: Removing leading '/' from absolute path names
# file: opt
# owner: root
# group: root
# flags: ss-
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx

Any idea why docker does not correctly apply the acl changes when running setfacl in the Dockerfile?

Docker version 19.03.5, build 633a0ea838; Ubuntu 18.04 as host.

asked Nov 26 '19 02:11 by GenError

1 Answer

Any idea why docker does not correctly apply the acl changes when running setfacl in the Dockerfile?

Don't take this as an authoritative answer, because I'm just guessing.

Docker images have to run on a variety of distributions, with different storage backends (possibly even more when you factor in image registries, like hub.docker.com). Even those that are filesystem based may be backed by different filesystems with different capabilities.

This means that in order for Docker images to run reliably and reproducibly in all situations, they have to minimize the number of extended filesystem features they preserve.

This is probably why the extended attributes necessary to implement filesystem ACLs are not preserved as part of the image.


It works in a container because at this point the files are stored on a specific local filesystem, so you can take advantage of any features supported by that filesystem.

answered Nov 08 '22 20:11 by larsks
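One way to check the answer's hypothesis directly, rather than reading `getfacl` output, is to look for the extended attribute that carries the default ACL. The following is an added Python example (not from the question or the answer): it reads `system.posix_acl_default` from a directory and decodes the on-disk POSIX ACL xattr format into getfacl-style entries, so you can run it in a `RUN` step, in a container started from the built image, and on the host's layer directory to see at which point the attribute disappears. The `SAMPLE` blob is constructed to match the question's default ACL; the decoder itself works for any entries.

```python
import errno
import os
import struct

# On-disk POSIX ACL xattr format (what setfacl stores and an image layer
# would have to preserve): a u32 little-endian version header (0x0002),
# followed by fixed-size entries of u16 tag, u16 perm, u32 id.
ACL_XATTR_VERSION = 0x0002
HEADER = struct.Struct("<I")
ENTRY = struct.Struct("<HHI")
UNDEFINED_ID = 0xFFFFFFFF  # id field is unused for owner/group/other/mask
TAGS = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
        0x10: "mask", 0x20: "other"}


def decode_posix_acl(blob):
    """Decode a posix_acl xattr blob into getfacl-style 'kind:qualifier:rwx' strings."""
    (version,) = HEADER.unpack_from(blob, 0)
    if version != ACL_XATTR_VERSION:
        raise ValueError("unsupported ACL xattr version %#x" % version)
    entries = []
    for off in range(HEADER.size, len(blob), ENTRY.size):
        tag, perm, ident = ENTRY.unpack_from(blob, off)
        kind = TAGS.get(tag)
        if kind is None:
            raise ValueError("unknown ACL tag %#x" % tag)
        qualifier = "" if ident == UNDEFINED_ID else str(ident)
        rwx = "".join(c if perm & bit else "-"
                      for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        entries.append("%s:%s:%s" % (kind, qualifier, rwx))
    return entries


def default_acl(path):
    """Return the decoded default ACL of a directory, or [] if the xattr is absent."""
    try:
        blob = os.getxattr(path, "system.posix_acl_default")  # Linux only
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return []
        raise
    return decode_posix_acl(blob)


# Constructed blob: what `setfacl -d -m o::rwx` leaves on a mode-0777 directory
SAMPLE = HEADER.pack(ACL_XATTR_VERSION) + b"".join(
    ENTRY.pack(tag, 7, UNDEFINED_ID) for tag in (0x01, 0x04, 0x20))

if __name__ == "__main__":
    import sys
    for entry in default_acl(sys.argv[1] if len(sys.argv) > 1 else "/opt"):
        print("default:" + entry)
```

An empty result from `default_acl("/opt")` inside a container started from the image, after a non-empty result inside the `RUN` step, confirms that the layer export dropped the attribute rather than `setfacl` having failed.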