
[legacy builder] Copying non-root owned files between stages fails with userns #34645

@michael42

Description

When running docker with user namespace remapping (dockerd --userns-remap=default), copying files between stages in a multi-stage Dockerfile fails if the file isn't owned by root.

Steps to reproduce the issue:

  1. systemctl edit docker and restart docker afterwards:

     [Service]
     ExecStart=
     ExecStart=/usr/bin/dockerd -H fd:// --userns-remap=default

  2. Create multi-stage Dockerfile:

     FROM debian:stretch as build
     RUN touch x && chown 1:1 x

     FROM debian:stretch
     RUN touch y && chown 1:1 y
     COPY --from=build x ./

  3. Try to build it

Describe the results you received:

$ docker build .
Step 1/5 : FROM debian:stretch as build
 ---> a20fd0d59cf1
Step 2/5 : RUN touch x && chown 1:1 x
 ---> Running in c7dc32f085a2
 ---> d7df817bb29e
Removing intermediate container c7dc32f085a2
Step 3/5 : FROM debian:stretch
 ---> a20fd0d59cf1
Step 4/5 : RUN touch y && chown 1:1 y
 ---> Running in f9331a0fdee4
 ---> f24956139d4f
Removing intermediate container f9331a0fdee4
Step 5/5 : COPY --from=build x ./
Container ID 1148577 cannot be mapped to a host ID

Describe the results you expected:
I expected the file x to be copied, because having non-root owned files (y) works in the resulting stage.

Additional information you deem important (e.g. issue happens only occasionally):
Always reproducible; user mapping config files indicate that up to uids < 65536 should be mappable.

/etc/subuid: dockremap:1148576:65536
/etc/subgid: dockremap:1148576:65536

Output of docker version:

Client:
 Version:      17.06.0-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:17:22 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.0-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:16:12 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 34
 Running: 0
 Paused: 0
 Stopped: 34
Images: 269
Server Version: 17.06.0-ce
Storage Driver: btrfs
 Build Version: Btrfs v4.7.3
 Library Version: 101
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: cfb82a876ecc11b5ca0977d1733adbe58599088a
runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
 userns
Kernel Version: 4.9.0-3-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.63GiB
Name: [...]
ID: [...]
Docker Root Dir: /var/lib/docker/1148576.1148576
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical Debian 9 machine with btrfs. Running without user namespaces works fine.
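The arithmetic behind the numbers in this report, as an added example that is not part of the issue or of the moby code base: with the single range dockremap:1148576:65536, container uid 1 is stored on the host as 1148577, and 1148577 treated as a container uid falls outside the 65536-wide range. It assumes (the report itself does not confirm this) that the legacy builder fed the file's already-remapped host-side owner back through the container-to-host mapping.

```go
package main

import (
	"errors"
	"fmt"
)

// IDMap mirrors one /etc/subuid or /etc/subgid entry: container IDs in
// [ContainerID, ContainerID+Size) map onto host IDs in [HostID, HostID+Size).
type IDMap struct {
	ContainerID int
	HostID      int
	Size        int
}

// ErrUnmappable is returned when an ID falls outside every configured range.
var ErrUnmappable = errors.New("cannot be mapped to a host ID")

// ToHost translates a container-side ID to the host-side ID that ends up
// on disk for a file chowned to that ID inside a userns-remapped container.
func ToHost(maps []IDMap, containerID int) (int, error) {
	for _, m := range maps {
		if containerID >= m.ContainerID && containerID < m.ContainerID+m.Size {
			return m.HostID + (containerID - m.ContainerID), nil
		}
	}
	return -1, fmt.Errorf("Container ID %d %w", containerID, ErrUnmappable)
}

// ToContainer is the reverse translation: the owner stored in a remapped
// layer expressed again in container terms.
func ToContainer(maps []IDMap, hostID int) (int, error) {
	for _, m := range maps {
		if hostID >= m.HostID && hostID < m.HostID+m.Size {
			return m.ContainerID + (hostID - m.HostID), nil
		}
	}
	return -1, fmt.Errorf("Host ID %d %w", hostID, ErrUnmappable)
}

// DockremapRange is the range from the report's /etc/subuid: dockremap:1148576:65536.
var DockremapRange = []IDMap{{ContainerID: 0, HostID: 1148576, Size: 65536}}

func main() {
	// Constructed walkthrough of the reported values.
	host, _ := ToHost(DockremapRange, 1) // chown 1:1 x -> stored as host uid 1148577
	fmt.Println("container uid 1 -> host uid", host)
	_, err := ToHost(DockremapRange, host) // stored host uid mapped again as a container uid
	fmt.Println("remapping the stored host uid:", err)
	back, _ := ToContainer(DockremapRange, host) // the direction that recovers container uid 1
	fmt.Println("host uid", host, "-> container uid", back)
}
```

The second call produces exactly the message seen in the build output above, which is the check to run against a given subuid range before blaming the file itself.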
