unpack permissions incorrect

[AdamSimpson]

I have run across an issue in another project that uses image-tools, sylabs/singularity#3880, that looks to be caused by image-tools failing to unpack files with the correct permissions. The issue appears when building from a Dockerfile when a file is created in one layer and then in a subsequent layer the permissions are modified. In this case it looks like the unpacked image has the original file permissions and the updated permissions are ignored.

Dockerfile

FROM ubuntu
RUN mkdir -m 700 /foobar
RUN chmod 755 /foobar

Building the image and verifying the permissions

$ docker build -t permission:test .
$ docker run permission:test ls -ld /foobar
drwxr-xr-x 1 root root 4096 Jul  7 02:43 /foobar

Copy the image with skopeo

$ skopeo copy docker-daemon:permission:test oci:permission:test

Verify permissions are correct with umoci

$ sudo umoci unpack --image permission:test permission_umoci
$ sudo ls -ld permission_umoci/rootfs/foobar
drwxr-xr-x 2 root root 4096 Jul  6 19:43 permission_umoci/rootfs/foobar

Permissions are incorrect with image-tools

$ oci-image-tool unpack --ref name=test permission permission_oit
$ ls -ld permission_oit/foobar
drwx------ 2 asimpson asimpson 4096 Jul  6 19:43 permission_oit/foobar

[cyphar]

I would suggest using https://github.com/openSUSE/umoci instead -- image-tools has historically had many problems with unpacking things correctly and is the main reason I ended up writing umoci. It's used by quite a few other projects as well (within openSUSE we use it to build our container images, it's used by LXC as a method of getting OCI support, and there are tools built on-top of umoci like CISCO's stacker).

[cyphar]

Oh sorry, I didn't notice you already mentioned you tested against umoci. 😉 I could look into porting image-tools to umoci (the underlying libraries should be fairly reusable -- I know a few folks that are reusing it).

[AdamSimpson]

Thanks @cyphar, it looks like the Singularity devs are looking into integrating umoci. From what I could see this should be relatively straight forward.

[cyphar]

This project is no longer actively maintained. However, umoci is a much more full-featured tool for manipulating OCI images, and is now an OCI project as a reference implementation of the OCI image-spec. I would strongly suggest people move to using umoci.