Problems with WORKDIR in a Dockerfile

2021/07/08

As a reminder.

While writing a multistage Dockerfile to build a container image with podman:

...
# The user UID is arbitrary, not one commonly used by regular users.
RUN useradd -u 7685 -r -g users -m -s /sbin/nologin -c "Builder user" builder
# Set the working directory to the `app` directory inside builder home directory
WORKDIR /home/builder/app
# Specify the user which should be used to execute all commands below
USER builder

# -- Warm maven cache --
# Copy pom file and mvnw
COPY --chown=builder:users ./pom.xml ./mvnw .
COPY --chown=builder:users ./.mvn ./.mvn
# FIXME: Not all plugins and dependencies are downloaded.
# FIXME: See bug <https://issues.apache.org/jira/browse/MDEP-82>
RUN ./mvnw -B dependency:resolve-plugins dependency:go-offline

# -- Build war --
# Copy project and build
COPY --chown=builder:users ./ ./
RUN ./mvnw -B package
...

it works without problems for a regular user with:

$ podman build -t myapp:latest .

For infrastructure reasons (that is, an external imposition), the image above has to be built with buildah, more precisely with the buildah bud command. But running it as a regular user gives:

$ buildah bud -t myapp:latest .
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  19.264 s
[INFO] Finished at: 2021-07-08T19:12:33Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-resources-plugin:2.6:resources (default-resources) on project myapp: Cannot create resource output directory: /home/builder/app/target/classes -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
error building at STEP "RUN ./mvnw -B package": error while running runtime: exit status 1
level=error msg="exit status 1"

After a good while of debugging, the problem turns out to be that WORKDIR, when it creates the directory /home/builder/app, creates it with owner and group root and permissions rwxr-xr-x, so the builder user cannot create target/ inside it.

Obviously, it is enough to change the owner of the /home/builder/app directory created by WORKDIR, by adding right after it:

RUN chown builder:users /home/builder/app && chmod 755 /home/builder/app

The command above also uses chmod to make the directory permissions explicit.

With that change, this section of the Dockerfile becomes:

...
# The user UID is arbitrary, not one commonly used by regular users.
RUN useradd -u 7685 -r -g users -m -s /sbin/nologin -c "Builder user" builder
# Set the working directory to the `app` directory inside builder home directory
# and set the correct permissions for user builder
WORKDIR /home/builder/app
RUN chown builder:users /home/builder/app && chmod 755 /home/builder/app
# Specify the user which should be used to execute all commands below
USER builder

# -- Warm maven cache --
# Copy pom file and mvnw
COPY --chown=builder:users ./pom.xml ./mvnw .
COPY --chown=builder:users ./.mvn ./.mvn
# FIXME: Not all plugins and dependencies are downloaded.
# FIXME: See bug <https://issues.apache.org/jira/browse/MDEP-82>
RUN ./mvnw -B dependency:resolve-plugins dependency:go-offline

# -- Build war --
# Copy project and build
COPY --chown=builder:users ./ ./
RUN ./mvnw -B package
...
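A check for this pattern, as an added example that is not part of the original post: a heuristic shell lint that reads a Dockerfile on stdin and flags any WORKDIR declared while the build user is root when a later non-root USER follows without a chown of that path in between. The function names `lint_workdir` and `sample` and the base image name are assumptions; the sample Dockerfile is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: heuristic lint for the WORKDIR ownership problem above.
# Reads a Dockerfile on stdin. Returns 1 and prints one line per finding
# when a WORKDIR set as root is followed by a non-root USER with no RUN
# line that mentions both chown and that exact path; returns 0 otherwise.
# Limits: line continuations and a chown of a parent directory are not tracked.
lint_workdir() {
    awk '
        BEGIN { user = "root"; n = 0; bad = 0 }
        # Each FROM starts a new stage: reset user and pending directories.
        toupper($1) == "FROM" { user = "root"; n = 0; next }
        toupper($1) == "WORKDIR" {
            if (user == "root" || user == "0") { n++; dir[n] = $2; line[n] = NR }
            next
        }
        # A chown that names a pending directory clears it.
        toupper($1) == "RUN" && /chown/ {
            for (i = 1; i <= n; i++)
                if (dir[i] != "" && index($0, dir[i])) dir[i] = ""
            next
        }
        toupper($1) == "USER" {
            user = $2
            sub(/:.*/, "", user)          # USER name:group -> name
            if (user != "root" && user != "0") {
                for (i = 1; i <= n; i++) if (dir[i] != "") {
                    printf "line %d: WORKDIR %s may be root-owned for USER %s\n", line[i], dir[i], user
                    bad = 1
                }
                n = 0
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the relevant lines of the Dockerfile from this post.
# "sample fixed" includes the chown line; the base image is a placeholder.
sample() {
    echo 'FROM registry.example/base:latest'
    echo 'RUN useradd -u 7685 -r -g users -m -s /sbin/nologin builder'
    echo 'WORKDIR /home/builder/app'
    if [ "$1" = fixed ]; then
        echo 'RUN chown builder:users /home/builder/app && chmod 755 /home/builder/app'
    fi
    echo 'USER builder'
    echo 'RUN ./mvnw -B package'
}

sample | lint_workdir || echo "original variant flagged"
```

Run it against a real file with `lint_workdir < Dockerfile`; a non-zero exit status can fail a CI step before the image is built with a different tool.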

Once the problem has been identified, it is easier to find the related bugs that describe it: