[Bug 2029523] Re: docker export is missing ownership information
Dave Jones
2029523 at bugs.launchpad.net
Mon Aug 7 11:49:20 UTC 2023
This looks good to go (and thank you for a well done SRU template -- I
do like it when the test plan simply includes the commands necessary!);
sponsoring
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2029523
Title:
docker export is missing ownership information
Status in docker.io-app package in Ubuntu:
New
Status in docker.io-app source package in Focal:
New
Status in docker.io-app source package in Jammy:
New
Bug description:
[ Impact ]
The tar archive created by the docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate a filesystem for unprivileged processes (e.g. via docker import, or just unpacking it and chrooting), they can fail with a permission denied error or in some other way.
This bug happens when the package is built with Go older than 1.19: this
version of Go introduced the build tag unix, which is used by upstream to
determine whether it should add UNIX-specific attributes into the archive.
Older Go versions silently ignore this source code, and the result is
missing UIDs and GIDs in tar archives. As Go 1.20 was backported to the
affected releases, the attached patches use this version to fix the bug.
[ Test Plan ]
Run the following commands (as a user in the docker group, or as root):
docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
docker export lp_2029523 | tar tv etc/shadow
The first command will show that the file is owned by root:shadow, while
the second will show that it is owned by UID/GID 0/0. Here you can
downgrade or apply the fix to see that the second command starts to show
UID/GID 0/42, which is correct.
[ Where problems could occur ]
Upstream builds this Docker version with Go 1.19. While Go is usually pretty good at maintaining backward compatibility, there were some subtle changes in Go 1.20, like the handling of TLS handshake failures and some other error handling. So there could be changes in behavior when an error arises.
[ Other Info ]
The bug was introduced in 20.10.25-0ubuntu1~20.04.1; the previous version 20.10.21-0ubuntu1~20.04.2 works as intended. Jammy is also affected. Newer releases are not affected, as they already use Go 1.20.
The issue is caused by this change:
https://github.com/moby/moby/commit/721358e0cb7c10b41508f3c114baeceb2ac9ba0a#diff-12919f88ca9c04e478a6ffdf37e9a67ccdd2997afdc2e51adb1e67c53dcdbd8cL5-R5
and by packaging with Go 1.18. It can be fixed by appending this tag
to DOCKER_BUILDTAGS, but building the package with a newer Go version is
even better.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: docker.io 20.10.25-0ubuntu1~20.04.1
ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
Uname: Linux 5.15.0-72-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.27
Architecture: amd64
CasperMD5CheckResult: skip
Date: Thu Aug 3 20:27:42 2023
InstallationDate: Installed on 2023-05-19 (76 days ago)
InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
SourcePackage: docker.io-app
UpgradeStatus: No upgrade log present (probably fresh install)
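A small check for the symptom the test plan describes, added here as an example that is not part of the bug report or of Docker's code: it reads a tar stream such as the output of docker export and reports the uid/gid recorded for etc/shadow, which a correct export records as root:shadow (0/42) and the affected build as 0/0. The sampleExport helper is an assumption, a constructed one-entry archive standing in for a real export before and after the fix.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"log"
	"os"
)

// shadowOwner scans a tar stream (e.g. the output of `docker export`) and
// returns the uid/gid recorded for etc/shadow; found is false if it is absent.
func shadowOwner(r io.Reader) (int, int, bool, error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return 0, 0, false, nil
		} else if err != nil {
			return 0, 0, false, err
		}
		if hdr.Name == "etc/shadow" {
			return hdr.Uid, hdr.Gid, true, nil
		}
	}
}

// sampleExport is a constructed stand-in for a real export (an assumption, not
// Docker's code): gid 42 mimics the fixed package, gid 0 the affected one.
func sampleExport(gid int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "etc/shadow", Typeflag: tar.TypeReg, Mode: 0o640, Uid: 0, Gid: gid}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	tw.Close() // writing the trailer into a bytes.Buffer cannot fail
	return buf.Bytes()
}

func main() {
	// Usage: docker export lp_2029523 | go run check_export.go
	uid, gid, found, err := shadowOwner(os.Stdin)
	if err != nil || !found {
		log.Fatalln("cannot read etc/shadow from archive:", err)
	}
	if uid != 0 || gid != 42 { // the test plan expects root:shadow (0/42)
		log.Fatalf("etc/shadow owned by %d/%d: ownership was lost", uid, gid)
	}
	log.Printf("etc/shadow owned by %d/%d: ownership preserved", uid, gid)
}
```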