carvel-dev/imgpkg

imgpkg removes group permissions when storing files in OCI image, which causes permission problems with the Jammy stack

navdeep-pama opened this issue · 1 comments

navdeep-pama commented

What happened:
Jammy-base builders require read permissions is set for group. It uses different users for build and run, so group read permissions are required to access files.

  • Using imgpkg to copy a jammy-base image
  • Imgpkg removes group permissions when storing files in OCI image, permissions are set based on unmask
  • node/python/gradle workload deployments with "--local-path" will fail. These projects require read access to file system resources.

What did you expect:
The permissions should be retained so that Jammy-base images and their workloads can run.

Anything else you would like to add:
imgpkg should implement a new flag called --preserve-permissions that will disable the current behavior for imgpkg that would remove all the permissions. This will ensure we don't cause a breaking change for existing user workflows.

joaopapereira commented

Going to change from bug to feature, since this is the way imgpkg is supposed to behave. We decided to go with this behavior to add an extra layer of security to ensure that the user that creates files is the only one that can update them.

In the examples above there is some situation where we might want to forfeit this feature and allow for the full permissions to be kept. In order to enable these scenarios we might, as suggested, create a new flag for imgpkg push to keep the permissions.

The main side effect here that we must have into account is the fact that when imgpkg pulls the image it will have to know that the permission bits should be kept. In order for this to be done we can try to see if there is a way to make the code understand if the permissions are present or not and if imgpkg should copy the user bits or not.
Some investigation needs to go into this.

In case this makes the code much more complicated we can decide to go with the creation of something in the image, like a file on .imgpkg/ folder or some annotation on the image itself to inform imgpkg about the expected behavior on pull.