chmod COPY doesn't work with symbolic representation in Dockerfile frontend v1.10.0

[jtruskow]

Environment details:

docker buildx inspect
Name:          buildkit-latest
Driver:        docker-container
Last Activity: 2024-09-11 17:25:12 +0000 UTC

Nodes:
Name:      buildkit-latest0
Endpoint:  unix:///var/run/docker.sock
Status:    running
Buildkit:  v0.15.2
Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         a0ed78c56c52
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:           false
 Filters:       type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration: 48h0m0s
 Keep Bytes:    488.3MiB
GC Policy rule#1:
 All:           false
 Keep Duration: 1440h0m0s
 Keep Bytes:    23.28GiB
GC Policy rule#2:
 All:        false
 Keep Bytes: 23.28GiB
GC Policy rule#3:
 All:        true
 Keep Bytes: 23.28GiB

In v1.9.0 and earlier, using the symbolic mode of the chmod command during COPY instructions worked. In the latest release, the increased validation of the COPY/ADD commands only permits octal representation.

Is it a conscious decision to only support octal representation?

Sample output using latest frontend:

docker buildx build .
[+] Building 3.1s (7/7) FINISHED                                                                                          docker-container:buildkit-latest
 => [internal] load build definition from Dockerfile                                                                                                  0.1s
 => => transferring dockerfile: 9.58kB                                                                                                                0.0s
 => resolve image config for docker-image://docker.io/docker/dockerfile:1                                                                             0.4s
 => CACHED docker-image://docker.io/docker/dockerfile:1@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5                       0.1s
 => => resolve docker.io/docker/dockerfile:1@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5                                  0.1s
 => [internal] load metadata for <baseimage>
 => [internal] load metadata for docker.io/library/ubuntu:latest                                                                                      1.9s
 => [auth] <registry login>
 => [internal] load .dockerignore                                                                                                                     0.1s
 => => transferring context: 485B                                                                                                                     0.0s
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
Dockerfile:142
--------------------
 140 |     
 141 |     ###---INSTALL PYTHON PACKAGES AND CHANGE OWNERSHIP---###
 142 | >>> COPY --chown=myuser:root --chmod=g+w packaging/build_environment/requirements.txt /opt/xxx/xxxxxxx/
--------------------
ERROR: failed to solve: invalid chmod parameter: 'g+w'. it should be octal string and between 0 and 07777

[thaJeztah]

Looking at the linked PR, I think the change was that previously the invalid value was silently ignored, so while it may have "accepted" r+w, it didn't actually do anything.

[jtruskow]

Looking at the linked PR, I think the change was that previously the invalid value was silently ignored, so while it may have "accepted" r+w, it didn't actually do anything.

Looks like you're right. I'll confirm it previously had no effect in my build and close this issue if so.

I found this issue about adding support for symbolic representation: #1951 but it doesn't seem to be getting much attention. Is there any plan to add support for it?