Description
Issue Description
Several of our builds that attempt to mount a build secret have started failing after quay.io/buildah/stable:v1 was updated from v1.40.1 to v1.41.3.
The issue seems to be that specifying the uid as an argument to the --mount parameter no longer results in the expected permissions for the secret.
Steps to reproduce the issue
With this Containerfile:
FROM docker.io/library/alpine:latest
# Runs as the image default user (root); the secret is mounted with its default ownership.
RUN --mount=type=secret,id=test_secret \
/bin/sh -c '\
ls -lh /run/secrets/test_secret \
&& [ -e /run/secrets/test_secret ] \
&& cat /run/secrets/test_secret \
&& [ "$(cat /run/secrets/test_secret)" = "some-expected-secret-value" ]' \
&& echo "Test OK"
# Switch to nobody (uid 65534) and ask for the secret to be owned by that uid,
# so that the unprivileged step can read the 0400 file.
USER nobody
RUN --mount=type=secret,uid=65534,id=test_secret_user \
/bin/sh -c '\
ls -lh /run/secrets/test_secret_user \
&& [ -e /run/secrets/test_secret_user ] \
&& cat /run/secrets/test_secret_user \
&& [ "$(cat /run/secrets/test_secret_user)" = "some-other-secret-value" ]' \
&& echo "Test OK"
... do this:
export SECRET1=some-expected-secret-value
export SECRET2=some-other-secret-value
buildah build --secret id=test_secret,src=env,env=SECRET1 --secret id=test_secret_user,src=env,env=SECRET2 .
Describe the results you received
STEP 3/4: USER nobody
--> Pushing cache []
--> 58e995db39e6
STEP 4/4: RUN --mount=type=secret,uid=65534,id=test_secret_user /bin/sh -c ' ls -lh /run/secrets/test_secret_user && [ -e /run/secrets/test_secret_user ] && cat /run/secrets/test_secret_user && [ "$(cat /run/secrets/test_secret_user)" = "some-other-secret-value" ]' && echo "Test OK"
ls: /run/secrets/test_secret_user: Permission denied
subprocess exited with status 1
subprocess exited with status 1
Error: building at STEP "RUN --mount=type=secret,uid=65534,id=test_secret_user /bin/sh -c ' ls -lh /run/secrets/test_secret_user && [ -e /run/secrets/test_secret_user ] && cat /run/secrets/test_secret_user && [ "$(cat /run/secrets/test_secret_user)" = "some-other-secret-value" ]' && echo "Test OK"": exit status 1
Describe the results you expected
--> Pushing cache []
--> c794fe725496
STEP 4/4: RUN --mount=type=secret,uid=65534,id=test_secret_user /bin/sh -c ' ls -lh /run/secrets/test_secret_user && [ -e /run/secrets/test_secret_user ] && cat /run/secrets/test_secret_user && [ "$(cat /run/secrets/test_secret_user)" = "some-other-secret-value" ]' && echo "Test OK"
-r-------- 1 nobody root 23 Sep 1 12:40 /run/secrets/test_secret_user
some-other-secret-valueTest OK
buildah version output
We're following the latest quay.io/buildah/stable:v1 image, which we update nightly. This image was recently updated from v1.40.1 to v1.41.3.
buildah info output
We're running the official image on kubernetes, with slight customizations:
FROM quay.io/buildah/stable:v1
RUN sed -i \
's/^.\+secrets\/\(etc-pki-entitlement\|rhsm\).\+$/#&/' \
/etc/containers/mounts.conf \
&& sed -i \
-e 's/^mount_program/#mount_program/g' \
-e 's/^mountopt/#mountopt/g' \
/etc/containers/storage.conf \
&& dnf remove -y fuse-overlayfs
COPY registries.conf.d/* /etc/containers/registries.conf.d/
Provide your storage.conf
Official buildah image with customizations as above.
Upstream Latest Release
Yes
Additional environment details
No response
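The ls/cat checks in the Containerfile above only tell you that the read failed. The following POSIX sh helper is an added example (not from the issue and not Buildah's own code) that makes the owner/mode expectation of a secret mount explicit and reports which of the three conditions broke: existence, owner uid, octal mode (0400 as in the expected output), or readability by the current uid. The function name `check_secret` is an assumption; it relies on `stat -c`, which both busybox (alpine) and GNU coreutils provide, so it can be called from a RUN step in place of the bare `ls -lh`.

```shell
#!/bin/sh
# Added example (not from the issue or from Buildah): verify that a file
# mounted via --mount=type=secret has the owner and mode the build expects
# and is actually readable by the current user before the build uses it.
# Requires `stat -c` (busybox on alpine, or GNU coreutils).

# check_secret PATH EXPECTED_UID [EXPECTED_MODE]
# Returns 0 if PATH exists, is owned by EXPECTED_UID, has octal mode
# EXPECTED_MODE (default 400, matching "-r--------" in the expected output)
# and can be opened by the current process; otherwise prints which
# condition failed on stderr and returns 1.
check_secret() {
    path=$1
    want_uid=$2
    want_mode=${3:-400}

    if [ ! -e "$path" ]; then
        echo "secret $path: missing" >&2
        return 1
    fi

    # %u is the numeric owner, %a the octal permission bits.
    have_uid=$(stat -c '%u' "$path") || return 1
    have_mode=$(stat -c '%a' "$path") || return 1

    if [ "$have_uid" != "$want_uid" ]; then
        echo "secret $path: owned by uid $have_uid, expected uid $want_uid" >&2
        return 1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "secret $path: mode $have_mode, expected $want_mode" >&2
        return 1
    fi

    # Ownership and mode looking right is not the same as being readable
    # (ls -l succeeds on a file that cat cannot open), so try to read it.
    if ! cat "$path" >/dev/null 2>&1; then
        echo "secret $path: not readable by uid $(id -u)" >&2
        return 1
    fi
    return 0
}
```

Inside a RUN step the call would be `check_secret /run/secrets/test_secret_user 65534 400 && cat /run/secrets/test_secret_user`; with the v1.41.3 behaviour reported above it fails on the uid comparison rather than with a bare "Permission denied", which is the distinction that matters when deciding whether the mount option or the user switch is at fault.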