[Docker] Make all files added via the files attribute executable and read-only

Also adds a `mode` attribute to docker_build so you can specify the mode you prefer. RELNOTES: [docker] docker_build now set the permission to 0555 to files added to the layer, use `mode = "0644"` to use the legacy behavior. -- MOS_MIGRATED_REVID=103743458
author: Damien Martin-Guillerez <dmarting@google.com> 2015-09-23 14:26:22 +0000
committer: Philipp Wollermann <philwo@google.com> 2015-09-24 14:16:08 +0000
commit: f396134227c6bb1f9b078038cacda0b153382ea9 (patch)
tree: 2b8887eb1170d40522d31b834f4b8639529e97f1 /tools
parent: f9ab555fb8d869894ff80d02eeeb5666e5055046 (diff)
4 files changed, 42 insertions, 7 deletions
diff --git a/tools/build_defs/docker/README.md b/tools/build_defs/docker/README.md
index f8d147135b..3d93ec45ce 100644
--- a/tools/build_defs/docker/README.md
+++ b/tools/build_defs/docker/README.md
@@ -180,8 +180,8 @@ docker_build(
 <a name="docker_build"></a>
 ### `docker_build`
 
-`docker_build(name, base, data_path, directory, files, tars, debs,
-symlinks, entrypoint, cmd, env, ports, volumes)`
+`docker_build(name, base, data_path, directory, files, mode, tars,
+debs, symlinks, entrypoint, cmd, env, ports, volumes)`
 
 <table>
   <thead>
@@ -247,6 +247,15 @@ symlinks, entrypoint, cmd, env, ports, volumes)`
       </td>
     </tr>
     <tr>
+      <td><code>mode</code></td>
+      <td>
+        <code>String, default to 0555</code>
+        <p>
+          Set the mode of files added by the <code>files</code> attribute.
+        </p>
+      </td>
+    </tr>
+    <tr>
       <td><code>tars</code></td>
       <td>
         <code>List of files, optional</code>
diff --git a/tools/build_defs/docker/build_layer.py b/tools/build_defs/docker/build_layer.py
index 3f78ab03af..ca2d80cd0d 100644
--- a/tools/build_defs/docker/build_layer.py
+++ b/tools/build_defs/docker/build_layer.py
@@ -31,6 +31,10 @@ gflags.DEFINE_multistring(
     'file', [],
     'A file to add to the layer')
 
+gflags.DEFINE_string(
+    'mode', None,
+    'Force the mode on the added files (in octal).')
+
 gflags.DEFINE_multistring(
     'tar', [],
     'A tar file to add to the layer')
@@ -71,13 +75,14 @@ class DockerLayer(object):
   def __exit__(self, t, v, traceback):
     self.tarfile.close()
 
-  def add_file(self, f, destfile):
+  def add_file(self, f, destfile, mode=None):
     """Add a file to the layer.
 
     Args:
        f: the file to add to the layer
        destfile: the name of the file in the layer
-
+       mode: force to set the specified mode, by
+          default the value from the source is taken.
     `f` will be copied to `self.directory/destfile` in the layer.
     """
     dest = destfile.lstrip('/')  # Remove leading slashes
@@ -85,7 +90,10 @@ class DockerLayer(object):
     # options, not just files...
     if self.directory and self.directory != '/':
       dest = self.directory.lstrip('/') + '/' + dest
-    self.tarfile.add_file(dest, file_content=f)
+    # If mode is unspecified, derive the mode from the file's mode.
+    if mode is None:
+      mode = 0755 if os.access(f, os.X_OK) else 0644
+    self.tarfile.add_file(dest, file_content=f, mode=mode)
 
   def add_tar(self, tar):
     """Add a tar file to the layer.
@@ -138,10 +146,14 @@ class DockerLayer(object):
 
 
 def main(unused_argv):
+  force_mode = None
+  if FLAGS.mode:
+    # Convert from octal
+    force_mode = int(FLAGS.mode, 8)
   with DockerLayer(FLAGS.output, FLAGS.directory) as layer:
     for f in FLAGS.file:
       (inf, tof) = f.split('=', 1)
-      layer.add_file(inf, tof)
+      layer.add_file(inf, tof, force_mode)
     for tar in FLAGS.tar:
       layer.add_tar(tar)
     for deb in FLAGS.deb:
diff --git a/tools/build_defs/docker/docker.bzl b/tools/build_defs/docker/docker.bzl
index e5badabe99..6e630dd89a 100644
--- a/tools/build_defs/docker/docker.bzl
+++ b/tools/build_defs/docker/docker.bzl
@@ -91,7 +91,8 @@ def _build_layer(ctx):
   build_layer = ctx.executable._build_layer
   args = [
       "--output=" + layer.path,
-      "--directory=" + ctx.attr.directory
+      "--directory=" + ctx.attr.directory,
+      "--mode=" + ctx.attr.mode,
       ]
   args += ["--file=%s=%s" % (f.path, _dest_path(f, data_path))
            for f in ctx.files.files]
@@ -240,6 +241,7 @@ docker_build_ = rule(
         "tars": attr.label_list(allow_files=tar_filetype),
         "debs": attr.label_list(allow_files=deb_filetype),
         "files": attr.label_list(allow_files=True),
+        "mode": attr.string(default="0555"),
         "symlinks": attr.string_dict(),
         "entrypoint": attr.string_list(),
         "cmd": attr.string_list(),
diff --git a/tools/build_defs/docker/testdata/BUILD b/tools/build_defs/docker/testdata/BUILD
index cce876cfb6..8b1bcd194a 100644
--- a/tools/build_defs/docker/testdata/BUILD
+++ b/tools/build_defs/docker/testdata/BUILD
@@ -27,28 +27,33 @@ genrule(
 docker_build(
     name = "no_data_path_image",
     files = ["//tools/build_defs/docker/testdata/test:test-data"],
+    mode = "0644",
 )
 
 docker_build(
     name = "data_path_image",
     data_path = ".",
     files = ["//tools/build_defs/docker/testdata/test:test-data"],
+    mode = "0644",
 )
 
 docker_build(
     name = "gen_image",
     files = [":gen"],
+    mode = "0644",
 )
 
 docker_build(
     name = "files_base",
     files = ["foo"],
+    mode = "0644",
 )
 
 docker_build(
     name = "files_with_files_base",
     base = ":files_base",
     files = ["bar"],
+    mode = "0644",
 )
 
 docker_build(
@@ -66,6 +71,7 @@ docker_build(
     name = "files_with_tar_base",
     base = ":tar_base",
     files = ["bar"],
+    mode = "0644",
 )
 
 docker_build(
@@ -79,6 +85,7 @@ docker_build(
     name = "base_with_entrypoint",
     entrypoint = ["/bar"],
     files = ["bar"],
+    mode = "0644",
     ports = ["8080"],
     tars = ["two.tar"],
 )
@@ -89,6 +96,7 @@ docker_build(
     base = ":base_with_entrypoint",
     cmd = ["shadowed-arg"],
     files = ["foo"],
+    mode = "0644",
 )
 
 docker_build(
@@ -108,6 +116,7 @@ docker_build(
         "bar",
         "foo",
     ],
+    mode = "0644",
     volumes = ["/logs"],
 )
 
@@ -190,6 +199,7 @@ docker_build(
     name = "notop_files_with_files_base",
     base = ":notop_files_base",
     files = ["bar"],
+    mode = "0644",
 )
 
 docker_build(
@@ -202,6 +212,7 @@ docker_build(
     name = "notop_files_with_tar_base",
     base = ":notop_tar_base",
     files = ["bar"],
+    mode = "0644",
 )
 
 docker_build(
@@ -215,6 +226,7 @@ docker_build(
     base = ":notop_base_with_entrypoint",
     cmd = ["shadowed-arg"],
     files = ["foo"],
+    mode = "0644",
 )
 
 docker_build(
author	Damien Martin-Guillerez <dmarting@google.com>	2015-09-23 14:26:22 +0000
committer	Philipp Wollermann <philwo@google.com>	2015-09-24 14:16:08 +0000
commit	f396134227c6bb1f9b078038cacda0b153382ea9 (patch)
tree	2b8887eb1170d40522d31b834f4b8639529e97f1 /tools
parent	f9ab555fb8d869894ff80d02eeeb5666e5055046 (diff)