jib-maven-plugin - How to set folder permission

Question

I'm trying to build docker image using jib-maven-plugin, I want to set permission for specific folder. If I am using docker file, the configuration will look below :

FROM xxxxxxxx.com/sandbox/gui-server:1.0.0-SNAPSHOT
USER root
RUN chmod 755 /home/www
USER www

Now how do I implement this using jib-maven-plugin? I believe somewhere in pom.xml in jib-maven-plugin

<container>
   <mainClass>${mainClass}</mainClass>
      ...
        ...
      <user>www</user>
</container>

Answer 1

The first question you need to think about is why you have to change the permissions of a base image directory (/home/www in your case) to 755. It might be the case that the base image is specifically designed to be run as root and /home/www should only readable by root for some reason I don't know. Or, if it doesn't make sense that the directory is not readable by a non-root user, it may be a bug that should be fixed in the base image.

If you still want to change the permissions of an arbitrary directory of a base image, I can think of an abuse of the <extraDirectories> feature as demonstrated here. However, I am a bit reluctant to suggest this hack as a good workaround. In many cases (although not yours), the root of the issue may not be about permissions but about file/directory ownership or about fixing an app to not mutate files in the base image. If the files/directories were not from a base image but about files/directories put by Jib, maybe the Jib Ownership Extension (Maven / Gradle) might resolve some seemingly-permission-related issues.

Also check out this Stack Overflow question.

---

For those who wonder the possibility of a RUN-like support in Jib (i.e., actually executing a command inside a container using some container runtime), I'll quote these comments:

the way Jib builds an image is fundamentally different from how the Docker CLI builds an image using Dockerfile (reproducible vs. non-reproducible, declarative vs. imperative, Docker and Dockerfile-less build vs. requiring Docker daemon and client, requiring root-privilege vs. not). Jib is in a very different realm, so unfortunately, it is very difficult to support ONBUILD unless we radically change our opinionated philosophy in how an image should be built. Basically, we don't "run" Dockerfile directives, particularly the ones like RUN that executes something. Jib doesn't provide/include a Docker runtime (that is one of the points of Jib).

And as for running arbitrary commands, unfortunately this is largely incompatible with the mode Jib operates in, because the way Jib builds an image is fundamentally different from how Docker does: https://github.com/GoogleContainerTools/jib/issues/1806#issuecomment-505526975 We build images in a declarative and reproducible way without actually requiring to have a runtime component to be able to run an image at image build-time; running an image basically destroys reproducibility. So unfortunately it is very difficult for Jib to support "running" arbitrary commands at image building-time.