From 07f5e2da31010d9b10d10d26fccaf83b465f75b9 Mon Sep 17 00:00:00 2001
From: Nicolas De Loof
Date: Mon, 20 Oct 2025 08:26:03 +0200
Subject: [PATCH] Compose can't create a tar with adequate uid:gid ownership as we can't get container UID/GID as int by ContainerInspect revert https://github.com/docker/compose/pull/13288
Signed-off-by: Nicolas De Loof
---
 pkg/compose/secrets.go | 33 +-----------------------
 pkg/e2e/fixtures/env-secret/compose.yaml | 17 ------------
 pkg/e2e/secrets_test.go | 23 -----------------
 3 files changed, 1 insertion(+), 72 deletions(-)
diff --git a/pkg/compose/secrets.go b/pkg/compose/secrets.go
index 42ccd4e76b8..72bc4b5c8e8 100644
--- a/pkg/compose/secrets.go
+++ b/pkg/compose/secrets.go
@@ -22,7 +22,6 @@ import (
 "context"
 "fmt"
 "strconv"
- "strings"
 "time"
 
 "github.com/compose-spec/compose-go/v2/types"
@@ -46,7 +45,6 @@ func (s *composeService) injectConfigs(ctx context.Context, project *types.Proje
 
 func (s *composeService) injectFileReferences(ctx context.Context, project *types.Project, service types.ServiceConfig, id string, mountType mountType) error {
 mounts, sources := s.getFilesAndMap(project, service, mountType)
- var ctrConfig *container.Config
 
 for _, mount := range mounts {
 content, err := s.resolveFileContent(project, sources[mount.Source], mountType)
@@ -63,11 +61,6 @@ func (s *composeService) injectFileReferences(ctx context.Context, project *type
 
 s.setDefaultTarget(&mount, mountType)
 
- ctrConfig, err = s.setFileOwnership(ctx, id, &mount, ctrConfig)
- if err != nil {
- return err
- }
-
 if err := s.copyFileToContainer(ctx, id, content, mount); err != nil {
 return err
 }
@@ -129,30 +122,6 @@ func (s *composeService) setDefaultTarget(file *types.FileReferenceConfig, mount
 }
 }
 
-func (s *composeService) setFileOwnership(ctx context.Context, id string, file *types.FileReferenceConfig, ctrConfig *container.Config) (*container.Config, error) {
- if file.UID != "" || file.GID != "" {
- return ctrConfig, nil
- }
-
- if ctrConfig == nil {
- ctr, err := s.apiClient().ContainerInspect(ctx, id)
- if err != nil {
- return nil, err
- }
- ctrConfig = ctr.Config
- }
-
- parts := strings.Split(ctrConfig.User, ":")
- if len(parts) > 0 {
- file.UID = parts[0]
- }
- if len(parts) > 1 {
- file.GID = parts[1]
- }
-
- return ctrConfig, nil
-}
-
 func (s *composeService) copyFileToContainer(ctx context.Context, id, content string, file types.FileReferenceConfig) error {
 b, err := createTar(content, file)
 if err != nil {
@@ -160,7 +129,7 @@ func (s *composeService) copyFileToContainer(ctx context.Context, id, content st
 }
 
 return s.apiClient().CopyToContainer(ctx, id, "/", &b, container.CopyToContainerOptions{
- CopyUIDGID: true,
+ CopyUIDGID: file.UID != "" || file.GID != "",
 })
 }
 
diff --git a/pkg/e2e/fixtures/env-secret/compose.yaml b/pkg/e2e/fixtures/env-secret/compose.yaml
index ef272419a40..51052d36d21 100644
--- a/pkg/e2e/fixtures/env-secret/compose.yaml
+++ b/pkg/e2e/fixtures/env-secret/compose.yaml
@@ -14,23 +14,6 @@ services:
 mode: 0440
 command: cat /run/secrets/bar
 
- bar:
- image: alpine
- user: "1005"
- secrets:
- - source: secret
- target: bar
- command: cat /run/secrets/bar
-
- zot:
- image: alpine
- user: "1005:1005"
- secrets:
- - source: secret
- target: bar
- command: cat /run/secrets/bar
-
-
 secrets:
 secret:
 environment: SECRET
diff --git a/pkg/e2e/secrets_test.go b/pkg/e2e/secrets_test.go
index dde21061b36..3e3895112a3 100644
--- a/pkg/e2e/secrets_test.go
+++ b/pkg/e2e/secrets_test.go
@@ -17,7 +17,6 @@
 package e2e
 
 import (
- "strings"
 "testing"
 
 "gotest.tools/v3/icmd"
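Review bot: The new `CopyUIDGID: file.UID != "" || file.GID != ""` in copyFileToContainer (pkg/compose/secrets.go, hunk at -160) has no comment saying who owns an injected secret or config when neither field is set, which is the case that matters for a service running under a non-root `user:`. I would add above the field `// Apply the tar header's uid/gid only when one was set explicitly on the secret/config; otherwise ownership is left to the engine's default.` — the engine's default is not visible in this diff and should be confirmed. When only one of the two is set, the value written for the other comes from createTar, which is outside this patch, so it is worth checking that it does not silently fall back to 0. The e2e cases deleted from secrets_test.go were the only visible coverage for a `user:` service without explicit uid/gid, so that default path is now untested. The function begins above this hunk.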
@@ -41,28 +40,6 @@ func TestSecretFromEnv(t *testing.T) {
 })
 res.Assert(t, icmd.Expected{Out: "-r--r----- 1 1005 1005"})
 })
- t.Run("secret uid from user", func(t *testing.T) {
- res := c.RunDockerCmd(t, "version", "--format", "{{ .Server.Version }}")
- if strings.HasPrefix(res.Stdout(), "27.") {
- t.Skip("USER uid:gid is not supported")
- }
- res = icmd.RunCmd(c.NewDockerComposeCmd(t, "-f", "./fixtures/env-secret/compose.yaml", "run", "bar", "ls", "-al", "/var/run/secrets/bar"),
- func(cmd *icmd.Cmd) {
- cmd.Env = append(cmd.Env, "SECRET=BAR")
- })
- res.Assert(t, icmd.Expected{Out: "-r--r--r-- 1 1005 root"})
- })
- t.Run("secret uid:gid from user", func(t *testing.T) {
- res := c.RunDockerCmd(t, "version", "--format", "{{ .Server.Version }}")
- if strings.HasPrefix(res.Stdout(), "27.") {
- t.Skip("USER uid:gid is not supported")
- }
- res = icmd.RunCmd(c.NewDockerComposeCmd(t, "-f", "./fixtures/env-secret/compose.yaml", "run", "zot", "ls", "-al", "/var/run/secrets/bar"),
- func(cmd *icmd.Cmd) {
- cmd.Env = append(cmd.Env, "SECRET=BAR")
- })
- res.Assert(t, icmd.Expected{Out: "-r--r--r-- 1 1005 1005"})
- })
 }
 
 func TestSecretFromInclude(t *testing.T) {