[BUG] crashes while parsing when using docker compose secrets and `USER` in Dockerfile

[KhalidAlansary]

Description

Crash output:
strconv.Atoi: parsing "postgres": invalid syntax

The bug was introduced in v2.40.1 It didn't occur in v2.40.0

I think this was introduced in #13288 by @ndeloof .

The bug occurs when using docker compose secrets with a Dockerfile that contains the USER instruction.

Steps To Reproduce

1. Create a file named Dockerfile with the following contents (you can leave the comment as it is):

FROM docker.io/postgres:18
USER root
# RUN apt install some stuff
USER postgres

2. Create a compose.yaml file with the following contents:

services:
  db:
    build:
      context: .
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password

secrets:
  postgres_password:
    environment: POSTGRES_PASSWORD

3. Create a .env file with the following contents:

POSTGRES_PASSWORD=secret

4. Run docker compose up

You should see the error strconv.Atoi: parsing "postgres": invalid syntax

Compose Version

Docker Compose version 2.40.1

Docker Environment

Client:
 Version:    28.5.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.29.1
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.40.1
    Path:     /usr/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 14
 Server Version: 28.5.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 75cb2b7193e4e490e9fbdc236c0e811ccaba3376.m
 runc version: 
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.17.3-arch2-1
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 15.39GiB
 Name: Archie
 ID: 4f8ab52e-4360-4ccd-a597-046a27df2299
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Anything else?

No response

[ndeloof]

diagnostic : containerInspect returns Config.User = root, not actual UID:GID 🥲
I'll check if we have an alternative, otherwise will have to revert #13288

[thaJeztah]

Yes this is probably similar to what I had to fix in copy - it's a tricky one though, because the lookup has to happen within the container filesystem, and depending on how users are defined, even within the container's namespace (nss lookups)

• Fix parsing of user/group during copy operation moby/moby#34143