Actual behavior
Layer tar files contain a header for the path /, which looks like an absolute path name and creates problems for the internal non-Docker container runtime we use. Images created using Docker work just fine.
Expected behavior
Tar files should not contain absolute paths. GNU tar drops the leading / from absolute paths, so this mostly works, but other tools fail to extract images created by Kaniko.
To Reproduce
Use this Dockerfile:
FROM debian:buster
RUN apt-get update && \
    apt-get install -y --no-install-recommends vim && \
    rm -rf /var/lib/apt/lists/*
Build with kaniko, saving the image locally so that we can inspect it.
docker run -v $PWD:/workspace gcr.io/kaniko-project/executor@sha256:d60705cb55460f32cee586570d7b14a0e8a5f23030a0532230aaf707ad05cecd \
    --dockerfile /workspace/Dockerfile --context dir:///workspace/ --tarPath /workspace/image.tar \
    --no-push --destination=image
Extract and inspect the image. Observe the first entry: /.
$ tar xf image.tar
$ tar --list --verbose --file d201a7839a4aa3a639e61c9782ac73e714b1b2acd3919a6774c29536cdd395c7.tar.gz | head
drwxr-xr-x 0 0 0 0 Aug 7 13:52 /
drwxr-xr-x 0 0 0 0 Aug 7 13:52 etc/
drwxr-xr-x 0 0 0 0 Aug 7 13:52 etc/alternatives/
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor -> /usr/bin/vim.basic
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor.1.gz -> /usr/share/man/man1/vim.1.gz
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor.da.1.gz -> /usr/share/man/da/man1/vim.1.gz
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor.de.1.gz -> /usr/share/man/de/man1/vim.1.gz
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor.fr.1.gz -> /usr/share/man/fr/man1/vim.1.gz
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor.it.1.gz -> /usr/share/man/it/man1/vim.1.gz
lrwxrwxrwx 0 0 0 0 Aug 7 13:52 etc/alternatives/editor.ja.1.gz -> /usr/share/man/ja/man1/vim.1.gz
Triage Notes for the Maintainers
| Description | Yes/No |
| --- | --- |
| Please check if this is a new feature you are proposing | |
| Please check if the build works in docker but not in kaniko | |
| Please check if this error is seen when you use --cache flag | |
| Please check if your dockerfile is a multistage dockerfile | |
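A check for the condition reported above, as an added example that is not part of the original issue or of Kaniko's code: it lists layer members whose names are absolute and, going slightly beyond the report, names that contain a ".." component. The function names and the in-memory sample layer are constructed for illustration.

```python
import io
import tarfile

# Constructed sample mirroring the listing above: a root entry named "/",
# a relative directory, and a symlink whose *target* is absolute.
SAMPLE = [
    ("/", tarfile.DIRTYPE, ""),
    ("etc/", tarfile.DIRTYPE, ""),
    ("etc/alternatives/editor", tarfile.SYMTYPE, "/usr/bin/vim.basic"),
]


def build_layer(entries):
    """Write (name, type, linkname) entries to an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as layer:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)  # stored as given, "/" is not stripped
            info.type, info.linkname, info.mode = kind, target, 0o755
            layer.addfile(info)
    buf.seek(0)
    return buf


def audit_layer(fileobj):
    """Return (name, reason) for each member name that is not a clean relative path."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as layer:
        for member in layer:
            name = member.name
            # tarfile strips trailing slashes from directory names when
            # reading, so a header named "/" arrives here as "".
            if name == "" or name.startswith("/"):
                findings.append((name or "/", "absolute path"))
            elif ".." in name.split("/"):
                findings.append((name, "parent-directory component"))
            # Absolute symlink targets are normal inside a root filesystem
            # layer and are deliberately not reported.
    return findings


if __name__ == "__main__":
    for name, reason in audit_layer(build_layer(SAMPLE)):
        print(f"{reason}: {name!r}")
```

To check a real layer, open the extracted layer file in binary mode and pass the file object to audit_layer.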