kaniko icon indicating copy to clipboard operation
kaniko copied to clipboard

Published 20 hours ago verified publisher icon GoogleContainerTools

kaniko fails with a symbolic link pointing to itself

Open lxylxy123456 opened this issue 4 years ago • 11 comments

Actual behavior When the docker image contains a symbolic to itself (e.g. ln -s e e, where e is the file name located in /jkl/), kaniko fails by printing error message "ERRO[0012] couldn't eval /jkl/e with link /jkl/e", and the image pushed to the registry is incomplete.

Expected behavior This error should not happen, and all files should be there.

To Reproduce Steps to reproduce the behavior:

  1. Follow the tutorial, but change the Dockerfile to the one below.
  2. kubectl logs kaniko shows (note the last line is an error):
INFO[0001] Retrieving image manifest ubuntu             
INFO[0001] Retrieving image ubuntu                      
INFO[0002] Retrieving image manifest ubuntu             
INFO[0002] Retrieving image ubuntu                      
INFO[0003] Built cross stage deps: map[]                
INFO[0003] Retrieving image manifest ubuntu             
INFO[0003] Retrieving image ubuntu                      
INFO[0004] Retrieving image manifest ubuntu             
INFO[0004] Retrieving image ubuntu                      
INFO[0005] Executing 0 build triggers                   
INFO[0005] Unpacking rootfs as cmd RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l requires it. 
INFO[0010] RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l 
INFO[0010] Taking snapshot of full filesystem...        
INFO[0011] cmd: /bin/sh                                 
INFO[0011] args: [-c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l] 
INFO[0011] Running: [/bin/sh -c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l] 
total 4
-rw-r--r-- 1 root root 2 Aug 24 23:38 a
lrwxrwxrwx 1 root root 1 Aug 24 23:38 b -> a
lrwxrwxrwx 1 root root 1 Aug 24 23:38 c -> d
lrwxrwxrwx 1 root root 1 Aug 24 23:38 e -> e
INFO[0011] Taking snapshot of full filesystem...        
ERRO[0012] couldn't eval /jkl/e with link /jkl/e
  1. If I pull the container from docker hub, I see (note that c -> d is gone):
root@e059594cfdff:/# ls
bin   dev  home  lib    lib64   media  opt   root  sbin  sys  usr
boot  etc  jkl   lib32  libx32  mnt    proc  run   srv   tmp  var
root@e059594cfdff:/# ls jkl
a  b  e
root@e059594cfdff:/# ls jkl -l
total 4
-rw-r--r-- 1 root root 2 Aug 24 23:38 a
lrwxrwxrwx 1 root root 1 Aug 24 23:38 b -> a
lrwxrwxrwx 1 root root 1 Aug 24 23:38 e -> e
root@e059594cfdff:/#

Expected (this is the result of building the image with docker)

$ docker run --rm -it my-container sh
# ls
bin   dev  home  lib	lib64	media  opt   root  sbin  sys  usr
boot  etc  jkl	 lib32	libx32	mnt    proc  run   srv	 tmp  var
# ls jkl
a  b  c  e
# ls -l jkl
total 4
-rw-r--r--. 1 root root 2 Aug 25 01:46 a
lrwxrwxrwx. 1 root root 1 Aug 25 01:46 b -> a
lrwxrwxrwx. 1 root root 1 Aug 25 01:46 c -> d
lrwxrwxrwx. 1 root root 1 Aug 25 01:46 e -> e
# 
$

Additional Information

  • Dockerfile 
    FROM ubuntu
RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l
  • Build Context None
  • Kaniko Image (fully qualified with digest) 
    gcr.io/kaniko-project/executor:latest
Digest: sha256:e36c9fa99279217c4bb8ee172819b441c3ca8ef946dc0e28b21721eefb2ba70a

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
  • - [ ]
Please check if the build works in docker but not in kaniko
  • - [x]
Please check if this error is seen when you use --cache flag
  • - [x]
Please check if your dockerfile is a multistage dockerfile
  • - [ ]

lxylxy123456 avatar Aug 24 '20 23:08 lxylxy123456

Note that the container pushed to Docker Hub is not deterministic. Sometimes it is missing other files. For example, during another run I get this container (this time a and b -> a are missing)

root@2c3f4ff954c6:/# ls jkl
c  e
root@2c3f4ff954c6:/# ls jkl -l
total 0
lrwxrwxrwx. 1 root root 1 Aug 25 01:41 c -> d
lrwxrwxrwx. 1 root root 1 Aug 25 01:41 e -> e
root@2c3f4ff954c6:/# exit

lxylxy123456 avatar Aug 25 '20 01:08 lxylxy123456

Might be related #1406

RoSk0 avatar Aug 31 '20 05:08 RoSk0

Maybe we have had the same problem here: image

Our problem & solution was: We run the kaniko executor binary in an different image than the google default docker image. Our image is based on SLES. The Image we wanted to build with kaniko was based on RHEL. Since we changed the RHEL based Dockerimage also to SLES, the full filesystem snapshot is running successful.

We are using: kaniko 1.0.0 tekton 0.14.2 sles 15sp1:1.20.37 rhel Red Hat Enterprise Linux Server release 7.7 (Maipo)

snukone avatar Sep 17 '20 13:09 snukone

Not only circular links, but also (some?) broken links cause this behaviour.

If there's a symlink /a -> /b/c/d and the directory /b/c doesn't exist, an error is printed couldn't eval /a with link /a and not only the symlink gets left out, but also random other files get left out of the container.

jbg avatar Oct 20 '21 10:10 jbg

I think latest kaniko doesn't have this problem?

mandric avatar Jan 05 '23 12:01 mandric

I think latest kaniko doesn't have this problem?

I tested with 1.9.1 and this issue still exists.

jia2 avatar Feb 23 '23 05:02 jia2

Reproduced with gcr.io/kaniko-project/executor:v1.9.2-debug

m00lecule avatar Apr 17 '23 15:04 m00lecule

An updated reproduction with https://github.com/GoogleContainerTools/kaniko/releases/tag/v1.16.0:

$ cat Dockerfile
FROM alpine

RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l

$ docker rmi -f rep
(...)

$ docker run \
-v `pwd`:/workspace \
gcr.io/kaniko-project/executor:v1.16.0 \
--dockerfile /workspace/Dockerfile \
--destination rep \
--no-push --tarPath /workspace/rep.tar

(...)
INFO[0002] RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l
INFO[0002] Initializing snapshotter ...
INFO[0002] Taking snapshot of full filesystem...
INFO[0002] Cmd: /bin/sh
INFO[0002] Args: [-c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l]
INFO[0002] Running: [/bin/sh -c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l]
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:24 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 c -> d
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 e -> e
INFO[0002] Taking snapshot of full filesystem...
ERRO[0002] Couldn't eval /jkl/e with link /jkl/e
INFO[0003] Skipping push to container registry due to --no-push flag
(...)

$ docker image load -i rep.tar
(...)

$ rm -rf rep.tar

$ docker run --rm --name rep rep ls -l jkl
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:24 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 e -> e

while with Docker:

$ docker rmi -f rep
(...)

$ docker build -t rep .
(...)
Step 2/2 : RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l
 ---> Running in 637034289a83
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:30 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 c -> d
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 e -> e
(...)

$ docker run --rm --name rep rep ls -l jkl
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:30 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 c -> d
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 e -> e

moret avatar Sep 27 '23 13:09 moret

any update on this?

algo7 avatar Jan 31 '24 16:01 algo7

any update on this?

zhangguanzhang avatar Apr 17 '24 10:04 zhangguanzhang

this?

jack80342 avatar Jul 04 '24 13:07 jack80342