buildpacks
pack create builder can create an "invalid" builder/docker image
Summary
I was being lazy and added some order groups to my builder.toml without adding all the direct dependencies. As I wrongly assumed that because the dependencies are already pulled in by other composite buildpacks that would be fine.
This lead to the following problem:
ERROR: failed to write image to the following tags: [index.docker.io/library/builder:latest: loading image "index.docker.io/library/builder:latest". first error: embedded daemon response: duplicates of file paths not supported]
Then I added --publish and while pack create builder succeeded, but I was unable to pull the image from my registry. It failed with the same error. Also tried investigating with dive and enabled logs on my dockerd to no avail:
time="2025-08-18T21:08:27.684526835Z" level=debug msg="Downloaded 9c91a841d99b to tempfile /var/lib/docker/tmp/GetImageBlob3246497519"
time="2025-08-18T21:08:27.685038127Z" level=debug msg="Using /usr/bin/unpigz to decompress"
time="2025-08-18T21:08:27.697453002Z" level=debug msg="Applying tar in /var/lib/docker/overlay2/360c4371ac0ada38d5fee8cabcd1358e507df5e9618a1e85e9186066d63e8e5c/diff" storage-driver=overlay2
2025/08/18 21:08:27 traces export: rpc error: code = Unimplemented desc = unknown service opentelemetry.proto.collector.trace.v1.TraceService
time="2025-08-18T21:08:29.185916086Z" level=debug msg="Cleaning up cache layer after error" cache-id=360c4371ac0ada38d5fee8cabcd1358e507df5e9618a1e85e9186066d63e8e5c error="duplicates of file paths not supported"
time="2025-08-18T21:08:29.207614294Z" level=info msg="Attempting next endpoint for pull after error: failed to register layer: duplicates of file paths not supported" spanID=6869239b1cf7ae13 traceID=cfd240adec6e9fa05be9fe84bfc253eb
time="2025-08-18T21:08:29.211711003Z" level=info msg="Layer sha256:c08461a705c4c402f1f3323647c7cf745d2151cb1d1d1da36f1d39ad58b329b9 cleaned up"
time="2025-08-18T21:08:29.211732419Z" level=info msg="Layer sha256:af48d6dc30ff0ec94f88c52e9e50fcd2cf8ddc8e35be2fbb33b71ea1030e7fa4 cleaned up"
time="2025-08-18T21:08:29.212409878Z" level=info msg="Layer sha256:beed9f759ed535452f01fb3d1678a69a4925b81bd605dd0bdfcddd354f5edc7c cleaned up"
time="2025-08-18T21:08:29.562468586Z" level=info msg="Layer sha256:1c29df7928b8f9d1605eafe107dc451b1b44c4ffd4da71bac7e34da178d87d68 cleaned up"
time="2025-08-18T21:08:29.593935670Z" level=info msg="Layer sha256:90a2bf02e851326fc70d05470553ed33e578342d6e06bfa0cfaf331c4079b7e4 cleaned up"
Reproduction
Steps
I am using the paketo builder which has e.g. a go buildpack:
description = "Ubuntu 22.04 Jammy Jellyfish full image with buildpacks for Apache HTTPD, Go, Java, Java Native Image, .NET, NGINX, Node.js, PHP, Procfile, Python, and Ruby"
[[buildpacks]]
uri = "docker://docker.io/paketobuildpacks/go:4.12.59"
version = "4.12.60"
[[buildpacks]]
uri = "docker://my.registry.org/buildpack/till:0.1.0"
version = "0.1.0"
[lifecycle]
version = "0.20.13"
[[order]]
[[order.group]]
id = "paketo-buildpacks/go"
version = "4.12.59"
[[order]]
[[order.group]]
id = "paketo-buildpacks/go-dist"
version = "2.7.15"
optional = true
[[order.group]]
uri = "buildpack/till"
version = "0.1.0"
[stack]
build-image = "docker.io/paketobuildpacks/build-jammy-full:0.1.96"
id = "io.buildpacks.stacks.jammy"
run-image = "docker.io/paketobuildpacks/runimage:jammy-full"
This is a very simplified example, but the result is basically the error above. In my actual example, there are more buildpacks involved.
Current behavior
pack creates an invalid builder.
Expected behavior
An error saying I shouldn't do this.
Environment
pack info
Pack:
Version: 0.38.2+git-f1c347c.build-6533
OS/Arch: darwin/arm64
Default Lifecycle Version: 0.20.11
Supported Platform APIs: 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11, 0.12, 0.13
Config:
default-builder-image = "[REDACTED]"
[[trusted-builders]]
name = "[REDACTED]"
[[trusted-builders]]
name = "[REDACTED]"
[[trusted-builders]]
name = "[REDACTED]"
Just wanted to add, I realize the error is also a PICNIC (me!), but I still think that pack should not allow this.
Just to avoid mis-understandings:
The build that fails is running on linux/amd64. I realize now that my pack report output is from local — but it is the same version we run in CI.
I found the offenders:
tar -tzf ./temp-image/ccb10c19592c9cd4efbf40ec2a35d433a11d3e626f9376583f19e6da53477492 | sort | uniq -c | awk '$1 > 1 {print $1, $2}' | head -20
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/LICENSE
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/NOTICE
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/README.md
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/bin
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/bin/build
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/bin/detect
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/bin/helper
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/bin/main
2 /cnb/buildpacks/paketo-buildpacks_ca-certificates/3.10.3/buildpack.toml
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/LICENSE
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/NOTICE
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/README.md
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/bin
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/bin/build
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/bin/detect
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/bin/main
2 /cnb/buildpacks/paketo-buildpacks_environment-variables/4.9.2/buildpack.toml
2 /cnb/buildpacks/paketo-buildpacks_image-labels/4.10.1
All of these are included by a composite buildpack, which is modelled after paketo-buildpacks/go and also directly in the builder. So that's why they are "two". The builder has them in different order groups to build apps.
It seems like every other build with --flatten works, and then it doesn't anymore and produces a layer with duplicate file paths.