This repository was archived by the owner on Jun 3, 2025. It is now read-only.

Layer tar files contain entry for root (/) #1375

@neggert

Actual behavior
Layer tar files contain a header for the path /, which looks like an absolute path name and creates problems for the internal non-Docker container runtime we use. Images created using Docker work just fine.

Expected behavior
Tar files should not contain absolute paths. GNU tar drops the leading / from absolute paths, so this mostly works, but other tools fail to extract images created by Kaniko.

To Reproduce
Use this Dockerfile:

FROM debian:buster

RUN apt-get update && \
    apt-get install -y --no-install-recommends vim && \
    rm -rf /var/lib/apt/lists/*

Build with kaniko, saving the image locally so that we can inspect it.

docker run -v $PWD:/workspace gcr.io/kaniko-project/executor@sha256:d60705cb55460f32cee586570d7b14a0e8a5f23030a0532230aaf707ad05cecd \
  --dockerfile /workspace/Dockerfile --context dir:///workspace/ --tarPath /workspace/image.tar \
  --no-push --destination=image

Extract and inspect the image. Observe the first entry: /.

$ tar xf image.tar
$ tar --list --verbose --file d201a7839a4aa3a639e61c9782ac73e714b1b2acd3919a6774c29536cdd395c7.tar.gz | head
drwxr-xr-x  0 0      0           0 Aug  7 13:52 /
drwxr-xr-x  0 0      0           0 Aug  7 13:52 etc/
drwxr-xr-x  0 0      0           0 Aug  7 13:52 etc/alternatives/
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor -> /usr/bin/vim.basic
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor.1.gz -> /usr/share/man/man1/vim.1.gz
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor.da.1.gz -> /usr/share/man/da/man1/vim.1.gz
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor.de.1.gz -> /usr/share/man/de/man1/vim.1.gz
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor.fr.1.gz -> /usr/share/man/fr/man1/vim.1.gz
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor.it.1.gz -> /usr/share/man/it/man1/vim.1.gz
lrwxrwxrwx  0 0      0           0 Aug  7 13:52 etc/alternatives/editor.ja.1.gz -> /usr/share/man/ja/man1/vim.1.gz

Triage Notes for the Maintainers

Description Yes/No
Please check if this is a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
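
A check that a consuming runtime or CI step could run on a layer before extraction, as an added example that is not part of the original issue or of kaniko's code: it reads the raw tar headers and reports member names that are absolute (such as the `/` entry in the listing above) or contain a `..` component. The function names and the sample layer are constructed for illustration; link targets are not inspected, and it assumes names fit in the ustar name/prefix fields.

```python
import io
import tarfile

BLOCK = 512  # tar headers and data are laid out in 512-byte blocks


def _field(block, start, length):
    """Decode a NUL-terminated string field from a tar header block."""
    return block[start:start + length].split(b"\0", 1)[0].decode("utf-8", "replace")


def unsafe_member_names(layer_bytes):
    """Return stored member names that are absolute or contain a '..' component.

    Reads the raw headers so names are reported exactly as stored.
    Assumption: no GNU long-name or pax extended headers are present.
    """
    findings = []
    offset = 0
    while offset + BLOCK <= len(layer_bytes):
        block = layer_bytes[offset:offset + BLOCK]
        if block == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = _field(block, 0, 100)
        prefix = _field(block, 345, 155) if block[257:262] == b"ustar" else ""
        full = f"{prefix}/{name}" if prefix else name
        size = int(_field(block, 124, 12).strip() or "0", 8)
        if full.startswith("/") or ".." in full.split("/"):
            findings.append(full)
        # Skip this header plus its data, padded to a whole block.
        offset += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
    return findings


def build_sample_layer(include_root):
    """Constructed sample mirroring the listing: optional '/', etc/, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        entries = [("etc/", tarfile.DIRTYPE, ""),
                   ("etc/alternatives/editor", tarfile.SYMTYPE, "/usr/bin/vim.basic")]
        if include_root:
            entries.insert(0, ("/", tarfile.DIRTYPE, ""))
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.mode = kind, target, 0o755
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_member_names(build_sample_layer(include_root=True)))
```

For a real layer, decompress the `.tar.gz` first (for example with `gzip.decompress`) and pass the resulting bytes to `unsafe_member_names`.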
