kaniko fails with a symbolic link pointing to itself

[lxylxy123456]

Actual behavior When the docker image contains a symbolic to itself (e.g. ln -s e e, where e is the file name located in /jkl/), kaniko fails by printing error message "ERRO[0012] couldn't eval /jkl/e with link /jkl/e", and the image pushed to the registry is incomplete.

Expected behavior This error should not happen, and all files should be there.

To Reproduce Steps to reproduce the behavior:

1. Follow the tutorial, but change the Dockerfile to the one below.
2. kubectl logs kaniko shows (note the last line is an error):

   INFO[0001] Retrieving image manifest ubuntu             
   INFO[0001] Retrieving image ubuntu                      
   INFO[0002] Retrieving image manifest ubuntu             
   INFO[0002] Retrieving image ubuntu                      
   INFO[0003] Built cross stage deps: map[]                
   INFO[0003] Retrieving image manifest ubuntu             
   INFO[0003] Retrieving image ubuntu                      
   INFO[0004] Retrieving image manifest ubuntu             
   INFO[0004] Retrieving image ubuntu                      
   INFO[0005] Executing 0 build triggers                   
   INFO[0005] Unpacking rootfs as cmd RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l requires it. 
   INFO[0010] RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l 
   INFO[0010] Taking snapshot of full filesystem...        
   INFO[0011] cmd: /bin/sh                                 
   INFO[0011] args: [-c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l] 
   INFO[0011] Running: [/bin/sh -c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l] 
   total 4
   -rw-r--r-- 1 root root 2 Aug 24 23:38 a
   lrwxrwxrwx 1 root root 1 Aug 24 23:38 b -> a
   lrwxrwxrwx 1 root root 1 Aug 24 23:38 c -> d
   lrwxrwxrwx 1 root root 1 Aug 24 23:38 e -> e
   INFO[0011] Taking snapshot of full filesystem...        
   ERRO[0012] couldn't eval /jkl/e with link /jkl/e        

3. If I pull the container from docker hub, I see (note that c -> d is gone):

   root@e059594cfdff:/# ls
   bin   dev  home  lib    lib64   media  opt   root  sbin  sys  usr
   boot  etc  jkl   lib32  libx32  mnt    proc  run   srv   tmp  var
   root@e059594cfdff:/# ls jkl
   a  b  e
   root@e059594cfdff:/# ls jkl -l
   total 4
   -rw-r--r-- 1 root root 2 Aug 24 23:38 a
   lrwxrwxrwx 1 root root 1 Aug 24 23:38 b -> a
   lrwxrwxrwx 1 root root 1 Aug 24 23:38 e -> e
   root@e059594cfdff:/# 

   Expected (this is the result of building the image with docker)

   $ docker run --rm -it my-container sh
   # ls
   bin   dev  home  lib    lib64   media  opt   root  sbin  sys  usr
   boot  etc  jkl   lib32  libx32  mnt    proc  run   srv   tmp  var
   # ls jkl
   a  b  c  e
   # ls -l jkl
   total 4
   -rw-r--r--. 1 root root 2 Aug 25 01:46 a
   lrwxrwxrwx. 1 root root 1 Aug 25 01:46 b -> a
   lrwxrwxrwx. 1 root root 1 Aug 25 01:46 c -> d
   lrwxrwxrwx. 1 root root 1 Aug 25 01:46 e -> e
   # 
   $ 

Additional Information

• Dockerfile

  FROM ubuntu
  RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l

• Build Context None

• Kaniko Image (fully qualified with digest)

  gcr.io/kaniko-project/executor:latest
  Digest: sha256:e36c9fa99279217c4bb8ee172819b441c3ca8ef946dc0e28b21721eefb2ba70a

  Triage Notes for the Maintainers

  Description	Yes/No
  Please check if this a new feature you are proposing	- [ ]
  Please check if the build works in docker but not in kaniko	- [x]
  Please check if this error is seen when you use --cache flag	- [x]
  Please check if your dockerfile is a multistage dockerfile	- [ ]

[lxylxy123456]

Note that the container pushed to Docker Hub is not deterministic. Sometimes it is missing other files. For example, during another run I get this container (this time a and b -> a are missing)

root@2c3f4ff954c6:/# ls jkl
c  e
root@2c3f4ff954c6:/# ls jkl -l
total 0
lrwxrwxrwx. 1 root root 1 Aug 25 01:41 c -> d
lrwxrwxrwx. 1 root root 1 Aug 25 01:41 e -> e
root@2c3f4ff954c6:/# exit

[RoSk0]

Might be related #1406

[snukone]

Maybe we have had the same problem here:

Our problem & solution was: We run the kaniko executor binary in an different image than the google default docker image. Our image is based on SLES. The Image we wanted to build with kaniko was based on RHEL. Since we changed the RHEL based Dockerimage also to SLES, the full filesystem snapshot is running successful.

We are using: kaniko 1.0.0 tekton 0.14.2 sles 15sp1:1.20.37 rhel Red Hat Enterprise Linux Server release 7.7 (Maipo)

[jbg]

Not only circular links, but also (some?) broken links cause this behaviour.

If there's a symlink /a -> /b/c/d and the directory /b/c doesn't exist, an error is printed couldn't eval /a with link /a and not only the symlink gets left out, but also random other files get left out of the container.

[mandric]

I think latest kaniko doesn't have this problem?

[jia2]

I think latest kaniko doesn't have this problem?

I tested with 1.9.1 and this issue still exists.

[m00lecule]

Reproduced with gcr.io/kaniko-project/executor:v1.9.2-debug

[moret]

An updated reproduction with https://github.com/GoogleContainerTools/kaniko/releases/tag/v1.16.0:

$ cat Dockerfile
FROM alpine

RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l

$ docker rmi -f rep
(...)

$ docker run \
-v `pwd`:/workspace \
gcr.io/kaniko-project/executor:v1.16.0 \
--dockerfile /workspace/Dockerfile \
--destination rep \
--no-push --tarPath /workspace/rep.tar

(...)
INFO[0002] RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l
INFO[0002] Initializing snapshotter ...
INFO[0002] Taking snapshot of full filesystem...
INFO[0002] Cmd: /bin/sh
INFO[0002] Args: [-c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l]
INFO[0002] Running: [/bin/sh -c mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l]
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:24 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 c -> d
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 e -> e
INFO[0002] Taking snapshot of full filesystem...
ERRO[0002] Couldn't eval /jkl/e with link /jkl/e
INFO[0003] Skipping push to container registry due to --no-push flag
(...)

$ docker image load -i rep.tar
(...)

$ rm -rf rep.tar

$ docker run --rm --name rep rep ls -l jkl
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:24 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:24 e -> e

while with Docker:

$ docker rmi -f rep
(...)

$ docker build -t rep .
(...)
Step 2/2 : RUN mkdir /jkl; cd /jkl; echo 1 > a ; ln -s a b; ln -s d c; ln -s e e; ls -l
 ---> Running in 637034289a83
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:30 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 c -> d
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 e -> e
(...)

$ docker run --rm --name rep rep ls -l jkl
total 4
-rw-r--r--    1 root     root             2 Sep 27 13:30 a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 b -> a
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 c -> d
lrwxrwxrwx    1 root     root             1 Sep 27 13:30 e -> e

[algo7]

any update on this?

[zhangguanzhang]

any update on this?

[jack80342]

this？