Open AdamSimpson opened 5 years ago
I would suggest using https://github.com/openSUSE/umoci instead -- image-tools
has historically had many problems with unpacking things correctly and is the main reason I ended up writing umoci
. It's used by quite a few other projects as well (within openSUSE we use it to build our container images, it's used by LXC as a method of getting OCI support, and there are tools built on-top of umoci
like CISCO's stacker
).
Oh sorry, I didn't notice you already mentioned you tested against umoci
. :wink: I could look into porting image-tools
to umoci
(the underlying libraries should be fairly reusable -- I know a few folks that are reusing it).
Thanks @cyphar, it looks like the Singularity devs are looking into integrating umoci
. From what I could see this should be relatively straight forward.
I have run across an issue in another project that uses
image-tools
, sylabs/singularity#3880, that looks to be caused byimage-tools
failing to unpack files with the correct permissions. The issue appears when building from a Dockerfile when a file is created in one layer and then in a subsequent layer the permissions are modified. In this case it looks like the unpacked image has the original file permissions and the updated permissions are ignored.Dockerfile
Building the image and verifying the permissions
Copy the image with
skopeo
Verify permissions are correct with
umoci
Permissions are incorrect with
image-tools