Summary:
In versions of container-diff that are newer than 0.6.2 we hit a permissions issue when container-diff improperly follows symlinks.
container-diff analyze daemon://sha256:7a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705 --type=apt --type=rpm --type=node --type=pip
Retrieving image sha256:7a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705 from source Local Daemon
ERRO[0000] Error creating file /var/folders/bf/6ntcfntx7mn1njynfg2jb9h00000gp/T/sha2567a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705603666088/bin/base64 open /var/folders/bf/6ntcfntx7mn1njynfg2jb9h00000gp/T/sha2567a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705603666088/bin/base64: operation not permitted
ERRO[0000] Error processing image: open /var/folders/bf/6ntcfntx7mn1njynfg2jb9h00000gp/T/sha2567a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705603666088/bin/base64: operation not permitted
Steps to reproduce
Create the following Dockerfile, then run container-diff against it
FROM alpine:3.7
RUN apk --no-cache add --update bash ca-certificates coreutils && update-ca-certificates
Additional Info:
In the stock alpine:3.7 image, base64 is a symlink to /bin/busybox
When we apt-install bash the symlink for base64 and other commands is replaced with actual files.
When we run container-diff on that image we get the following permissions error, which we believe is caused by container-diff improperly copying previously symlinked files out of the image.
Additionally, if I perform an ls from my local machine (not from the container) it seems like the file it copied out of the image gets symlinked to /bin/busybox, also on my Mac. Inside the container it should be a file though, not a symlink. Container-diff should not be trying to analyze files outside of the Docker layers.
$ ls -al /var/folders/bf/6ntcfntx7mn1njynfg2jb9h00000gp/T/sha2567a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705603666088/bin/base64
lrwxr-xr-x 1 matthewbalvanz staff 12 May 21 17:12 /var/folders/bf/6ntcfntx7mn1njynfg2jb9h00000gp/T/sha2567a62e2de9312f9e2f445c950523c5100358fa84fac24fc8bca2831078962f705603666088/bin/base64 -> /bin/busybox
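The failure above is what happens when a later layer's regular file is written through a symlink that an earlier layer left at the same path: the open follows the stale link and lands on the host's /bin/busybox instead of a file under the extraction root. As an added example (not container-diff's own code), here is a minimal layer extractor in Go that uses os.Lstat and removes whatever currently sits at the destination before creating the new entry, so a symlink from a lower layer is replaced rather than followed, and that rejects entries whose path escapes the extraction root. The two layers (busybox plus a base64 symlink, then a real base64 from coreutils) are constructed in memory to mirror the report, not read from a real image.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// layerEntry describes one constructed tar entry (hypothetical, not image data).
type layerEntry struct {
	name     string
	typeflag byte
	linkname string
	content  string
}

// buildLayer serialises constructed entries into an in-memory tar stream.
func buildLayer(entries []layerEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typeflag, Linkname: e.linkname,
			Mode: 0o755, Size: int64(len(e.content))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.typeflag == tar.TypeReg {
			if _, err := tw.Write([]byte(e.content)); err != nil {
				panic(err)
			}
		}
	}
	tw.Close()
	return buf.Bytes()
}

// safeJoin maps an entry name under root and refuses names that escape it.
func safeJoin(root, name string) (string, error) {
	clean := filepath.Join(root, filepath.FromSlash(name))
	if clean != root && !strings.HasPrefix(clean, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("entry %q escapes extraction root", name)
	}
	return clean, nil
}

// replaceExisting removes whatever currently sits at target so the new entry is
// written in place rather than through a symlink left by an earlier layer.
// os.Lstat does not follow links, so the host path a stale link points at
// (/bin/busybox in the report) is never opened or modified.
func replaceExisting(target string) error {
	fi, err := os.Lstat(target)
	if errors.Is(err, os.ErrNotExist) {
		return nil
	}
	if err != nil {
		return err
	}
	if fi.IsDir() {
		return fmt.Errorf("refusing to replace directory %s with a non-directory", target)
	}
	return os.Remove(target) // removes the link itself, not its target
}

// extractLayer writes one layer tar into root without ever resolving symlinks.
func extractLayer(root string, layer []byte) error {
	root = filepath.Clean(root)
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := safeJoin(root, hdr.Name)
		if err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
		case tar.TypeSymlink:
			// Store the link as a link; it is only inspected, never followed.
			if err := replaceExisting(target); err != nil {
				return err
			}
			if err := os.Symlink(hdr.Linkname, target); err != nil {
				return err
			}
		case tar.TypeReg:
			if err := replaceExisting(target); err != nil {
				return err
			}
			// O_EXCL guarantees we create a fresh file at this exact path.
			f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return err
			}
			if _, err := io.Copy(f, tr); err != nil {
				f.Close()
				return err
			}
			f.Close()
		default:
			return fmt.Errorf("unsupported entry type %q for %s", hdr.Typeflag, hdr.Name)
		}
	}
}

// extractSampleImage extracts the two constructed layers into root and reports
// what bin/base64 ends up as: its contents and whether it is still a symlink.
func extractSampleImage(root string) (content string, isSymlink bool, err error) {
	lower := buildLayer([]layerEntry{ // stock alpine-like layer (constructed)
		{name: "bin/", typeflag: tar.TypeDir},
		{name: "bin/busybox", typeflag: tar.TypeReg, content: "busybox-binary"},
		{name: "bin/base64", typeflag: tar.TypeSymlink, linkname: "/bin/busybox"},
	})
	upper := buildLayer([]layerEntry{ // coreutils install replacing the link (constructed)
		{name: "bin/", typeflag: tar.TypeDir},
		{name: "bin/base64", typeflag: tar.TypeReg, content: "coreutils-base64"},
	})
	for _, l := range [][]byte{lower, upper} {
		if err := extractLayer(root, l); err != nil {
			return "", false, err
		}
	}
	p := filepath.Join(root, "bin", "base64")
	fi, err := os.Lstat(p)
	if err != nil {
		return "", false, err
	}
	data, err := os.ReadFile(p)
	if err != nil {
		return "", false, err
	}
	return string(data), fi.Mode()&os.ModeSymlink != 0, nil
}

func main() {
	root, err := os.MkdirTemp("", "layers-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	content, isLink, err := extractSampleImage(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bin/base64: symlink=%v content=%q\n", isLink, content)
}
```

One caveat this example does not cover: a parent directory component can itself be a symlink from an earlier layer (merged-usr images do this with /lib), so a production extractor also needs to resolve intermediate links relative to the extraction root rather than the host filesystem before opening the final path.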