document "missing /bin/sh" as needing to use entrypoint, instead of cmd

[jmhodges]

This is now a documentation bug. See #62 (comment) for why

With the latest rules_docker (df9d21334be0d45b6995f5f46024a3d2ea22eca9) and bazel 0.5.1, my Go images that are built using a docker_pull of distroless/base and a docker_build target are not working correctly.

When I run my docker_build images using distroless/base locally with docker run without specifying a command argument (that is, using the default command that image is built with) or running it in kubernetes, I get errors about /bin/sh not existing[1][2].

I've put up a reproduction in a GitHub repository. See the README.md there for instructions. I'll describe what's going on a little bit more below.

Previous uses of bazel's docker_build using base images built with the docker command directly did not have this problem. To work around this, I have to duplicate the cmds in my bazel targets and kubernetes Deployments.

(That is, the cmd in the docker_build bazel target is "./hello", and I have to configure that a second time elsewhere in order for these images to work correctly.)

Using the @distroless//base:base external directly (by copying a bunch of the repository set up from distroless's WORKSPACE) causes the same error to occur. (I did not include that version in my reproduction as the bazel BUILD code increase is significant. There is a use_ext branch in my reproduction you can look at, though)

[1] From docker: docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory".
[2] From kubernetes: Error response from daemon: Container command '/bin/sh' not found or does not exist..

[mattmoor]

So Docker makes copious assumptions about /bin/sh being present (in fact RUN requires it).

Technically cmd is defined as passing your argument to your entrypoint, and since one hasn't been defined it is falling back on /bin/sh -c IIRC.

Try making your go binary the entrypoint instead of cmd?

[jmhodges]

Yeah, k8s and docker are satisfied now. Thanks!

[jmhodges]

Mm, looks like I spoke too soon and forgot to switch back to my branch that used distroless as the base image. That doesn't solve docker. Haven't tried k8s, but I assume it's the same.

[jmhodges]

Yeah, pushed the entrypoint change up to my repro repo and it still fails to run in docker.

[mattmoor]

What if you use the list syntax for entrypoint? entrypoint = ["foo"]?

List vs. Scalar is another fun place Docker assumes the presence of /bin/sh.

This seems to discuss several of these gotchas:

Passing a string will prefix the command with /bin/sh -c. Example: CMD ls /

@dlorenc We should definitely improve the docs to cover this.

[jmhodges]

Yep, making it entrypoint = ["./hello"], instead of entrypoint = "./hello" fixes the problem.

Would definitely love docs on this! Not sure why this kicked in here when previous docker_build's had worked fine

[mattmoor]

Yeah, let's use this issue to track getting docs for this.