Difference between docker build and kaniko executor when copying symlinks

[gokuatkai]

Actual behavior
When having a symlink in the context dir that point to a file to a subfolder and adding it with COPY, docker build copy the content of the file but kaniko executor copy the symlink instead.

Expected behavior
Kaniko executor will copy the content of the file as docker build does.

To Reproduce
Steps to reproduce the behavior:
Given the following environment:

mkdir some_path
echo "Hello world" > some_path/the_file
ln -s some_path/the_file the_symlink

and the following dockerfile:

FROM busybox
COPY the_symlink /the_file
RUN cat /the_file

Here is the docker build output

$ docker build -t test . --no-cache
Sending build context to Docker daemon  4.096kB
Step 1/3 : FROM busybox
 ---> 018c9d7b792b
Step 2/3 : COPY the_symlink /the_file
 ---> d2c2e851cdb1
Step 3/3 : RUN cat /the_file
 ---> Running in f1d35bc57b70
hello world
Removing intermediate container f1d35bc57b70
 ---> 471fcd659277
Successfully built 471fcd659277
Successfully tagged test:latest

And now using Kaniko:

/tests # /kaniko/executor --no-push --context .
INFO[0000] Retrieving image manifest busybox
INFO[0001] Retrieving image manifest busybox
INFO[0002] Built cross stage deps: map[]
INFO[0002] Retrieving image manifest busybox
INFO[0003] Retrieving image manifest busybox
INFO[0004] Executing 0 build triggers
INFO[0004] Unpacking rootfs as cmd COPY the_symlink /the_file requires it.
INFO[0005] COPY the_symlink /the_file
INFO[0005] Resolving 1 paths
INFO[0005] Taking snapshot of files...
INFO[0005] RUN cat /the_file
INFO[0005] Taking snapshot of full filesystem...
INFO[0005] Resolving 430 paths
INFO[0005] cmd: /bin/sh
INFO[0005] args: [-c cat /the_file]
INFO[0005] Running: [/bin/sh -c cat /the_file]
cat: can't open '/the_file': No such file or directory
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1

Additional Information

• Dockerfile

FROM busybox
COPY the_symlink /the_file
RUN cat /the_file

• Build Context
  you need a file that is a symlink to another one (see reproduce part above)
• Kaniko Image (fully qualified with digest)
  gcr.io/kaniko-project/executor:debug-v0.23.0 (id: 390df83ff1ab)

[tejal29]

We have had a lot of debate on this in previous issues like #915 and #1038

In #1038, user mentioned, docker copies a symlink or else their image size is doubled.
I can really appreciate some help in this regard.
Can you verify what does docker do if both

1. symlink and original file are copied?
2. Only symlink is copied,

It would help us not bring in a regression.

Thanks
Tejal

[gokuatkai]

From what I have tested:

1. symlinks are never copied, tested with COPY/ADD, only destination file is (with its content)
2. the test above is covering that already, I guess?
3. if the symlink is in a folder that is being copied, then the symlink is added:

FROM busybox
ADD tests /tests
RUN ls -alh /tests && cat /tests/the_symlink

.
├── Dockerfile
└── tests
    ├── some_folder
    │   └── the_file
    └── the_symlink -> some_folder/the_file

 ubuntu@dupa  ~/tests  docker build -t test . --no-cache
Sending build context to Docker daemon  4.608kB
Step 1/3 : FROM busybox
 ---> 018c9d7b792b
Step 2/3 : ADD dupa /dupa
 ---> 9ffebb630bc8
Step 3/3 : RUN ls -alh /dupa && cat /dupa/the_symlink
 ---> Running in a0ee0c6f59f4
total 12K
drwxr-xr-x    3 root     root        4.0K Aug 14 08:35 .
drwxr-xr-x    1 root     root        4.0K Aug 14 08:35 ..
drwxrwxr-x    2 root     root        4.0K Aug 13 12:12 some_folder
lrwxrwxrwx    1 root     root          20 Aug 13 12:13 the_symlink -> some_folder/the_file
hello world
Removing intermediate container a0ee0c6f59f4
 ---> 20b610e0877d
Successfully built 20b610e0877d
Successfully tagged test:latest

tricky one

[RoSk0]

Might be related #1406

[fhossfel]

I have another real world example to trigger this bug. I am using git-sync to retrieve the sources for the build. So I end up with something like this in my Kaniko pod:

# ls -l /src
-rwxr-xr-x    1 65533    nogroup       1530 Feb 15 16:28 my_app -> rev-13ae93985486f802c884339988aade8273b84fc8
-rwxr-xr-x    1 65533    nogroup       1359 Feb 15 16:28 rev-13ae93985486f802c884339988aade8273b84fc8

In /src/my_app/Dockerfile I have a line:

WORKDIR /src
COPY . .

which will copy the content of /srv/rev-13ae93985486f802c884339988aade8273b84fc8 to the /src directory of the new image

However, when I run Kaniko with "--context=/src/my_app" the symlink is copied to the target folder so I end up with

#  ls -l /src
 -rwxr-xr-x    1 65533    nogroup       1530 Feb 15 16:28 my_app -> rev-13ae93985486f802c884339988aade8273b84fc8

Note: The symlink is not part of what is actually copied. I is just the location under which the files to copy are accessed.

P.S.: COPY * ./ shows the same behavior so does ADD.