
docker load fails with "no target for symlink layer" on docker-archive images containing symlinked layers (containerd 2.x) #12890

@earies

Description


We're seeing docker load fail on docker-archive format images that use symlinks for layer deduplication. This worked with containerd 1.x and appears to have regressed with containerd 2.x.

Is this a known issue, or is the new behavior intentional?

$ docker load -i junos-routing-crpd-docker-amd64-24.4R2-S2.6.tgz
no target for symlink layer from "e37c0ca938fe6033a8e7778ce76d7aef2044beaabf05bb07a1ff436d6e13369a/layer.tar" to "e37c0ca938fe6033a8e7778ce76d7aef2044beaabf05bb07a1ff436d6e13369a/.b145b8f10c30476da5083e92fe884fef3b125b73c68257ce48679cff05b8e43a.tar"

The image tarball contains a layer directory where layer.tar is a symlink to a blob at the archive root:

e37c0ca938fe.../layer.tar -> .b145b8f10c30...tar   (symlink)
b145b8f10c30...tar                                  (actual blob, at archive root)
.b145b8f10c30...tar                                 (also at archive root)

The symlink target exists at the top level of the archive but not relative to the layer subdirectory. When containerd extracts the archive to a temp directory and then tries to follow the symlink as a filesystem path, it fails because the relative path doesn't resolve from within the layer directory.

$ docker version
Client:
 Version:           29.2.1
 API version:       1.53
 Go version:        go1.25.6
 Git commit:        e92dd87
 Built:             Tue Feb  3 18:23:30 2026
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          29.2.1
  API version:      1.53 (minimum version 1.44)
  Go version:       go1.25.6
  Git commit:       d105562
  Built:            Tue Feb  3 18:20:36 2026
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          2.2.1
  GitCommit:        091922f03c2762540fd057fba91260237ff86acb
 runc:
  Version:          1.4.0
  GitCommit:        51d5e94601ceffbbd85688df1c928ecccbfa4685
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Image was built w/ podman

Steps to reproduce the issue

  1. Build or save any container image using podman that produces a docker-archive with symlinked layers
  2. docker load -i

Describe the results you received and expected

See description

What version of containerd are you using?

containerd github.com/containerd/containerd/v2 2.2.1 dea7da5

Any other relevant information

See description

Kernel: 6.19.0
Distro: Slackware64

Show configuration if it is related to CRI plugin.

No response
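
The layout described in this report can be checked before an archive is loaded. The following Python script is an added example, not part of the original issue and not containerd's code: it classifies each symlink in a docker-archive by whether its target resolves from the link's own directory, only from the archive root (the case reported here), nowhere, or outside the archive. The sample archive and all names in it (`aaaa`, `.bbbb.tar`, and so on) are constructed for illustration.

```python
import io
import posixpath
import tarfile

def classify_layer_symlinks(fileobj):
    """Map each symlink in a docker-archive tar to (status, resolved target)."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        members = tar.getmembers()
    # Only non-symlink entries count as targets (chained links are not followed).
    names = {posixpath.normpath(m.name) for m in members if not m.issym()}
    report = {}
    for m in members:
        if not m.issym():
            continue
        link_dir = posixpath.dirname(posixpath.normpath(m.name))
        # Filesystem semantics: a relative target resolves from the link's directory.
        rel = posixpath.normpath(posixpath.join(link_dir, m.linkname))
        root = posixpath.normpath(m.linkname)  # same target read from the archive root
        if posixpath.isabs(m.linkname) or rel == ".." or rel.startswith("../"):
            report[m.name] = ("escapes-archive", m.linkname)
        elif rel in names:
            report[m.name] = ("resolves", rel)
        elif root in names:
            report[m.name] = ("root-only", root)  # the layout in this report
        else:
            report[m.name] = ("dangling", rel)
    return report

def build_sample():
    """Constructed in-memory archive; every name below is made up for the example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, link=None):
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info)  # zero-length entries are enough for a name check
        add(".bbbb.tar")
        add("dddd/layer.tar")
        add("aaaa/layer.tar", link=".bbbb.tar")          # target only at archive root
        add("cccc/layer.tar", link="../dddd/layer.tar")  # resolves from link directory
        add("eeee/layer.tar", link="../../outside.tar")  # points outside the archive
        add("ffff/layer.tar", link="missing.tar")        # target absent everywhere
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for name, (status, target) in classify_layer_symlinks(build_sample()).items():
        print(f"{status:16}{name} -> {target}")
```

For a real archive, pass a file object opened in binary mode; the `r:*` mode also reads gzip-compressed archives such as `.tgz` files.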
