Docker save errors with "could not verify layer data for" when importing from tar

[agners]

I am importing a rootfs from a tar archive of Arch Linux ARM as follows:

curl -L http://de6.mirror.archlinuxarm.org/os/ArchLinuxARM-armv7-latest.tar.gz | \
    gunzip | docker import - myarchimg

And subsequently tried to export it using:

docker save myarchimg > myarchimg.tar

Which fails with:

Error response from daemon: could not verify layer data for: sha256:233ad66ee9e5e3c32d154a463a27dddcb719a6b67c1f5639087e9066cbc20e31. This may be because internal files in the layer store were modified. Re-pulling or rebuilding this image may resolve the issue

I am using Docker on a Arch Linux x86 machine:

$ docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa8257ec
 Built:             Sun Aug 19 09:47:50 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa8257ec
  Built:            Sun Aug 19 09:47:31 2018
  OS/Arch:          linux/amd64
  Experimental:     false

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.18.1-arch1-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.3GiB
Name: archhost
ID: YZFB:6NF6:X34X:65ZW:DD2S:663P:573M:HSR3:GKPJ:IBZR:YAG3:7GQS
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 22
 Goroutines: 43
 System Time: 2018-08-20T13:48:50.006453032+02:00
 EventsListeners: 0
Username: agners
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

It seems to be related to the tar file: It uses extensions which are not known to my GNU tar, which leads to warning such as this during extraction:

tar: Ignoring unknown extended header keyword 'SCHILY.fflags'

When I extract the tarball and recreate it using GNU tar, and then import it, docker save seems to work fine.

Since I do not have control over the tar creation process I cannot easily fix the tar file. It seems not to be possible to filter out/ignore those extended headers using a tar command (other than extracting and recreating). Ideally docker should not fail in case a tar has been imported which does have unknown extended headers.

[thaJeztah]

ping @kolyshkin @dmcgowan ptal