-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker messes up /etc symlink in an imported filesystem #42706
Comments
Thanks for reporting. Could you also add the full output of So, what I think happens here, is that the image may have the symlink, but when starting a container from the image, the symlink will be masked by mounts set up for the container's networking; moby/container/container_unix.go Line 64 in 9674540
Each container (by default) gets a generated docker run --rm alpine sh -c 'mount | grep etc'
/dev/vda1 on /etc/resolv.conf type ext4 (rw,relatime)
/dev/vda1 on /etc/hostname type ext4 (rw,relatime)
/dev/vda1 on /etc/hosts type ext4 (rw,relatime) The That said, I'd somewhat expect symlinks to be resolved when creating those mounts. Doing a quick test; Create an image that has a symlinked directory docker build -t foo -<<EOF
FROM alpine
RUN mkdir /actual-destination && ln -s /actual-destination /destination
EOF Running a container that bind-mounts a file within docker run --rm -v $(pwd)/somefile.txt:/destination/somefile.sh foo sh -c 'ls -l /destination /destination/ /actual-destination/'
lrwxrwxrwx 1 root root 19 Aug 3 09:42 /destination -> /actual-destination
/actual-destination/:
total 4
-rwxr-xr-x 1 root root 1236 Jul 29 23:00 somefile.sh
/destination/:
total 4
-rwxr-xr-x 1 root root 1236 Jul 29 23:00 somefile.sh That said, it's possible the classic (non-buildkit) builder creates a container for the |
I have added output of |
Did some quick tests to try to narrow down the issue (FWIW; still a bit curious what your use-case is, but I got a bit intrigued as to "why" these mounts don't use the symlink 😂) Create a directory to test in, pull the mkdir -p test/temp && cd test
docker pull centos:7
docker save -o img.tar centos:7
tar -xf img.tar Extract the image, and find the layer we're interested in (it's a single-layer image); ls -l
total 206764
-rw-r--r-- 1 root root 2755 Nov 14 2020 8652b9f0cb4c0599575e5a003f5906876e10c1ceb2ab9fe1786712dac14a50cf.json
drwxr-xr-x 2 root root 4096 Nov 14 2020 cf6619f89e575099622d9f069d0d94f21460504754861e2125b36313bbd34188
-rw-r--r-- 1 root root 13 Aug 7 2019 Dockerfile
-rw------- 1 root root 211696640 Aug 4 16:31 img.tar
-rw-r--r-- 1 root root 197 Jan 1 1970 manifest.json
-rw-r--r-- 1 root root 84 Jan 1 1970 repositories
drwxr-xr-x 2 root root 4096 Aug 4 16:34 temp
ls -l cf6619f89e575099622d9f069d0d94f21460504754861e2125b36313bbd34188
total 206736
-rw-r--r-- 1 root root 1954 Nov 14 2020 json
-rw-r--r-- 1 root root 211685376 Nov 14 2020 layer.tar
-rw-r--r-- 1 root root 3 Nov 14 2020 VERSION Extract the layer in the cd temp
tar -xvf ../cf6619f89e575099622d9f069d0d94f21460504754861e2125b36313bbd34188/layer.tar Move the mv etc/ media/
ln -s media/etc etc
ls -l
total 64
-rw-r--r-- 1 root root 12114 Nov 13 2020 anaconda-post.log
lrwxrwxrwx 1 root root 7 Nov 13 2020 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Nov 13 2020 dev
lrwxrwxrwx 1 root root 9 Aug 4 16:35 etc -> media/etc
drwxr-xr-x 2 root root 4096 Apr 11 2018 home
lrwxrwxrwx 1 root root 7 Nov 13 2020 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Nov 13 2020 lib64 -> usr/lib64
drwxr-xr-x 3 root root 4096 Aug 4 16:35 media
drwxr-xr-x 2 root root 4096 Apr 11 2018 mnt
drwxr-xr-x 2 root root 4096 Apr 11 2018 opt
drwxr-xr-x 2 root root 4096 Nov 13 2020 proc
dr-xr-x--- 2 root root 4096 Nov 13 2020 root
drwxr-xr-x 11 root root 4096 Nov 13 2020 run
lrwxrwxrwx 1 root root 8 Nov 13 2020 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Apr 11 2018 srv
drwxr-xr-x 2 root root 4096 Nov 13 2020 sys
drwxrwxrwt 7 root root 4096 Nov 13 2020 tmp
drwxr-xr-x 13 root root 4096 Nov 13 2020 usr
drwxr-xr-x 18 root root 4096 Nov 13 2020 var Create a tarball of the new rootfs, and save it as tar -czf ../new-image.tgz . Build a cd ../
DOCKER_BUILDKIT=1 docker build -t newimage -f- . <<EOF
FROM scratch
ADD new-image.tgz /
EOF Run a container from the image, and (as reported), docker run --rm newimage ls -l /
total 56
-rw-r--r-- 1 0 0 12114 Nov 13 2020 anaconda-post.log
lrwxrwxrwx 1 0 0 7 Nov 13 2020 bin -> usr/bin
drwxr-xr-x 5 0 0 340 Aug 4 16:39 dev
drwxr-xr-x 2 0 0 4096 Aug 4 16:39 etc
drwxr-xr-x 2 0 0 4096 Apr 11 2018 home
lrwxrwxrwx 1 0 0 7 Nov 13 2020 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 Nov 13 2020 lib64 -> usr/lib64
drwxr-xr-x 3 0 0 4096 Aug 4 16:35 media
drwxr-xr-x 2 0 0 4096 Apr 11 2018 mnt
drwxr-xr-x 2 0 0 4096 Apr 11 2018 opt
dr-xr-xr-x 109 0 0 0 Aug 4 16:39 proc
dr-xr-x--- 2 0 0 4096 Nov 13 2020 root
drwxr-xr-x 11 0 0 4096 Nov 13 2020 run
lrwxrwxrwx 1 0 0 8 Nov 13 2020 sbin -> usr/sbin
drwxr-xr-x 2 0 0 4096 Apr 11 2018 srv
dr-xr-xr-x 13 0 0 0 Aug 4 16:38 sys
drwxrwxrwt 7 0 0 4096 Nov 13 2020 tmp
drwxr-xr-x 13 0 0 4096 Nov 13 2020 usr
drwxr-xr-x 18 0 0 4096 Nov 13 2020 var As before in this thread, docker run --rm newimage sh -c 'mount | grep /etc'
/dev/vda1 on /etc/resolv.conf type ext4 (rw,relatime,data=ordered)
/dev/vda1 on /etc/hostname type ext4 (rw,relatime,data=ordered)
/dev/vda1 on /etc/hosts type ext4 (rw,relatime,data=ordered) To narrow down "where" things happen, I have a look at the image we built, so I save the image to a tar ( docker save -o newimage-saved.tar newimage:latest
mkdir newimage-extracted && cd newimage-extracted
tar -xf ../newimage-saved.tar Find the location of the image's layer: ls -l
total 16
drwxr-xr-x 2 root root 4096 Aug 4 16:38 64d5743bed13da26b52d0967fb64faecb9f3a4c6d9c1d5997ad17d00e1226a67
-rw-r--r-- 1 root root 451 Aug 4 16:38 aaa80cbebf7fd4e9582b45bd520040f2ad81186eb866f52656574ef41c2d0c6b.json
-rw-r--r-- 1 root root 204 Jan 1 1970 manifest.json
-rw-r--r-- 1 root root 91 Jan 1 1970 repositories
ls -l 64d5743bed13da26b52d0967fb64faecb9f3a4c6d9c1d5997ad17d00e1226a67
total 206732
-rw-r--r-- 1 root root 772 Aug 4 16:38 json
-rw-r--r-- 1 root root 211680768 Aug 4 16:38 layer.tar
-rw-r--r-- 1 root root 3 Aug 4 16:38 VERSION Create a new directory, and extract the image layer into that directory: mkdir layer-extracted && cd layer-extracted
tar -xf ../64d5743bed13da26b52d0967fb64faecb9f3a4c6d9c1d5997ad17d00e1226a67/layer.tar List what's in there, and notice that the image itself does have the symlink: ls -l
total 64
-rw-r--r-- 1 root root 12114 Nov 13 2020 anaconda-post.log
lrwxrwxrwx 1 root root 7 Nov 13 2020 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Nov 13 2020 dev
lrwxrwxrwx 1 root root 9 Aug 4 16:35 etc -> media/etc
drwxr-xr-x 2 root root 4096 Apr 11 2018 home
lrwxrwxrwx 1 root root 7 Nov 13 2020 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Nov 13 2020 lib64 -> usr/lib64
drwxr-xr-x 3 root root 4096 Aug 4 16:35 media
drwxr-xr-x 2 root root 4096 Apr 11 2018 mnt
drwxr-xr-x 2 root root 4096 Apr 11 2018 opt
drwxr-xr-x 2 root root 4096 Nov 13 2020 proc
dr-xr-x--- 2 root root 4096 Nov 13 2020 root
drwxr-xr-x 11 root root 4096 Nov 13 2020 run
lrwxrwxrwx 1 root root 8 Nov 13 2020 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Apr 11 2018 srv
drwxr-xr-x 2 root root 4096 Nov 13 2020 sys
drwxrwxrwt 7 root root 4096 Nov 13 2020 tmp
drwxr-xr-x 13 root root 4096 Nov 13 2020 usr
drwxr-xr-x 18 root root 4096 Nov 13 2020 var And the ls -l etc/
total 1056
-rw-r--r-- 1 root root 16 Nov 13 2020 adjtime.rpmsave
-rw-r--r-- 1 root root 1529 Apr 1 2020 aliases
drwxr-xr-x 2 root root 4096 Nov 13 2020 alternatives
drwxr-xr-x 2 root root 4096 Nov 13 2020 bash_completion.d
... So from the above, it looks like:
So to resolve this, it would be needed to find out what's different between the two; do they follow different code paths? It's possible that these default mounts are created earlier in the container's lifecycle; perhaps they're created from the host's namespace before the container is started, then moved into the container's namespace. |
Thank you for reproducing this as well. I had a doubt that something is off with my system but it seems not. |
Please, see the reproducer in the image below (the second screen on the right is continuation of the first one on the left). It seems docker cannot cope with
/etc
being a symlink to somewhere in an imported filesystem (e.g./etc -> media/etc
as in the reproducer). It replaces it with a normal directory with a few generated files (hosts, hostname, resolv.conf, mtab
) at some point.(Please, forgive me the embarrassing problems with permissions along the way but I think they didn't affect anything).
Docker version 20.10.6, build 370c289
(tried alsoDocker version 20.10.7, build f0df350
with the same result)More info:
The text was updated successfully, but these errors were encountered: