Changes in extended file attributes counted as waste but not shown as file change #358

@thediveo

Description

To the best of my (limited) knowledge, copying files between stages in a multi-stage build does not copy (some?) extended attributes. In particular, POSIX file capabilities are not copied but instead get lost. Current build practice thus requires one to 1. copy a binary requiring POSIX file capabilities into the final image and then 2. set the binary's file capabilities. For example (from github.com/thediveo/lxkns):

COPY --from=builder /lxkns /
RUN apk add --no-cache \
        libcap && \
    setcap "cap_sys_admin,cap_sys_chroot,cap_sys_ptrace,cap_dac_read_search+ep" /lxkns && \
    apk del --no-cache libcap

Please note that file capabilities are used in order to run all container processes as non-root with a UID other than 0, but still with the required Linux-kernel capabilities.

  1. dive now sees the seemingly exactly identical file in two different layers of the final image. However, one version has no extended attributes for POSIX file capabilities, while the other does.
  2. However, dive does not show the file in its "current layer contents" as changed; thus, when hiding unmodified files, the "wasted duplicate" isn't shown.

dive should not only calculate "waste" based on the file contents, but also on extended file attributes, not least POSIX file capabilities. Also, dive should show files as changed whenever their extended attributes change.
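As an added illustration (not dive's code and not from the issue author), the following Go sketch shows the comparison the report asks for: a per-file digest that folds in the `SCHILY.xattr.*` PAX records a layer tar carries, so that two byte-identical copies of `/lxkns`, one with `security.capability` set by `setcap` and one without, no longer count as the same unchanged file. The `Entry` helper, the binary bytes and the capability value are constructed placeholders, not data read from a real image.

```go
package main

import (
	"archive/tar"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Layer tars carry extended attributes as PAX records named
// "SCHILY.xattr.<name>"; POSIX file capabilities are security.capability.
const xattrPrefix = "SCHILY.xattr."

// EntryDigest hashes an entry's content together with its sorted xattrs, so
// a copy that differs only by a setcap no longer looks identical.
func EntryDigest(hdr *tar.Header, data []byte) string {
	var keys []string
	for k := range hdr.PAXRecords {
		if strings.HasPrefix(k, xattrPrefix) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // map order is random; keep the hash deterministic
	h := sha256.New()
	h.Write(data)
	for _, k := range keys { // length-prefixed so name/value boundaries are unambiguous
		v := hdr.PAXRecords[k]
		fmt.Fprintf(h, "%d:%s%d:%s", len(k), k, len(v), v)
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// Entry builds the header a layer unpacker would yield for a file carrying
// the given xattrs (constructed input, not read from a real image layer).
func Entry(name string, size int, xattrs map[string]string) *tar.Header {
	hdr := &tar.Header{Name: name, Mode: 0o755, Size: int64(size), PAXRecords: map[string]string{}}
	for k, v := range xattrs {
		hdr.PAXRecords[xattrPrefix+k] = v
	}
	return hdr
}

func main() {
	bin := []byte("\x7fELF...") // constructed stand-in for the lxkns binary
	plain := Entry("lxkns", len(bin), nil)
	capped := Entry("lxkns", len(bin), map[string]string{"security.capability": "\x01\x00\x00\x02placeholder"})
	fmt.Println(EntryDigest(plain, bin) != EntryDigest(capped, bin)) // true: same bytes, but now "changed"
}
```

With no xattrs present the digest is exactly sha256 of the content, so existing content-only comparisons stay unchanged for files without extended attributes.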
