Bug 1821670

Summary: [4.3] Logging Components using relative paths in multistage Dockerfile `COPY --from` commands may break on OCP 4
Product: OpenShift Container Platform Reporter: Jeff Cantrill <jcantril>
Component: LoggingAssignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.3.zCC: adam.kaplan, aos-bugs, bparees, erich, jokerman, wsun
Target Milestone: ---   
Target Release: 4.3.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1810713
: 1825275 (view as bug list) Environment:
Last Closed: 2020-05-20 13:47:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1810713    
Bug Blocks: 1810715, 1825275    

Description Jeff Cantrill 2020-04-07 11:58:04 UTC 
+++ This bug was initially created as a clone of Bug #1810713 +++

This is a tracking bug for components that may not be able to immediately migrate their CI to 4.x clusters due a behavior skew between imagebuilder and buildah.

Problem:

In a multistage build, it is common to use the `COPY --from=<alias|index> <src> <dest>` instruction. In imagebuilder relative paths were allowed in the <src> argument - imagebuilder would assume that <src> was relative to the the most recent working directory in the referenced image. Docker and buildah do not make this assumption [1][2].

The following repos (producing images with the referenced Dockerfiles) may be impacted:

openshift/ansible-service-broker › operator/build/olm-testing.Dockerfile
openshift/ansible-service-broker › operator/build/olm-testing.downstream.Dockerfile
openshift/certman-operator › build/Dockerfile
openshift/cloud-ingress-operator › build/Dockerfile
openshift/cluster-kube-apiserver-operator › Dockerfile-origin-release
openshift/cluster-logging-operator › Dockerfile
openshift/configmap-reload › Dockerfile
openshift/configmap-reload › Dockerfile.ocp
openshift/deadmanssnitch-operator › build/Dockerfile
openshift/kube-state-metrics › Dockerfile.ocp
openshift/managed-velero-operator › build/Dockerfile
openshift/multus-cni › webhook/Dockerfile
openshift/openshift-state-metrics › Dockerfile
openshift/pagerduty-operator › build/Dockerfile
openshift/rbac-permissions-operator › build/Dockerfile
openshift/splunk-forwarder-operator › build/Dockerfile

Solution:

Replace the relative path in <src> with an absolute path.

Note that some of these Dockerfiles use environment variables or build args to set an absolute path. If these are utilized, teams should verify that these env vars or build args are set properly in openshift/release.

Additional Info:

[1] https://docs.docker.com/engine/reference/builder/#copy
[2] https://github.com/moby/moby/issues/36643
Comment 4 Anping Li 2020-04-20 00:59:50 UTC 
Move to verified as the code merged.
Comment 10 errata-xmlrpc 2020-05-20 13:47:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2129