Red Hat Bugzilla – Bug 1307049
Docker's ADD can't handle a local tar archive with file capabilities in xattr
Last modified: 2016-08-21 06:19:33 EDT
Description of problem:
Building a base container from scratch with a tar archive fails if the archive contains file capabilities.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a base disk image with livemedia-creator
example commands used are available on github:
2. Create a container from the resulting tarball via a very basic Dockerfile. Something like the following:
ADD centos-img.tar.xz /
docker run --rm -t centostest .
3. Run the container and observe that the capabilities are stripped from the iputils package.
[root@73ba9b203c2b /]# rpm -V iputils
4. Create the archive with tar directly:
kpartx -a /var/tmp/centos-7-root
mount /dev/mapper/loop0p1 /mnt
tar -C /mnt/ -jcf centos-img.tar.bz2 .
Build docker container using this tarball, just as above.
Same output from running rpm -V iputils in this container.
[root@92bca8435dd8 /]# rpm -V iputils
5. Create archive with --xattrs, to maintain file capabilities
tar --xattrs -C /mnt/ -jcf centos-img.tar.bz2 .
Build docker container using this tarball:
Note that the resulting container is only slightly larger than the tarball itself.
6. Examine the contents of the docker container:
docker create --name wtf c7build
[root@lappy ~]# docker export wtf | tar -t
Docker has for some reason not extracted this archive, but instead stuffed it inside the container, which won't work.
Validate that the capabilities are intact by importing the tar archive directly
cat centos-img.tar.bz2 | docker import - capvalidate
docker run --rm -it capvalidate /bin/bash
[root@cf2021d70a42 /]# rpm -V iputils
Containers including files with capabilities (like ping) don't get unpacked via an ADD in a Dockerfile.
ADD unpacks the tarball and a base container is happily created.
This looks like golang's tar, which is what docker uses I believe, does not support xattrs.
*** Bug 1307051 has been marked as a duplicate of this bug. ***
*** Bug 1307047 has been marked as a duplicate of this bug. ***
Surely it does. Alexl added that support.
Antonio, have you been working on this?
Fixed in docker-1.10
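To confirm that a tarball like the one built in step 5 really carries file capabilities before it goes into an ADD, the archive's PAX headers can be read directly. The following is an added example, not part of the original report or of Docker's code. It relies on GNU tar's convention of storing xattrs as SCHILY.xattr.* PAX records, and the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import tarfile

# GNU tar --xattrs writes each xattr as a PAX record named SCHILY.xattr.<name>.
CAP_KEY = "SCHILY.xattr.security.capability"
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset of the kernel's list


def decode_vfs_cap(raw: bytes) -> dict:
    """Decode the kernel's vfs_cap_data layout (little-endian u32 fields)."""
    if len(raw) not in (12, 20, 24):        # sizes of revisions 1, 2 and 3
        raise ValueError("unexpected security.capability size")
    magic = struct.unpack_from("<I", raw)[0]
    revision = magic >> 24
    pairs = (len(raw) - 4) // 8             # one (permitted, inheritable) pair per 32 caps
    permitted = sum(struct.unpack_from("<I", raw, 4 + 8 * i)[0] << (32 * i) for i in range(pairs))
    names = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1]
    return {"revision": revision, "effective": bool(magic & 1), "permitted": names}


def capability_members(fileobj) -> dict:
    """Map member name -> decoded capability for each member carrying the xattr."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:  # also reads .tar.bz2/.xz
        for member in tar:
            value = member.pax_headers.get(CAP_KEY)
            if value is not None:
                # tarfile returns binary PAX values as surrogate-escaped str
                found[member.name] = decode_vfs_cap(value.encode("utf-8", "surrogateescape"))
    return found


def build_sample() -> io.BytesIO:
    """Constructed archive: one member with cap_net_admin,cap_net_raw+p, one without."""
    cap = struct.pack("<5I", 0x02000000, (1 << 12) | (1 << 13), 0, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, headers in (("usr/bin/ping", {CAP_KEY: cap.decode("latin-1")}),
                              ("usr/bin/true", {})):
            info = tarfile.TarInfo(name)
            info.pax_headers = headers
            tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(capability_members(build_sample()))
```

An empty result for an archive made without --xattrs (step 4) and a non-empty one for step 5 separates "capabilities were never archived" from "capabilities were lost on extraction".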