Bug 1810181 - Components using globs in Dockerfile COPY commands may break on OCP 4
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Release
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.5.0
Assignee: Ben Parees
QA Contact: Wei Sun
URL:
Whiteboard:
Duplicates: 1813502
Depends On:
Blocks: 1810182
Reported: 2020-03-04 16:41 UTC by Adam Kaplan
Modified: 2020-06-05 18:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1810182
Environment:
Last Closed: 2020-06-05 18:00:45 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift cluster-etcd-operator pull 287 | 0 | None | closed | Bug 1810181: Remove wildcard COPY form Docker | 2020-06-03 13:37:13 UTC |
| Github | openshift cluster-kube-apiserver-operator pull 802 | 0 | None | closed | Bug 1810181: Components using globs in Dockerfile COPY commands may break on OCP 4 | 2020-06-03 13:37:13 UTC |
| Github | openshift cluster-kube-controller-manager-operator pull 364 | 0 | None | closed | Bug 1810181: Update dockerfile to address buildah COPY bug | 2020-06-03 13:37:12 UTC |
| Github | openshift cluster-kube-controller-manager-operator pull 369 | 0 | None | closed | Bug 1810181: Remove wildcard COPY form Dockerfile | 2020-06-03 13:37:12 UTC |
| Github | openshift cluster-kube-scheduler-operator pull 214 | 0 | None | closed | Bug 1810181: Remove wildcard COPY form Dockerfile | 2020-06-03 13:37:12 UTC |
| Github | openshift cluster-logging-operator pull 394 | 0 | None | closed | Bug 1810709: fix Dockerfile to be buildable by buildah | 2020-06-03 13:37:12 UTC |
| Github | openshift router pull 99 | 0 | None | closed | Bug 1813507: Wildcard is not needed to copy subdirectory in dockerfile | 2020-06-03 13:37:12 UTC |

Description Adam Kaplan 2020-03-04 16:41:04 UTC
This is a tracking bug for components that may not be able to immediately migrate their CI to 4.x clusters due to a behavior skew between imagebuilder and buildah.

Docker has a longstanding bug using globs in COPY directives (i.e. COPY foo/dir/* /tmp/dir/ ). If the directory structure includes subdirectories, these subdirectories are not present in the destination [1][2]. Buildah - which is used to run builds in OCP 4.x - inherited this bug to maintain compatibility with Docker.

Imagebuilder - which is used to run multistage Dockerfile builds on OCP 3.11 - does not have this bug. Teams migrating their CI jobs from our 3.11 cluster to 4.x clusters may encounter failures if their build relies on glob copies that preserve the subdirectory structure.

The following repos (producing images with the referenced Dockerfiles) may be impacted:

openshift/cluster-etcd-operator › Dockerfile.rhel7
openshift/cluster-image-registry-operator › Dockerfile
openshift/cluster-kube-apiserver-operator › Dockerfile.rhel7
openshift/cluster-kube-controller-manager-operator › Dockerfile.rhel7
openshift/cluster-kube-scheduler-operator › Dockerfile.rhel7
openshift/cluster-logging-operator › Dockerfile
openshift/cluster-nfd-operator › Dockerfile.rhel7
openshift/cluster-samples-operator › Dockerfile.rhel7
openshift/loki › fluentd/fluent-plugin-grafana-loki/Dockerfile
openshift/must-gather › Dockerfile
openshift/must-gather › Dockerfile.rhel7
openshift/ocp-release-operator-sdk › ci/dockerfiles/ansible-e2e-hybrid.Dockerfile
openshift/ocp-release-operator-sdk › ci/dockerfiles/ansible.Dockerfile
openshift/ocs-operator › must-gather/Dockerfile
openshift/origin-aggregated-logging › curator/Dockerfile
openshift/origin-aggregated-logging › curator/Dockerfile.centos7
openshift/prometheus-operator › scripts/tooling/Dockerfile
openshift/router › images/router/haproxy/Dockerfile
openshift/router › images/router/haproxy/Dockerfile.rhel
openshift/router › images/router/nginx/Dockerfile
openshift/router › images/router/nginx/Dockerfile.rhel
openshift/svt › networking/synthetic/stac-s2i-builder-image/Dockerfile
openshift/windows-machine-config-operator › build/Dockerfile


Solution:

When possible, use simple directory copies with a trailing slash in the destination instead of globs. This will copy the directory and its subdirectories to the destination.

Example:

```
COPY foo/dir /tmp/
```

will move the contents of “dir” to /tmp/dir. This may require you to update the source file structure so that the source and destination directories align.

Actions:

1. Review the Dockerfiles used to build your images if your Dockerfile is referenced above.
2. Test your Dockerfile build with a current version of Docker or buildah. If your build fails with Docker/buildah, replace glob usage with simple directory file copies.
3. Submit a PR with your changes, referencing the appropriate BZ for the version you are targeting your PR against.
4. Cherrypick your PRs to the earliest version the referenced Dockerfile was used to produce an image. Retitle your PR with the appropriate BZ and mention Ben Parees (@bparees) in your pull request.


Additional Info:

[1] https://github.com/moby/moby/issues/29211
[2] https://github.com/moby/moby/issues/15858

Comment 1 Gabe Montero 2020-03-04 22:15:32 UTC
I've tested cluster-samples-operator with buildah and it is ok, all the manifest files are in /manifest as expected ... there are no subdirs under the manifest dir where we copy manifest/0*

Comment 3 Jeff Cantrill 2020-03-13 15:09:23 UTC
logging-curator5 successfully built using buildah

Comment 4 Suresh Kolichala 2020-03-31 15:15:53 UTC
*** Bug 1813502 has been marked as a duplicate of this bug. ***

Comment 6 Ben Parees 2020-04-02 18:51:53 UTC
Sam, point me to your PR and I will override the BZ req.

Comment 7 Sam Batschelet 2020-04-02 20:57:57 UTC
https://github.com/openshift/cluster-etcd-operator/pull/288

Thanks Ben

Comment 9 Ben Parees 2020-06-05 18:00:45 UTC
As far as I know all components are migrated to ocp4 and building successfully, so we can close this out.

If new ones are hit, we can create new bugs.

