Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1810710

Summary:	[4.4] Components using relative paths in multistage Dockerfile `COPY --from` commands may break on OCP 4
Product:	OpenShift Container Platform	Reporter:	Adam Kaplan <adam.kaplan>
Component:	Release	Assignee:	Ben Parees <bparees>
Status:	CLOSED ERRATA	QA Contact:	Qiaoling Tang <qitang>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	4.4	CC:	aos-bugs, bparees, erich, jokerman, wsun
Target Milestone:	---
Target Release:	4.4.z
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:	1810709
Clones:	1810713 (view as bug list)		Environment:
Last Closed:	2020-05-04 11:44:56 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1810709
Bug Blocks:	1810713

Description Adam Kaplan 2020-03-05 18:56:59 UTC

This is a tracking bug for components that may not be able to immediately migrate their CI to 4.x clusters due a behavior skew between imagebuilder and buildah.

Problem:

In a multistage build, it is common to use the `COPY --from=<alias|index> <src> <dest>` instruction. In imagebuilder relative paths were allowed in the <src> argument - imagebuilder would assume that <src> was relative to the the most recent working directory in the referenced image. Docker and buildah do not make this assumption [1][2].

The following repos (producing images with the referenced Dockerfiles) may be impacted:

openshift/ansible-service-broker › operator/build/olm-testing.Dockerfile
openshift/ansible-service-broker › operator/build/olm-testing.downstream.Dockerfile
openshift/certman-operator › build/Dockerfile
openshift/cloud-ingress-operator › build/Dockerfile
openshift/cluster-kube-apiserver-operator › Dockerfile-origin-release
openshift/cluster-logging-operator › Dockerfile
openshift/configmap-reload › Dockerfile
openshift/configmap-reload › Dockerfile.ocp
openshift/deadmanssnitch-operator › build/Dockerfile
openshift/kube-state-metrics › Dockerfile.ocp
openshift/managed-velero-operator › build/Dockerfile
openshift/multus-cni › webhook/Dockerfile
openshift/openshift-state-metrics › Dockerfile
openshift/pagerduty-operator › build/Dockerfile
openshift/rbac-permissions-operator › build/Dockerfile
openshift/splunk-forwarder-operator › build/Dockerfile

Solution:

Replace the relative path in <src> with an absolute path.

Note that some of these Dockerfiles use environment variables or build args to set an absolute path. If these are utilized, teams should verify that these env vars or build args are set properly in openshift/release.

Additional Info:

[1] https://docs.docker.com/engine/reference/builder/#copy
[2] https://github.com/moby/moby/issues/36643

Comment 4 Qiaoling Tang 2020-04-24 08:41:06 UTC

Find a PR https://github.com/openshift/cluster-logging-operator/pull/411

Checked with ose-cluster-logging-operator-v4.4.0-202004222248, the fix is in the image:

$ ls /manifests/
4.4  cluster-logging.package.yaml

Move this bug to VERIFIED.

Comment 6 errata-xmlrpc 2020-05-04 11:44:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581