Bug 1810710 - [4.4] Components using relative paths in multistage Dockerfile `COPY --from` commands may break on OCP 4
Summary: [4.4] Components using relative paths in multistage Dockerfile `COPY --from` ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Release
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.4.z
Assignee: Ben Parees
QA Contact: Qiaoling Tang
URL:
Whiteboard:
Depends On: 1810709
Blocks: 1810713
TreeView+ depends on / blocked
 
Reported: 2020-03-05 18:56 UTC by Adam Kaplan
Modified: 2020-05-04 11:45 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1810709
: 1810713 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:44:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:45:26 UTC

Description Adam Kaplan 2020-03-05 18:56:59 UTC 
This is a tracking bug for components that may not be able to immediately migrate their CI to 4.x clusters due a behavior skew between imagebuilder and buildah.

Problem:

In a multistage build, it is common to use the `COPY --from=<alias|index> <src> <dest>` instruction. In imagebuilder relative paths were allowed in the <src> argument - imagebuilder would assume that <src> was relative to the the most recent working directory in the referenced image. Docker and buildah do not make this assumption [1][2].

The following repos (producing images with the referenced Dockerfiles) may be impacted:

openshift/ansible-service-broker › operator/build/olm-testing.Dockerfile
openshift/ansible-service-broker › operator/build/olm-testing.downstream.Dockerfile
openshift/certman-operator › build/Dockerfile
openshift/cloud-ingress-operator › build/Dockerfile
openshift/cluster-kube-apiserver-operator › Dockerfile-origin-release
openshift/cluster-logging-operator › Dockerfile
openshift/configmap-reload › Dockerfile
openshift/configmap-reload › Dockerfile.ocp
openshift/deadmanssnitch-operator › build/Dockerfile
openshift/kube-state-metrics › Dockerfile.ocp
openshift/managed-velero-operator › build/Dockerfile
openshift/multus-cni › webhook/Dockerfile
openshift/openshift-state-metrics › Dockerfile
openshift/pagerduty-operator › build/Dockerfile
openshift/rbac-permissions-operator › build/Dockerfile
openshift/splunk-forwarder-operator › build/Dockerfile

Solution:

Replace the relative path in <src> with an absolute path.

Note that some of these Dockerfiles use environment variables or build args to set an absolute path. If these are utilized, teams should verify that these env vars or build args are set properly in openshift/release.

Additional Info:

[1] https://docs.docker.com/engine/reference/builder/#copy
[2] https://github.com/moby/moby/issues/36643
Comment 4 Qiaoling Tang 2020-04-24 08:41:06 UTC 
Find a PR https://github.com/openshift/cluster-logging-operator/pull/411

Checked with ose-cluster-logging-operator-v4.4.0-202004222248, the fix is in the image:

$ ls /manifests/
4.4  cluster-logging.package.yaml

Move this bug to VERIFIED.
Comment 6 errata-xmlrpc 2020-05-04 11:44:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581
Note You need to log in before you can comment on or make changes to this bug.