Bug 1821670 - [4.3] Logging Components using relative paths in multistage Dockerfile `COPY --from` commands may break on OCP 4
Summary: [4.3] Logging Components using relative paths in multistage Dockerfile `COPY ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.3.z
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On: 1810713
Blocks: 1810715 1825275
TreeView+ depends on / blocked
 
Reported: 2020-04-07 11:58 UTC by Jeff Cantrill
Modified: 2020-05-20 13:48 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1810713
: 1825275 (view as bug list)
Environment:
Last Closed: 2020-05-20 13:47:53 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-logging-operator pull 441 0 None closed [release-4.3] Bug 1821670: Make useable by buildah 2020-06-24 21:18:46 UTC
Github openshift origin-aggregated-logging pull 1885 0 None closed Bug 1821670: Make images buildah compatible 2020-06-24 21:18:46 UTC
Red Hat Product Errata RHBA-2020:2129 0 None None None 2020-05-20 13:48:08 UTC

Description Jeff Cantrill 2020-04-07 11:58:04 UTC
+++ This bug was initially created as a clone of Bug #1810713 +++

This is a tracking bug for components that may not be able to immediately migrate their CI to 4.x clusters due a behavior skew between imagebuilder and buildah.

Problem:

In a multistage build, it is common to use the `COPY --from=<alias|index> <src> <dest>` instruction. In imagebuilder relative paths were allowed in the <src> argument - imagebuilder would assume that <src> was relative to the the most recent working directory in the referenced image. Docker and buildah do not make this assumption [1][2].

The following repos (producing images with the referenced Dockerfiles) may be impacted:

openshift/ansible-service-broker › operator/build/olm-testing.Dockerfile
openshift/ansible-service-broker › operator/build/olm-testing.downstream.Dockerfile
openshift/certman-operator › build/Dockerfile
openshift/cloud-ingress-operator › build/Dockerfile
openshift/cluster-kube-apiserver-operator › Dockerfile-origin-release
openshift/cluster-logging-operator › Dockerfile
openshift/configmap-reload › Dockerfile
openshift/configmap-reload › Dockerfile.ocp
openshift/deadmanssnitch-operator › build/Dockerfile
openshift/kube-state-metrics › Dockerfile.ocp
openshift/managed-velero-operator › build/Dockerfile
openshift/multus-cni › webhook/Dockerfile
openshift/openshift-state-metrics › Dockerfile
openshift/pagerduty-operator › build/Dockerfile
openshift/rbac-permissions-operator › build/Dockerfile
openshift/splunk-forwarder-operator › build/Dockerfile

Solution:

Replace the relative path in <src> with an absolute path.

Note that some of these Dockerfiles use environment variables or build args to set an absolute path. If these are utilized, teams should verify that these env vars or build args are set properly in openshift/release.

Additional Info:

[1] https://docs.docker.com/engine/reference/builder/#copy
[2] https://github.com/moby/moby/issues/36643

Comment 4 Anping Li 2020-04-20 00:59:50 UTC
Move to verified as the code merged.

Comment 10 errata-xmlrpc 2020-05-20 13:47:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2129


Note You need to log in before you can comment on or make changes to this bug.