forked from GoogleContainerTools/kaniko
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Always snapshot files in COPY and RUN commands
Kaniko uses mtime (as well as file contents and other attributes) to determine if files have changed. COPY and ADD commands should _always_ update the mtime, because they actually overwrite the files. However it turns out that the mtime can lag, so kaniko would sometimes add a new layer when using COPY or ADD on a file, and sometimes would not. This leads to a non-deterministic number of layers.

To fix this, we have updated the kaniko commands to be more authoritative in declaring when they have changed a file (e.g. WORKDIR will now only create the directory when it doesn't exist) and we will trust those files and _always_ add them, instead of only adding them if they haven't changed.

It is possible for RUN commands to also change the filesystem, in which case kaniko has no choice but to look at the filesystem to determine what has changed. For this case we have added a call to `sync` however we still cannot guarantee that sometimes the mtime will not lag, causing the number of layers to be non-deterministic. However when I tried to cause this behaviour with the RUN command, I couldn't.

This changes the snapshotting logic a bit; before this change, the last command of the last stage in a Dockerfile would always scan the whole file system and ignore the files returned by the kaniko command. Instead we will now trust those files and assume that the snapshotting performed by previous commands will be adequate.

Docker itself seems to rely on the storage driver to determine when files have changed and so doesn't have to deal with these problems directly.

An alternative implementation would use `inotify` to track which files have changed. However that would mean watching every file in the filesystem, and adding new watches as files are added. Not only is there a limit on the number of files that can be watched, but according to the man pages a) this can take a significant amount of time b) there is complication around when events arrive (e.g. by the time they arrive, the files may have changed) and lastly c) events can be lost, which would mean we'd run into this non-deterministic behaviour again anyway.

Fixes GoogleContainerTools#251
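The failure mode the commit message describes, as an added Go example that is not part of the commit or of kaniko's code: a snapshotter that compares stat metadata emits a single layer for 48 identical copies when the mtime does not advance, while one that trusts the file list reported by the command emits 48. Assumptions: `fileKey`, `layersFor` and its `tick` parameter are hypothetical names, the key is reduced to size and mtime, and the lag is simulated by pinning the timestamp with `os.Chtimes`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// fileKey is the metadata this toy snapshotter compares (constructed for the example).
type fileKey struct{ size, mtimeNs int64 }

// layersFor replays n identical COPY steps and counts the layers emitted. tick=0 pins
// the mtime (simulated lag); trustCommand always adds the file the command reports.
func layersFor(n int, trustCommand bool, tick time.Duration) (int, error) {
	dir, err := os.MkdirTemp("", "snapshot-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	dst := filepath.Join(dir, "foo")
	base := time.Unix(1500000000, 0) // constructed starting mtime
	prev, layers := fileKey{}, 0
	for i := 0; i < n; i++ {
		if err := os.WriteFile(dst, []byte("same contents\n"), 0o644); err != nil {
			return 0, err
		}
		stamp := base.Add(time.Duration(i+1) * tick)
		if err := os.Chtimes(dst, stamp, stamp); err != nil {
			return 0, err
		}
		fi, err := os.Stat(dst)
		if err != nil {
			return 0, err
		}
		cur := fileKey{fi.Size(), fi.ModTime().UnixNano()}
		if trustCommand || cur != prev { // stat mode: layer only on a metadata change
			layers++
		}
		prev = cur
	}
	return layers, nil
}

func main() {
	stat, e1 := layersFor(48, false, 0)
	trusted, e2 := layersFor(48, true, 0)
	fmt.Println("stat-based:", stat, e1, "command-declared:", trusted, e2)
}
```

With a real filesystem the mtime advances on some copies and not others, so the stat-based count lands anywhere between these two extremes from one build to the next.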
1 parent 3a9b4fe, commit d31befb
Showing 10 changed files with 177 additions and 49 deletions.
49 changes: 49 additions & 0 deletions
integration/dockerfiles/Dockerfile_test_copy_same_file_many_times
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
FROM alpine@sha256:5ce5f501c457015c4b91f91a15ac69157d9b06f1a75cf9107bf2b62e0843983a | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo | ||
COPY context/foo /foo |
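Review bot: The 48 consecutive `COPY context/foo /foo` lines that follow the `FROM` carry no comment saying why the same copy is repeated or how many layers the build is expected to produce, so the file reads as an accident and invites someone to collapse it later. Add a header comment that ties it to the mtime-lag problem from the commit message (GoogleContainerTools#251) and states that every COPY must yield its own layer. Since the commit message describes the lag as intermittent, the same comment should say that the repetition count exists to make a regression likely to surface, because a single passing run is weak evidence. Pinning the base image by digest is a good choice here and keeps the expected layer count stable.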