Proposal: Allow "COPY --from" to skip files from base image

[thaJeztah]

• relates to Remove squash from build #34565

Multi stage builds are a better alternative to the experimental --squash option for most use cases. However, there is one use-case that's not addressed by this feature (see #34565 (comment)). Some silly examples below are just to illustrate the issue.

Copying all files from a build-stage to the final image (from scratch) produces a single-layer image:

FROM alpine AS build-stage
RUN apk add --no-cache man
RUN apk add --no-cache nginx
RUN apk del --no-cache man


FROM scratch
COPY --from=build-stage / /

While works correctly if the final image is built from scratch (and may be the desired result), the resulting image is fully squashed, including the base-image, and therefore does not take advantage of sharing the base image layer with other images.

When attempting to use the same base-image for both stages;

FROM alpine AS build-stage
RUN apk add --no-cache man
RUN apk add --no-cache nginx
RUN apk del --no-cache man


FROM alpine
COPY --from=build-stage / /

The entire base image is included twice in the final image (once as the "base" layer, and once as part of the squashed / copied layer):

REPOSITORY    TAG         IMAGE ID            CREATED             SIZE
squashed2     latest      ad22751e06e6        About an hour ago   9.28MB
squashed      latest      94080bdf30e4        About an hour ago   5.31MB

Ideally the builder would automatically skip files that are already present in the base image (based on their checksum/metadata). Doing so would resolve cases where the same base image is used for both stages.

In many cases this won't be enough though; the build-stage could use a different base image (containing build-tools), and only artifacts produced by the build-stage itself should be copied; for example in the following dockerfile:

FROM buildpack-deps:stretch AS build-stage
COPY . /usr/src/
WORKDIR /usr/src/
RUN gcc -g .......


FROM debian:stretch
COPY --from build-stage / /

While it is best practice to be specific what to copy from a stage (i.e., only the artifacts you need), however, keeping track of exact paths and files to copy can be cumbersome, and error-prone (for example, determining which files are installed by an apt-get install foo may not be known by the user). Artifacts can also be distributed over many (sub)directories, some of those containing files that were inherited from the base image.

Proposal: add option to skip files from the base image

The COPY command should have an option to ignore any file that was already present in the base image to address the issues mentioned above. I don't have a proper name for this option yet, so just using --skip-base as a placeholder. Example uses would look something like:

Copy every file that was added/modified in build-stage to the final image:

FROM alpine AS build-stage
RUN apk add --no-cache nginx

FROM alpine
COPY --skip-base --from=build-stage / /

Copy every file _inside /usr that was created in build-stage to the final image

FROM buildpack-deps:stretch AS build-stage
COPY . /usr/src/
WORKDIR /usr/src/
RUN gcc -g .......


FROM debian:stretch
COPY  --skip-base --from=build-stage /usr /usr

/cc @ijc @dnephin @tonistiigi PTAL

[ijc]

#34565 (comment) also mentions that COPY won't remove files which seems like a behaviour worth preserving.

Perhaps this is better modelled as reapplying layers 1..M onto a different base than a "copy" as such (so kind of like a git rebase -i with fold used).

It might then also make sense to support arbitrary N..M rather than making the base special?

[thaJeztah]

I'm a bit hesitant to add the "layer" concept into the builder. While it's a known concept, layers may not stay around (thinking of snapshots in containerd 1.0). Limiting this to "only copy modifications I made in a build-stage" feels more generic than "copy these layers".

The "remove" issue is indeed interesting (i.e. a build-stage removed files from the base image).

$ docker build --squash --tag removy -<<EOF
FROM nginx:alpine
RUN rm /usr/sbin/nginx
EOF

$ docker run --rm removy ls -la /usr/sbin/nginx
ls: /usr/sbin/nginx: No such file or directory

[ijc]

I'm a bit hesitant to add the "layer" concept into the builder.

Call it "step" then, conceptually you are reapplying the semantic filesystem changes made by a sequence of Dockerfile directives to a new base, how those are normally stored (layers, snapshots, whatever) is just an implementation detail really.

[davetapley]

The introduction of this warning might increase demand for the 'squash' functionality of multi-stage builds:

[WARNING]: Empty continuation lines will become errors in a future release.

As identified on this Stackoverflow question, it make comments in multi-line RUN commands illegal.
A major use case of that pattern is to achieve layer squashing.

[thaJeztah]

@dukedave see #35004

[tonistiigi]

This behavior depends on the storage driver and if storage driver is able to detect duplicates or not. For example, if you try this with overlay (and I assume btrfs, devicemapper) it already works correctly and file like

from alpine as builder
run apk add --no-cache man
run apk add --no-cache git

from alpine
copy --from=builder / /

creates 2 images with identical size but a different number of layers.

So there is no need for the extra flag. If we like this behavior either more drivers should do it or builder should enforce duplicate check(adds a performance penalty).

[tonistiigi]

Containerd only supports the "naive" differ that doesn't have this issue (but has some other downsides) so when it is integrated the files should at least be removed from the final images.

As the main issue is the COPY command in Dockerfile, and even more precisely the multi-stage COPY case, we could just add the duplicate detection to the copier directly. So when files are copied and a destination file exists with same metadata we do a content-based check for the destination path to check if it is identical. If it is, we never open the destination file for writing and therefore there is no copy-up on the driver. This is even better than what naive differ does as the files are not even duplicated in the local snapshots. If anyone wants to attempt this I would recommend attempting it for BuildKit first. The copy operation in BuildKit is performed by the Copy method in https://godoc.org/github.com/tonistiigi/fsutil/copy that would need to detect these duplicates now.

the build-stage could use a different base image (containing build-tools),

In this cases, if we would skip some arbitrary files from original layers it is very likely that the final image will be subtly broken, eg segfaulting on runtime because of missing libraries etc. This is opposite to the promises of containers so we want to avoid it. There are good ways of containing your artifacts in build stages for most cases.