docker build --squash can create incorrect shadowed layers

[vincentwoo]

Description

I am building images with docker build --squash. One of my image inherits from another, and tries to COPY over a file that was previously copied in the parent. It appears that sometimes when I build with --squash, this file is not overwritten in the child and has the contents set by the parent. However, if I build afterwards without squash, it correctly copies the child's file.

vwoo@ubuntu:~/shared/execute/docker$ docker build --squash -t us.gcr.io/coderpad-1189/coderpad:vb vb
Sending build context to Docker daemon  3.584kB
Step 1/5 : FROM us.gcr.io/coderpad-1189/coderpad:csharp
 ---> 2bd6abaee988
Step 2/5 : RUN rm *.csproj
 ---> Using cache
 ---> ea17424c4927
Step 3/5 : RUN su - coderpad -c "dotnet new console --name solution --output . --language VB &&   dotnet add package System.Json &&   dotnet add package NUnitLite &&   dotnet run"
 ---> Using cache
 ---> 38b6ba62c6d7
Step 4/5 : RUN rm *.vb
 ---> Using cache
 ---> 5a0d310869ef
Step 5/5 : COPY --chown=coderpad:coderpad bin /usr/local/bin
 ---> Using cache
 ---> 6bbe60888a2c
Successfully built 399a017a0656
Successfully tagged us.gcr.io/coderpad-1189/coderpad:vb
vwoo@ubuntu:~/shared/execute/docker$ docker run --entrypoint /bin/bash  --rm -it us.gcr.io/coderpad-1189/coderpad:vb
root@841b7f8ce1eb:~# cat `which startshell`
#!/bin/bash

echo "$1" | base64 --decode > Solution.cs
dotnet build --verbosity q --no-restore --output . && dotnet exec solution.dll
root@841b7f8ce1eb:~# exit
vwoo@ubuntu:~/shared/execute/docker$ docker build -t us.gcr.io/coderpad-1189/coderpad:vb vb
Sending build context to Docker daemon  3.584kB
Step 1/5 : FROM us.gcr.io/coderpad-1189/coderpad:csharp
 ---> 2bd6abaee988
Step 2/5 : RUN rm *.csproj
 ---> Using cache
 ---> ea17424c4927
Step 3/5 : RUN su - coderpad -c "dotnet new console --name solution --output . --language VB &&   dotnet add package System.Json &&   dotnet add package NUnitLite &&   dotnet run"
 ---> Using cache
 ---> 38b6ba62c6d7
Step 4/5 : RUN rm *.vb
 ---> Using cache
 ---> 5a0d310869ef
Step 5/5 : COPY --chown=coderpad:coderpad bin /usr/local/bin
 ---> Using cache
 ---> 6bbe60888a2c
Successfully built 6bbe60888a2c
Successfully tagged us.gcr.io/coderpad-1189/coderpad:vb
vwoo@ubuntu:~/shared/execute/docker$ docker run --entrypoint /bin/bash  --rm -it us.gcr.io/coderpad-1189/coderpad:vb
root@7e1636a3b5a3:~# cat `which startshell`
#!/bin/bash

echo "$1" | base64 --decode > Solution.vb
dotnet build --verbosity q --no-restore --output . && dotnet exec solution.dll
root@7e1636a3b5a3:~#

Notice that /usr/local/bin/startshell references a file with a .cs extension in the first run, but not after running a build without squash.

Steps to reproduce the issue:

I cannot reproduce this reliably. I believe it may have something to do with layer caching.

Describe the results you received:

See above.

Describe the results you expected:

See above.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:24:51 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:23:15 2018
  OS/Arch:          linux/amd64
  Experimental:     true

Output of docker info:

Containers: 6
 Running: 1
 Paused: 0
 Stopped: 5
Images: 429
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: none
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-36-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.924GiB
Name: ubuntu
ID: BAB2:FH7X:Q3WS:QGFD:EXYB:PDJX:YA6P:TCLJ:427A:5M5J:NHHA:U5GC
Docker Root Dir: /data/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 32
 Goroutines: 52
 System Time: 2018-10-24T02:21:33.142252949Z
 EventsListeners: 1
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
Host system is ubuntu 18.04 running inside vmware fusion, locally.

[thaJeztah]

/cc @cpuguy83 @tonistiigi

[vincentwoo]

This continues to happen for me on 18.09.

[Blyschak]

@vincentwoo Hi, I have this issue too and have steps to reproduce it reliably,
It seems to me that if your copied file has the same size, premissions and modification timestamp the squashing image process doesn't see a difference between those two files.

Here's how I reproduced it:

Dockerfile.base:

FROM debian:stretch

RUN echo "HELLO" > /file

Dockerfile:

FROM base

RUN cat /file && stat /file

RUN touch -r /file /temp

RUN rm /file

RUN echo "WORLD" > /file && touch -r /temp /file && cat /file

RUN rm /temp

RUN cat /file && stat /file

root@e6b5b8dd63cb:~/test# docker build --squash --no-cache -t base -f Dockerfile.base .
Sending build context to Docker daemon  3.584kB
Step 1/2 : FROM debian:stretch
 ---> 0af60a5c6dd0
Step 2/2 : RUN echo "HELLO" > /file
doc ---> Running in 43ab2a1fd27e
ker bui Removing intermediate container 43ab2a1fd27e
 ---> de10ee42643f
 --sqSuccessfully built 45182a193cb5
Successfully tagged base:latest
root@e6b5b8dd63cb:~/test# 
root@e6b5b8dd63cb:~/test# 
root@e6b5b8dd63cb:~/test# docker build --squash --no-cache -t test .
Sending build context to Docker daemon  3.584kB
Step 1/7 : FROM base
 ---> 45182a193cb5
Step 2/7 : RUN cat /file && stat /file
 ---> Running in 9f79d25616f7
HELLO
  File: /file
  Size: 6               Blocks: 8          IO Block: 4096   regular file
Device: 93h/147d        Inode: 1327223     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-03-22 01:20:05.280968695 +0000
Modify: 2019-03-22 01:19:40.000000000 +0000
Change: 2019-03-22 01:20:03.016955800 +0000
 Birth: -
Removing intermediate container 9f79d25616f7
 ---> 79242c75ad5d
Step 3/7 : RUN touch -r /file /temp
 ---> Running in 253d0f241cd7
Removing intermediate container 253d0f241cd7
 ---> ae0f67a09f8a
Step 4/7 : RUN rm /file
 ---> Running in 83806967e810
Removing intermediate container 83806967e810
 ---> 8b1f16011810
Step 5/7 : RUN echo "WORLD" > /file && touch -r /temp /file && cat /file
 ---> Running in df87032242b7
WORLD
Removing intermediate container df87032242b7
 ---> fff8136e869c
Step 6/7 : RUN rm /temp
 ---> Running in cada22c475ce
Removing intermediate container cada22c475ce
 ---> 0332c649dd5d
Step 7/7 : RUN cat /file && stat /file
 ---> Running in 95f8f19107c5
WORLD
  File: /file
  Size: 6               Blocks: 8          IO Block: 4096   regular file
Device: 93h/147d        Inode: 1327222     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-03-22 01:21:08.505328808 +0000
Modify: 2019-03-22 01:19:40.000000000 +0000
Change: 2019-03-22 01:21:03.473300147 +0000
 Birth: -
Removing intermediate container 95f8f19107c5
 ---> f6156d621f76
Successfully built 82a462e413c3
Successfully tagged test:latest
root@e6b5b8dd63cb:~/test# docker run -it test cat /file
HELLO
root@e6b5b8dd63cb:~/test#

In resulting image the file content is "HELLO" which is not expected for me...

[vincentwoo]

Wow, amazing job reproducing the bug. I couldn't isolate the condition. @thaJeztah @cpuguy83 @tonistiigi can you take another look?

[thaJeztah]

@tonistiigi is this related to #38111 ?

[tonistiigi]

@thaJeztah Yes, this is expected with a naive diff that does not pick up changes if size and modified time does not get updated. Unfortunately containerd has decided to go naive diff only so we probably need to add some documentation about this. Not specific to squash as well, would also happen on regular layer. Worst part is that on regular layers you don't see this before you push. cc @dmcgowan