Fix copying root

go.mod

@@ -39,7 +39,7 @@ require (
 	github.com/opencontainers/runtime-spec v1.0.1 // indirect
 	github.com/opencontainers/selinux v1.0.0-rc1 // indirect
 	github.com/opentracing/opentracing-go v1.0.2 // indirect
-	github.com/otiai10/copy v1.0.2
+	github.com/otiai10/copy v1.6.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.6.0
 	github.com/spf13/afero v1.2.2

go.sum

@@ -569,10 +569,14 @@ github.com/opentracing/opentracing-go v1.0.2 h1:3jA2P6O1F9UOrWVpwrIo17pu01KWvNWg
 github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/otiai10/copy v1.0.2 h1:DDNipYy6RkIkjMwy+AWzgKiNTyj2RUI9yEMeETEpVyc=
 github.com/otiai10/copy v1.0.2/go.mod h1:c7RpqBkwMom4bYTSkLSym4VSJz/XtncWRAj/J4PEIMY=
+github.com/otiai10/copy v1.6.0 h1:IinKAryFFuPONZ7cm6T6E2QX/vcJwSnlaA5lfoaXIiQ=
+github.com/otiai10/copy v1.6.0/go.mod h1:XWfuS3CrI0R6IE0FbgHsEazaXO8G0LpMp9o8tos0x4E=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95 h1:+OLn68pqasWca0z5ryit9KGfp3sUsW4Lqg32iRMJyzs=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
+github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
 github.com/otiai10/mint v1.3.0 h1:Ady6MKVezQwHBkGzLFbrsywyp09Ah7rkmfjV3Bcr5uc=
 github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
+github.com/otiai10/mint v1.3.2/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=

integration/dockerfiles-with-context/issue-960/Dockerfile

@@ -0,0 +1,39 @@
+# Copyright 2021 Google, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine:3.14 as rootfs
+
+FROM alpine:3.14
+
+RUN mkdir -p /sysroot
+COPY --from=rootfs / /sysroot/
+
+# Workaround: we must remove some files to pass the integration test.
+# Unlike Docker, kaniko has no access to the original layer data from the
+# building context and can't preserve them in their original form.
+RUN rm -f \
+      /sysroot/etc/hostname \
+      /sysroot/etc/hosts \
+      /sysroot/etc/mtab \
+      /sysroot/etc/nsswitch.conf
+
+# Additional check for preserved dirs. They must persist in image but be empty.
+RUN printf "%s\n" \
+      "/sysroot/dev/:" \
+      "" \
+      "/sysroot/sys/:" \
+      > /tmp/expected \
+ && ls -1 /sysroot/dev/ /sysroot/sys/ \
+      > /tmp/got \
+ && diff -u /tmp/got /tmp/expected

pkg/util/fs_util.go

@@ -66,6 +66,14 @@ var defaultIgnoreList = []IgnoreListEntry{
 		Path:            "/etc/mtab",
 		PrefixMatchOnly: false,
 	},
+	{
+		Path:            "/.dockerenv",
+		PrefixMatchOnly: false,
+	},
+	{
+		Path:            "/.dockerinit",
+		PrefixMatchOnly: false,
+	},
 	{
 		// we ingore /tmp/apt-key-gpghome, since the apt keys are added temporarily in this directory.
 		// from the base image
@@ -76,6 +84,10 @@ var defaultIgnoreList = []IgnoreListEntry{
 
 var ignorelist = append([]IgnoreListEntry{}, defaultIgnoreList...)
 
+// these paths should be always preserved in the image
+// adding them to ignore list will remove just nested paths
+var preservelist = []string{"/dev", "/proc", "/run", "/sys", "/var/run"}
+
 var volumes = []string{}
 
 type FileContext struct {
@@ -294,7 +306,7 @@ func ExtractFile(dest string, hdr *tar.Header, tr io.Reader) error {
 		return err
 	}
 
-	if CheckIgnoreList(abs) && !checkIgnoreListRoot(dest) {
+	if CheckIgnoreList(abs) && !checkIgnoreListRoot(dest) && !CheckPreserveList(dest) {
 		logrus.Debugf("Not adding %s because it is ignored", path)
 		return nil
 	}
@@ -430,6 +442,16 @@ func checkIgnoreListRoot(root string) bool {
 	return CheckIgnoreList(root)
 }
 
+// Check if path should be always preserved
+func CheckPreserveList(path string) bool {
+	for _, p := range preservelist {
+		if path == p {
+			return true
+		}
+	}
+	return false
+}
+
 // Get ignorelist from roots of mounted files
 // Each line of /proc/self/mountinfo is in the form:
 // 36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
@@ -901,7 +923,16 @@ func CopyFileOrSymlink(src string, destDir string, root string) error {
 		}
 		return os.Symlink(link, destFile)
 	}
-	err := otiai10Cpy.Copy(src, destFile)
+	opt := otiai10Cpy.Options{
+		Skip: func(path string) (bool, error) {
+			if CheckIgnoreList(path) && !CheckPreserveList(path) {
+				logrus.Debugf("Not copying %s, as it's ignored", path)
+				return true, nil
+			}
+			return false, nil
+		},
+	}
+	err := otiai10Cpy.Copy(src, destFile, opt)
 	if err != nil {
 		return errors.Wrap(err, "copying file")
 	}

pkg/util/fs_util_test.go

@@ -66,6 +66,8 @@ func Test_DetectFilesystemSkiplist(t *testing.T) {
 		{"/dev", false},
 		{"/dev/pts", false},
 		{"/sys", false},
+		{"/.dockerenv", false},
+		{"/.dockerinit", false},
 		{"/etc/mtab", false},
 		{"/tmp/apt-key-gpghome", true},
 	}
@@ -1513,6 +1515,14 @@ func TestInitIgnoreList(t *testing.T) {
 			Path:            "/etc/mtab",
 			PrefixMatchOnly: false,
 		},
+		{
+			Path:            "/.dockerenv",
+			PrefixMatchOnly: false,
+		},
+		{
+			Path:            "/.dockerinit",
+			PrefixMatchOnly: false,
+		},
 		{
 			Path:            "/tmp/apt-key-gpghome",
 			PrefixMatchOnly: true,