kaniko: Our images now fail to run with OCI error

Actual behavior

The new images return: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused “exec: "/usr/bin/java": stat /usr/bin/java: no such file or directory”: unknown

Expected behavior

Previously it ran without issue. No OCI runtime

To Reproduce

  1. Build image with Kaniko
  2. Try to run image docker run

Additional Information

FROM openjdk:8-jre-slim
 
# Expose ports to enable running the service
# Ports should be standardized to make it easier to debug
# Exposing two services in the same port can create conflicts
 
ENV PORT 8080
EXPOSE 8080
 
# List of ARGS input from Kaniko Build
ARG IMAGE_DATE
ARG VCS_REVISION
ARG VCS_SEMVER
ARG PKG_WORKDIR
 
# Labeling based on https://github.com/opencontainers/image-spec/blob/master/annotations.md
LABEL org.opencontainers.image.created="${IMAGE_DATE}"              \
      org.opencontainers.image.revision="${VCS_REVISION}"           \
      org.opencontainers.image.version="${VCS_SEMVER}"              \
      org.opencontainers.image.title="mytitle"                      \
      org.opencontainers.image.description="mydescription"          \
      org.opencontainers.image.authors="myauthors"                  \
      org.opencontainers.image.vendor="myvendor"                    \
      org.opencontainers.image.url="myurl"                          \
      org.opencontainers.image.documentation="mydocumentationlink"  \
      org.opencontainers.image.source="mygitrepourl"
 
# Copy of distribution/target folder artifacts
# In case additional Artifacts are required
 
# All containers should run in least privileged mode, meaning not ROOT.
# NOTE: On OpenShift there is a warning when you try to run as ROOT
RUN addgroup -g 1001 -S cc && \
    adduser -u 1001 -S -G cc cc && \
    chown -R 1001:0 /home/cc && \
    chmod -R g=u /home/cc
     
COPY --chown=1001:0 ${PKG_WORKDIR}/target/*.jar /home/cc/service.jar
 
USER 1001
# Command to initialize the service
CMD ["/usr/bin/java", "-jar", "home/cc/service.jar"]
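
An added example, not part of the original issue or of kaniko's own code: a pre-push check for the failure reported above, where the path the container is told to exec (`/usr/bin/java` here) does not resolve to a file in the built image. It assumes the image has been exported as a `docker save`-style tarball (`manifest.json`, a config JSON, one tar per layer); `flatten`, `resolve` and `missing_exec` are hypothetical helper names, and the check goes beyond the single path in the report by following symlinks and applying layer whiteouts.

```python
import json, posixpath, tarfile

def flatten(image_tar):
    """Return (runtime config, {abs path: TarInfo}) for a `docker save`-style tarball."""
    fs = {}
    with tarfile.open(image_tar) as img:
        manifest = json.load(img.extractfile("manifest.json"))[0]
        config = json.load(img.extractfile(manifest["Config"]))
        for name in manifest["Layers"]:  # base layer first
            added, gone, opq = {}, (), ()
            with tarfile.open(fileobj=img.extractfile(name)) as layer:
                for m in layer:
                    parent, base = posixpath.split(posixpath.normpath("/" + m.name.lstrip("/")))
                    if base == ".wh..wh..opq":     # opaque dir: hides lower-layer children
                        opq += (parent.rstrip("/") + "/",)
                    elif base.startswith(".wh."):  # whiteout: hides one lower-layer entry
                        gone += (posixpath.join(parent, base[4:]) + "/",)
                    else:
                        added[posixpath.join(parent, base)] = m
            fs = {p: m for p, m in fs.items() if not (p.startswith(opq) or (p + "/").startswith(gone))}
            fs.update(added)  # whiteouts only affect lower layers, so add this layer last
    return config.get("config") or {}, fs

def resolve(fs, path, hops=40):
    """Follow symlinks component by component; None if a component is missing."""
    done, todo = "/", [c for c in path.split("/") if c]
    while todo and hops:
        comp = todo.pop(0)
        cur = posixpath.normpath(posixpath.join(done, comp))
        m = fs.get(cur)
        if comp in (".", ".."):
            done = cur
        elif m is None and not any(p.startswith(cur + "/") for p in fs):
            return None  # neither an entry nor an implied parent directory
        elif m is not None and m.issym():
            hops -= 1
            done = "/" if m.linkname.startswith("/") else done
            todo = [c for c in m.linkname.split("/") if c] + todo
        else:
            done = cur
    return None if todo else done  # leftover components mean a symlink loop

def missing_exec(image_tar):
    """Return argv[0] if the image's exec target is absent from its rootfs, else None."""
    cfg, fs = flatten(image_tar)
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    if not argv or not argv[0].startswith("/"):
        return None  # empty or PATH-relative command: out of scope here
    m = fs.get(resolve(fs, argv[0]))
    return None if m and (m.isfile() or m.islnk()) else argv[0]
```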

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 20 (8 by maintainers)

Most upvoted comments

We’re seeing something similar trying to use kaniko to build docker images as part of a gitlab-runner pipeline:

root@dev:~# docker --version
Docker version 20.10.0, build 7287ab3

root@dev:~# gitlab-runner --version
Version:      12.9.0
Git revision: 4c96e5ad
Git branch:   12-9-stable
GO version:   go1.13.8
Built:        2020-03-20T13:01:56+0000
OS/Arch:      linux/amd64

This is a fragment from our gitlab-ci.yml:

build-dockerhub:
  stage: build
  image:
    # TODO: use latest instead of debug once we get to the bottom of issue using latest tag
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  variables:
    DOCKER_HUB_AUTH: $DOCKER_HUB_AUTH
  script:
    - if [ "$CI_COMMIT_REF_NAME" == "master" ]; then IMAGE_TAG="latest"; else IMAGE_TAG=$CI_COMMIT_REF_SLUG; fi
    - echo $CI_COMMIT_REF_NAME > $CI_PROJECT_DIR/src/CI_COMMIT_REF_NAME
    - echo $CI_COMMIT_SHA > $CI_PROJECT_DIR/src/CI_COMMIT_SHA
    - echo $IMAGE_TAG > $CI_PROJECT_DIR/src/IMAGE_TAG
    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"$DOCKER_HUB_AUTH\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile --destination flagsmith/flagsmith-api:$IMAGE_TAG

For some reason, using debug in place of latest fixes the issue.

Bad image creation with OCI error continues with v0.17.1.

@liemdo PR in progress. #1025

Patch fix coming soon.

We get a different error and cannot build the image in Google Cloud Build: error building image: error building stage: failed to get filesystem from image: error removing var/run to make way for new symlink: unlinkat /var/run/docker.sock: device or resource busy.