carvel-dev/imgpkg

imgpkg fails to pull images built using ko

kkavitha opened this issue · 3 comments

What steps did you take:

Build an image using ko from go source code:

  1. Set KO_DOCKER_REPO
  2. Run ko build --bare . Image will be pushed

Pull the image using imgpkg:
imgpkg pull -i <image-name> -o output-folder

What happened:

imgpkg pull -i <image-name> -o output-folder
Pulling image '<image-name>'
Extracting layer 'sha256:4f8fe8cf0965687f604adde476ea3d9f80a84cbdf1a65' (1/4)
Extracting layer 'sha256:56f50d47b14e80f3433657fca1e3b7eaec734e8ae7ddf3' (2/4)
Extracting layer 'sha256:4e90e501e39c4cbd569536f5cf6e29fea74d74f61aed94' (3/4)

imgpkg: Error: Extracting image into directory: open output-folder/var/run/ko/HEAD: permission denied

Environment:

  • imgpkg version 0.33.0
  • Docker registry used Harbor


I was able to reproduce this by just executing the provided command on the imgpkg folder. It needs to use a distroless base image or else you will get

imgpkg: Error: Extracting image into directory:
  Unsupported tar entry type '3' for file 'dev/console'

Going to accept this issue.
If it is easy, imgpkg should also ignore devices since they cannot be created when pulling the image.

I did some digging around; there are 2 things we can do:

  1. do the extraction in reverse order similar to https://github.com/concourse/registry-image-resource/blob/master/commands/unpack.go#L58 or https://github.com/google/go-containerregistry/blob/7268da01c46ecfb72a3ef6f44d0393f650879663/pkg/v1/mutate/mutate.go#L248
  2. ensure that we do not create devices to fix the other error in the above comment.

The implementation that is present in the registry-image-resource can be used with some tweaks, or the ggcr one with more changes because it creates a new tar instead of extracting it.
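The second option above (skip device entries instead of failing on tar type '3'), as an added Go example that is not imgpkg's code and not part of the original comments. `extractLayer` and the sample entries are hypothetical; it handles only directories and regular files and does not implement the reverse-order extraction from the first option.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// extractLayer (hypothetical helper) unpacks a layer tar into dest and returns the device/FIFO entries it skipped.
func extractLayer(r io.Reader, dest string) ([]string, error) {
	var skipped []string
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return skipped, err
		}
		target := filepath.Join(dest, filepath.Clean("/"+hdr.Name)) // ".." cannot escape dest
		switch hdr.Typeflag {
		case tar.TypeChar, tar.TypeBlock, tar.TypeFifo: // tar types '3', '4', '6': record and skip
			skipped = append(skipped, hdr.Name)
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			var data []byte
			if data, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(target, data, hdr.FileInfo().Mode().Perm())
			}
		default: // symlinks and hard links are outside this example
			err = fmt.Errorf("unsupported tar entry type %q for file %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return skipped, err
		}
	}
	return skipped, nil
}

func main() { // constructed input: one char device and one regular file
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "dev/console", Typeflag: tar.TypeChar, Mode: 0o600})
	tw.WriteHeader(&tar.Header{Name: "hello", Typeflag: tar.TypeReg, Mode: 0o644, Size: 3})
	tw.Write([]byte("hi\n"))
	tw.Close()
	dir, _ := os.MkdirTemp("", "layer")
	fmt.Println(extractLayer(&buf, dir))
}
```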

@joaopapereira / @praveenrewar - do we know if this is on the roadmap to tackle?