Kaniko remove file copied from an other image if a link (sym or hard) is created on this or a file copied in folder

[emeric-martineau]

Actual behavior
When we copy file from another image:

COPY --from=kaniko /kaniko/executor /kaniko/executor

and create a link (sym or hard) on this:

RUN  ln -s /kaniko/executor /usr/local/bin/kaniko

the folder /kaniko is removed.

Same behavior if create a file in /kaniko folder:

RUN touch /kaniko/empty

Expected behavior
Buildkit compatibility. With buildkit link exists and /kaniko/ is keep.

To Reproduce
Create a image with this Dockerfile:

FROM gcr.io/kaniko-project/executor:v1.9.1 as kaniko

FROM ubuntu:22.04 as target

ENV TERM xterm
ENV DEBIAN_FRONTEND noninteractive

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Initial required packages
RUN \
  apt-get update && \
  apt-get install -y --no-install-recommends \
    ca-certificates \
    apt-utils \
    bash \
    curl \
    unzip \
    git \
    tzdata \
    gettext-base 

COPY --from=kaniko /kaniko/executor /kaniko/executor
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr-env /kaniko/docker-credential-acr-env
COPY --from=kaniko /kaniko/ssl/certs/ /kaniko/ssl/certs/
COPY --from=kaniko /kaniko/.docker /kaniko/.docker
COPY --from=kaniko /etc/nsswitch.conf /etc/nsswitch.conf

ENV SSL_CERT_DIR=/kaniko/ssl/certs
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

RUN  ln -s /kaniko/executor /usr/local/bin/kaniko

Error happend when we use docker image gcr.io/kaniko-project/executor:v1.9.1

Additional Information
Workaround:

FROM gcr.io/kaniko-project/executor:v1.9.1 as kaniko

FROM ubuntu:22.04 as target

ENV TERM xterm
ENV DEBIAN_FRONTEND noninteractive

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

COPY --from=kaniko /kaniko/executor /kaniko/executor
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr-env /kaniko/docker-credential-acr-env
COPY --from=kaniko /kaniko/ssl/certs/ /kaniko/ssl/certs/
COPY --from=kaniko /kaniko/.docker /kaniko/.docker
COPY --from=kaniko /etc/nsswitch.conf /etc/nsswitch.conf

ENV SSL_CERT_DIR=/kaniko/ssl/certs
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

#--------------------------------------------------------------------------------------------------
# Just move here, now, it's working 
#--------------------------------------------------------------------------------------------------
# Initial required packages
RUN \
  apt-get update && \
  apt-get install -y --no-install-recommends \
    ca-certificates \
    apt-utils \
    bash \
    curl \
    unzip \
    git \
    tzdata \
    gettext-base 

RUN  ln -s /kaniko/executor /usr/local/bin/kaniko

Triage Notes for the Maintainers

Description	Yes/No
Please check if this a new feature you are proposing	no
Please check if the build works in docker but not in kaniko	yes
Please check if this error is seen when you use --cache flag	yes
Please check if your dockerfile is a multistage dockerfile	yes

[emeric-martineau]

I found another case:

FROM gcr.io/kaniko-project/executor:v1.9.1 as kaniko

FROM ubuntu:22.04 as target

ENV TERM xterm
ENV DEBIAN_FRONTEND noninteractive

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN mkdir -p /kaniko/

COPY --from=kaniko /kaniko/executor /kaniko/executor
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr-env /kaniko/docker-credential-acr-env
COPY --from=kaniko /kaniko/ssl/certs/ /kaniko/ssl/certs/
COPY --from=kaniko /kaniko/.docker /kaniko/.docker
COPY --from=kaniko /etc/nsswitch.conf /etc/nsswitch.conf

ENV SSL_CERT_DIR=/kaniko/ssl/certs
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

RUN echo "ddd" > /toto

if I remove RUN mkdir -p /kaniko/ I don't have issue.

No issue if I use Docker to build