"COPY . ." command in Dockerfile does not copy all contents when using Kaniko. #2684

Open
iuriemuradu opened this issue Aug 16, 2023 · 4 comments
Labels: area/documentation, differs-from-docker, kind/bug, kind/question, priority/p2

iuriemuradu commented Aug 16, 2023

Actual behavior
When utilizing the "COPY . ." command in my Dockerfile, Kaniko does not seem to copy all the contents of the repository into the container.

Expected behavior
All contents of the repository should be copied into the container when using the "COPY . ." command.

To Reproduce
Steps to reproduce the behavior:

  1. Use a Dockerfile with the command "COPY . ."
  2. Build the image using Kaniko

Dockerfile

    FROM python:3.8-slim as builder
    RUN mkdir src
    RUN mkdir src/results
    COPY src/ /src
    WORKDIR /src
    ENV PYTHONDONTWRITEBYTECODE 1
    ENV PYTHONUNBUFFERED 1
    RUN apt-get update && \
        apt-get install -y --no-install-recommends build-essential vim curl

    # <<-- HERE (next line)
    COPY . .

    RUN pip wheel --no-cache-dir --no-deps --wheel-dir /src/wheels -r requirements.txt
    # final stage
    FROM python:3.8-slim as proc_stage
    ENV PYTHONPATH "${PYTHONPATH}:/"
    ENV CONF_SRC_DIR /mnt
    ENV CONF_DST_DIR /src
    COPY --from=builder /src/wheels /wheels
    COPY --from=builder /src/requirements.txt .
    ADD files/run.sh /run.sh
    RUN pip install --no-cache /wheels/*

    # <<-- HERE (next line)
    COPY . .

    RUN ls -la
    WORKDIR /
    HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health
    ENTRYPOINT [ "bash","run.sh" ]

Kaniko Image
gcr.io/kaniko-project/executor:v1.14.0

aaron-prindle (Collaborator) commented Aug 16, 2023

Thank you for flagging this issue @iuriemuradu. Kaniko by default has a set of "denylist" root fs paths that kaniko ignores when snapshotting the filesystem. This flag is an example of this:
https://github.com/GoogleContainerTools/kaniko#flag---ignore-var-run

The flag explains that by default, kaniko ignores changes in /var/run when doing snapshot operations (changes made via COPY, ADD, etc.)

Currently users can tweak the denylist using the flag options available. This might be a potential workaround assuming the missing files are in one of the dirs the flags support (namely /var/run):
https://github.com/GoogleContainerTools/kaniko#flag---ignore-var-run
https://github.com/GoogleContainerTools/kaniko#flag---ignore-path

Related code for this denylist is here:
https://github.com/GoogleContainerTools/kaniko/blob/main/pkg/util/fs_util.go#L61-L78
https://github.com/GoogleContainerTools/kaniko/blob/main/pkg/util/fs_util.go#L1032-L1046
https://github.com/GoogleContainerTools/kaniko/blob/main/pkg/util/fs_util.go#L449-L490

and is described as:

    // InitIgnoreList will initialize the ignore list using:
    // - defaultIgnoreList
    // - mounted paths via DetectFilesystemIgnoreList()

Running kaniko in a docker container via:

    docker run \
        -v "$HOME"/.config/gcloud:/root/.config/gcloud \
        -v "$context":/workspace \
        gcr.io/kaniko-project/executor:latest \
        --dockerfile "${dockerfile}" --destination "${destination}" --context dir:///workspace/ \
        --cache="${cache}"

The denylist looks something like the below:

    /kaniko
    /etc/mtab
    /tmp/apt-key-gpghome
    /var/run
    /proc
    /dev
    /dev/pts
    /sys
    /sys/fs/cgroup
    /dev/mqueue
    /dev/shm
    /workspace
    /etc/resolv.conf
    /etc/hostname
    /etc/hosts
    /root/.config/gcloud
    /proc/bus
    /proc/fs
    /proc/irq
    /proc/sys
    /proc/sysrq-trigger
    /proc/acpi
    /proc/kcore
    /proc/keys
    /proc/timer_list
    /sys/firmware
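
A simplified model of the denylist described in the comment above (static entries plus mount points), as an added example that is not kaniko's own code. The `defaultIgnore` entries are assumed from the first lines of the list above, the mountinfo sample is constructed, and `buildIgnoreList` and `ignoredBy` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format; field 5 is the mount point.
const sampleMountinfo = `100 90 0:50 / / rw,relatime - overlay overlay rw
101 100 0:51 / /proc rw,nosuid - proc proc rw
102 100 8:1 /home/ci/app /workspace rw,relatime - ext4 /dev/sda1 rw
103 100 8:1 /home/ci/.config/gcloud /root/.config/gcloud rw,relatime - ext4 /dev/sda1 rw`

// Assumed static entries, taken from the head of the list shown above.
var defaultIgnore = []string{"/kaniko", "/etc/mtab", "/tmp/apt-key-gpghome", "/var/run"}

// buildIgnoreList returns the static entries plus every mount point except "/".
func buildIgnoreList(mountinfo string) []string {
	list := append([]string{}, defaultIgnore...)
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[4] == "/" {
			continue // malformed line, or the root mount itself
		}
		list = append(list, f[4])
	}
	return list
}

// ignoredBy returns the entry covering path ("" if none). Matching is per
// path component, so /workspace covers /workspace/app but not /workspace2.
func ignoredBy(path string, list []string) string {
	for _, e := range list {
		if path == e || strings.HasPrefix(path, strings.TrimSuffix(e, "/")+"/") {
			return e
		}
	}
	return ""
}

func main() {
	list := buildIgnoreList(sampleMountinfo)
	for _, p := range []string{"/src/app.py", "/workspace/app.py", "/root/.config/gcloud/credentials.db", "/workspace2/x"} {
		fmt.Printf("%-40s ignored by %q\n", p, ignoredBy(p, list))
	}
}
```

In this model the two `-v` bind mounts from the `docker run` command above show up as `/workspace` and `/root/.config/gcloud`, so anything written beneath them is left out of a snapshot.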

aaron-prindle (Collaborator) commented Aug 16, 2023

From the issue here I believe the actionable pieces here include:

  • better documenting kaniko's denylist and citing this as a point of possible friction in documentation
  • leave this issue open to track potential fixes here

aaron-prindle added the kind/question, kind/bug, area/documentation, priority/p2, works-with-docker and differs-from-docker labels and removed the works-with-docker label on Aug 17, 2023.

iuriemuradu (Author) commented

Thank you so much @aaron-prindle for your answer,
Nevertheless I am still not sure how this can help me use COPY . . as intended, or maybe at this phase of development it is not even possible.
I would appreciate if you could bring more light on that particular issue that I have posted.
Thank you so much for your effort.

iuriemuradu (Author) commented

Actually I tried --ignore-path include path that I need to be copied and still the files are not preserved
