fix: use overlay whiteouts when extracting tar layers

pkg/overlay/pack.go

@@ -725,7 +725,9 @@ func unpackOne(l ispec.Descriptor, ociDir string, extractDir string) error {
 			return err
 		}
 
-		err = layer.UnpackLayer(extractDir, uncompressed, nil)
+		// always unpack with Overlay whiteout mode to prevent ignoring whiteouts in tar layers
+		// see test/publish.bats: "building from published images with whiteouts" for more details
+		err = layer.UnpackLayer(extractDir, uncompressed, &layer.UnpackOptions{WhiteoutMode: layer.OverlayFSWhiteout})
 		if err != nil {
 			if rmErr := os.RemoveAll(extractDir); rmErr != nil {
 				log.Errorf("Failed to remove dir '%s' after failed extraction: %v", extractDir, rmErr)

test/empty-layers.bats

@@ -77,6 +77,9 @@ EOF
 }
 
 @test "a real-world docker image with empty/filler layer" {
+    if [ "$PRIVILEGE_LEVEL" != "priv" ]; then
+        skip "requires privileges"
+    fi
     cat > stacker.yaml <<EOF
 image:
     from:

test/publish.bats

@@ -243,3 +243,35 @@ published:
 EOF
 
 }
+
+@test "building from published images with whiteouts" {
+  # This tests the case where an image is published after deleting some entries
+  # We expect that the published image can now be used to build another image,
+  # while respecting the whiteouts (due to deletion)
+  if [ -z "${REGISTRY_URL}" ]; then
+    skip "skipping test because no registry found in REGISTRY_URL env variable"
+  fi
+
+  cat > stacker.yaml <<EOF
+parent:
+  from:
+    type: docker
+    url: docker://ghcr.io/project-stacker/alpine:edge
+  run: |
+    rm -rf /etc/apk/repositories
+EOF
+  stacker build
+  stacker publish --skip-tls --url docker://${REGISTRY_URL} --tag latest
+  stacker clean
+
+  cat > stacker.yaml <<EOF
+child:
+  from:
+    type: docker
+    url: docker://${REGISTRY_URL}/parent:latest
+    insecure: true
+  run: |
+    [ ! -f /etc/apk/repositories ]
+EOF
+  stacker build
+}