When creating a base container, Docker does not unpack a local tarball as expected when using the ADD directive if the tarball contains files with capabilities referenced in xattr, but instead includes the tarball whole in the container.
I have created two tarballs that demonstrate this behavior, located at http://people.centos.org/jperrin/tars/
The bad behavior can be seen when using those two tarballs with a very simple Dockerfile...
FROM scratch
MAINTAINER me
ADD replace-with-tarball-name /
CMD ["/bin/bash"]
Both builds will complete; however, one will be roughly 197MB in size, while the other will be 42MB or so. If you examine the contents of the smaller container via docker export | tar -t, you'll see that the tarball is included rather than unpacked.
This breakage appears to be the result of the file capabilities on /usr/bin/ping and a few other binaries inside the tarball.
The tarball that unpacks successfully was created with tar -C /mnt/ -Jcf centos-img.tar.xz . which does not preserve xattr info by default.
The tarball that fails to be properly unpacked via the ADD was created with tar --xattrs -C /mnt/ -Jcf centos-img.tar.xz .
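To check which members of an archive carry file capabilities before handing it to ADD, the pax extended headers can be listed directly. This is an added example, not code from the report or from Docker; it assumes the `SCHILY.xattr.` pax key prefix that GNU tar writes with `--xattrs`, and the sample archive and capability value are constructed.

```python
import io
import sys
import tarfile

XATTR_PREFIX = "SCHILY.xattr."  # pax key prefix written by GNU tar --xattrs
# Constructed 20-byte security.capability value (not taken from the report's tarballs)
SAMPLE_CAP = "\x01\x00\x00\x02\x00\x30\x00\x00" + "\x00" * 12


def xattr_members(fileobj):
    """Map each member name to the sorted xattr names stored in its pax headers."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:  # r:* also reads .tar.xz
        for member in tar:
            names = sorted(key[len(XATTR_PREFIX):] for key in member.pax_headers
                           if key.startswith(XATTR_PREFIX))
            if names:
                found[member.name] = names
    return found


def capability_members(fileobj):
    """Names of members that carry a security.capability xattr."""
    return sorted(name for name, attrs in xattr_members(fileobj).items()
                  if "security.capability" in attrs)


def build_sample(with_xattrs):
    """Build a small in-memory pax archive standing in for the two tarballs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in ("usr/bin/ping", "usr/bin/ls"):
            info = tarfile.TarInfo(name)
            info.mode = 0o755
            if with_xattrs and name.endswith("ping"):
                info.pax_headers = {XATTR_PREFIX + "security.capability": SAMPLE_CAP}
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With a path argument, inspect that archive; otherwise use the constructed one.
    source = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample(True)
    with source:
        for name, attrs in sorted(xattr_members(source).items()):
            print(name, ", ".join(attrs))
```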