Reject building new images named "scratch"

[aep-sunlife]

Description

Docker should not allow images to be named scratch, as that may lead to accidents.

Docker (and Kubernetes) should warn when interacting with images that spoof the stock scratch image.

[thaJeztah]

Do you have a specific example where this causes issues?

It's indeed possible to tag an image scratch (although it would be tagged docker.io/library/scratch:latest behind the scenes), which would be able to be run as a container using docker run;

Without a custom scratch image;

docker run --rm scratch echo foo
Unable to find image 'scratch:latest' locally
docker: Error response from daemon: 'scratch' is a reserved name

After creating a fake scratch image, docker run would work;

docker image tag busybox scratch

docker image ls
REPOSITORY       TAG               IMAGE ID       CREATED        SIZE
busybox          latest            a5d0ce49aa80   4 months ago   35.9MB
scratch          latest            a5d0ce49aa80   4 months ago   35.9MB

docker run --rm scratch echo foo
foo

However, when trying to use that as base image as part of a docker build, it would fail, as docker build would treat scratch as the special case (start without a base image);

With BuildKit enabled;

echo -e 'FROM scratch\nRUN echo hello > foo.txt\n' | docker build -t fromscratch -
[+] Building 0.2s (3/3) FINISHED                                                                                      docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                                                  0.0s
 => => transferring dockerfile: 76B                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                     0.0s
 => => transferring context: 2B                                                                                                       0.0s
 => ERROR [1/1] RUN echo hello > foo.txt                                                                                              0.1s
------
 > [1/1] RUN echo hello > foo.txt:
0.121 runc run failed: unable to start container process: error during container init: exec: "/bin/sh": stat /bin/sh: no such file or directory
------
Dockerfile:2
--------------------
   1 |     FROM scratch
   2 | >>> RUN echo hello > foo.txt
   3 |
   4 |
--------------------
ERROR: failed to solve: process "/bin/sh -c echo hello > foo.txt" did not complete successfully: exit code: 1

With the legacy builder;

echo -e 'FROM scratch\nRUN echo hello > foo.txt\n' | DOCKER_BUILDKIT=0 docker build -t scratchie -
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM scratch
 --->
Step 2/2 : RUN echo hello > foo.txt
 ---> Running in d8e3988cca1a
failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: exec: "/bin/sh": stat /bin/sh: no such file or directory: unknown