buildkit 0.13+ breaks .dockerignore processing
Dockerfile:
```dockerfile
FROM alpine
WORKDIR /work
ADD ./ ./
RUN find
```
.dockerignore:
```
*
!/*/target/*.jar
```
this should effectively ignore the .git folder, and it does:
```shell
docker run -it --rm --privileged \
  -w $PWD -v $PWD:$PWD \
  --entrypoint buildctl-daemonless.sh \
  moby/buildkit:v0.12.5-rootless \
  build --frontend dockerfile.v0 --local context=. --local dockerfile=.
```
however, since v0.13.0, things are different, and you may not stumble upon this unless you have inaccessible files in the .git folder:
```shell
mkdir -p .git/home -m700
docker run --rm -w $PWD -v $PWD:$PWD --entrypoint sh alpine -c 'chown root:root .git/home'
ls -la .git
```
now, run build with v0.12.5-rootless, it works 🆗
but v0.13.0-rootless fails ⛔
```
error: failed to solve: error from sender: open .git/home: permission denied
```
so does latest v0.15.1-rootless ⛔
while this seems a weird use case, it may happen that you have inaccessible files anywhere in working tree.
and since you work with containers, it may easily happen
```shell
docker run -w $PWD -v $PWD:$PWD alpine sh -c 'install -d local -m700'
ls -ld local
```
obvious solution is to ignore such files/folders, but as documented in this issue, it may not always work
@patrikbeno Can you find reproducer instructions without using the rootless image? I tried with docker buildx but I always get the permission denied error. Even in v0.12.5.
```
# cat Dockerfile
from alpine
copy . .
#
# cat .dockerignore
*
!/*/target/*.jar
#
# ls -lha .
total 16
drwxr-xr-x 5 tonistiigi wheel 160B Aug 23 16:45 .
drwxrwxrwt@ 307 root wheel 9.6K Aug 23 16:45 ..
-rw-r--r-- 1 tonistiigi wheel 19B Aug 23 16:45 .dockerignore
dr-------- 9 root wheel 288B Aug 23 16:35 .git
-rw-r--r-- 1 tonistiigi wheel 21B Aug 23 16:45 Dockerfile
#
# docker buildx build .
[+] Building 0.1s (1/1) FINISHED docker-container:bold_maxwell
=> ERROR [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 43B 0.0s
------
> [internal] load build definition from Dockerfile:
------
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
WARNING: current commit information was not captured by the build: failed to read current commit information with git rev-parse --is-inside-work-tree
ERROR: failed to solve: failed to read dockerfile: error from sender: failed to xattr .git: permission denied
```
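A pre-build check for the situation discussed in this thread, as an added example that is not code from the issue or from BuildKit: it walks a build context and lists every entry that a given uid could not open, whether or not `.dockerignore` would exclude it. `can_open` and `find_inaccessible` are hypothetical names, and the check assumes classic owner/group/other mode bits only (ACLs and capabilities are ignored).

```python
import os
import stat
import sys


def can_open(st, uid, gids):
    """Classic Unix mode-bit check of an lstat() result for one uid and gid set.

    Assumption of this example: ACLs and capabilities are ignored, uid 0 passes.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7   # owner triplet
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7   # group triplet
    else:
        bits = st.st_mode & 7          # other triplet
    need = 5 if stat.S_ISDIR(st.st_mode) else 4  # dirs: r+x, everything else: r
    return bits & need == need


def find_inaccessible(context, uid=None, gids=None):
    """Return sorted context-relative paths that `uid` could not open."""
    uid = os.getuid() if uid is None else uid
    gids = {os.getgid(), *os.getgroups()} if gids is None else set(gids)
    blocked, stack = [], [context]
    while stack:
        path = stack.pop()
        try:
            st = os.lstat(path)
            if not can_open(st, uid, gids):
                raise PermissionError(path)
            if stat.S_ISDIR(st.st_mode):
                stack.extend(entry.path for entry in os.scandir(path))
        except PermissionError:
            # Either the simulated uid or this process itself is locked out;
            # nothing below such a directory is inspected.
            blocked.append(os.path.relpath(path, context))
    return sorted(blocked)


if __name__ == "__main__":
    # Usage: python check_context.py [context_dir] [uid]
    ctx = sys.argv[1] if len(sys.argv) > 1 else "."
    who = int(sys.argv[2]) if len(sys.argv) > 2 else None
    hits = find_inaccessible(ctx, uid=who, gids=None if who is None else [])
    for rel in hits:
        print("not readable:", rel)
    sys.exit(1 if hits else 0)
```

Passing a uid on the command line checks the context against the account the builder runs as rather than the invoking user; a non-zero exit status makes it usable as a CI gate before the build step.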