[BUG] docker-compose fails to build when selinux is enabled

[eledu81]

Description

Related to issue #9405

Steps To Reproduce

1. Create a Dockerfile

FROM alpine:3.17.1
RUN set -x && apk add -u bash

2. Create compose.yml

services:
  test:
    image: test
    build: .

3. Run docker-compose create

[+] Running 0/1
 ⠿ test Warning                                                                                                                                  2.7s
[+] Building 1.7s (5/5) FINISHED
 => [internal] load build definition from Dockerfile                                                                                             0.0s
 => => transferring dockerfile: 90B                                                                                                              0.0s
 => [internal] load .dockerignore                                                                                                                0.0s
 => => transferring context: 2B                                                                                                                  0.0s
 => [internal] load metadata for docker.io/library/alpine:3.17.1                                                                                 0.9s
 => CACHED [1/2] FROM docker.io/library/alpine:3.17.1@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a                    0.0s
 => ERROR [2/2] RUN set -x && apk add -u bash                                                                                                    0.6s
------
 > [2/2] RUN set -x && apk add -u bash:
#0 0.602 + apk add -u bash
#0 0.628 ERROR: Unable to lock database: Permission denied
#0 0.628 ERROR: Failed to open apk database: Permission denied
------
failed to solve: executor failed running [/bin/sh -c set -x && apk add -u bash]: exit code: 99

Compose Version

Docker Compose version v2.15.1

Docker Environment

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 20.10.20
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: /usr/libexec/docker/docker-init
 containerd version:
 runc version:
 init version:
 Security Options:
  seccomp
   Profile: default
  selinux
  cgroupns
 Kernel Version: 6.0.15-300.fc37.x86_64
 Operating System: Fedora CoreOS 37.20221225.3.0
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.825GiB
 Name: localhost.localdomain
 ID: ENB4:GTWH:IX6N:OWLX:3DIJ:VKBZ:WOV5:N4XZ:GOJD:BIF5:AUJF:DPNJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

Anything else?

• Building the image with docker build doesn't fail
• Disabling SELinux in the OS fixes the problem

[ndeloof]

does docker buildx build successfully build this Dockerfile with the same SELinux-enabled Docker engine?

[eledu81]

does docker buildx build successfully build this Dockerfile with the same SELinux-enabled Docker engine?

buildx also fails

[+] Building 5.2s (5/5) FINISHED
 => [internal] load build definition from Dockerfile                                                                                   0.1s
 => => transferring dockerfile: 145B                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                      0.0s
 => => transferring context: 2B                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/alpine:3.17.1                                                                       3.1s
 => [1/2] FROM docker.io/library/alpine:3.17.1@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a                 1.1s
 => => resolve docker.io/library/alpine:3.17.1@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a                 0.0s
 => => sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a 1.64kB / 1.64kB                                         0.0s
 => => sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0 528B / 528B                                             0.0s
 => => sha256:042a816809aac8d0f7d7cacac7965782ee2ecac3f21bcf9f24b1de1a7387b769 1.47kB / 1.47kB                                         0.0s
 => => sha256:8921db27df2831fa6eaa85321205a2470c669b855f3ec95d5a3c2b46de0442c9 3.37MB / 3.37MB                                         0.6s
 => => extracting sha256:8921db27df2831fa6eaa85321205a2470c669b855f3ec95d5a3c2b46de0442c9                                              0.3s
 => ERROR [2/2] RUN set -x && apk add -u bash                                                                                          0.7s
------
 > [2/2] RUN set -x && apk add -u bash:
#0 0.632 + apk add -u bash
#0 0.646 ERROR: Unable to lock database: Permission denied
#0 0.648 ERROR: Failed to open apk database: Permission denied
------
ERROR: failed to solve: executor failed running [/bin/sh -c set -x && apk add -u bash]: exit code: 99

[ndeloof]

ok, then this issue should be reported or transferred to docker/buildx

[laurazard]

@eledu81 In the meantime, you can use the DOCKER_BUILDKIT environment variable with Compose to disable BuildKit, such as DOCKER_BUILDKIT=0 docker compose build/create/up/...

[eledu81]

ok, then this issue should be reported or transferred to docker/buildx

Reported to buildx. Thanks