COPY cache not re-used depending on SELinux environment #1330

Closed
56KBs opened this issue Jan 15, 2020 · 3 comments · Fixed by #1393

56KBs commented Jan 15, 2020

Opened as requested by @thaJeztah in moby/moby#39003 (comment)

When attempting to docker build with --cache-from, the cache for COPY (and presumably ADD) commands is ignored if the two systems do not both use SELinux.

For example, if you were to build an image on Ubuntu (No SELinux) and use the image as a cache in CentOS (SELinux enabled by default), the cache is ignored for COPY commands. The same is true vice-versa.

To reproduce

I have done the following on Ubuntu 18.04 with Docker 19.03.5

FROM debian:stretch-slim
RUN ls -l
COPY ./this-is-a-file ./
RUN ls -l

And then

echo "this is a file" > this-is-a-file
DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 --tag invalid-cache:ubuntu -f Dockerfile .

Push this image to a docker repository somewhere.

Then on a CentOS machine (Or anything with SELinux), create the same Dockerfile and run:

echo "this is a file" > this-is-a-file
docker pull debian:stretch-slim
docker pull invalid-cache:ubuntu
DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 --cache-from invalid-cache:ubuntu --tag invalid-cache:centos -f Dockerfile .

You'll see that the cache isn't used for the COPY command. I have assumed this is due to the SELinux permissions: if you build the same image on the same machine with SELinux where this-is-a-file has a different security context, you'll notice the same issue.

@websolutions-hamburg

Is this fix already included in the current Docker Release v19.03.8? I still have this issue with my local Mac OS v10.14 and Ubuntu v18.04.

@mttradebyte

I too have the same issue running v19.03.9 on macOS and Ubuntu. Both machines produce reproducible image IDs when using --cache-from, but they differ between the two systems.

It looks like moby/moby references buildkit commit ae7ff71 which does include this change, so I'm confused why it's still creating differing IDs between the 2 systems.

@tonistiigi sorry for the @, but is there any chance you can confirm whether this is currently in docker-ce v19.03.9? A couple of us are still having issues and would just like to know if it's something else or indeed the same issue due to it not being released yet. Thanks.

@tonistiigi
Member

This fix is not in 19.03

thaJeztah added a commit to thaJeztah/docker that referenced this issue Jul 16, 2020
full diff: moby/buildkit@dc6afa0...4cb720e

- contenthash: ignore system and security xattrs in calculation
    - fixes moby/buildkit#1330 COPY cache not re-used depending on SELinux environment
    - fixes moby#39003 (comment)
- contenthash: allow security.capability in cache checksum
- inline cache: fix handling of duplicate blobs
    - fixes moby/buildkit#1388 cache-from working unreliably

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jul 17, 2020
full diff: moby/buildkit@dc6afa0...4cb720e

- contenthash: ignore system and security xattrs in calculation
    - fixes moby/buildkit#1330 COPY cache not re-used depending on SELinux environment
    - fixes moby/moby#39003 (comment)
- contenthash: allow security.capability in cache checksum
- inline cache: fix handling of duplicate blobs
    - fixes moby/buildkit#1388 cache-from working unreliably

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 23d47bd12eaeeb93bbc4e9e80020c811e9eb2980
Component: engine
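
The rule stated in the commit messages above (ignore system and security xattrs in the checksum, but still allow security.capability) can be illustrated with a simplified content hash. This is an added example, not BuildKit's contenthash code: the `fileMeta` type, the `keepXattr`, `checksum` and `sample` helpers and the SELinux label value are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// fileMeta is a hypothetical, simplified stand-in for what a cache checksum covers.
type fileMeta struct {
	Name   string
	Xattrs map[string]string
	Data   []byte
}

// keepXattr drops host-dependent system.* and security.* xattrs, but keeps
// security.capability, because file capabilities change what the file can do.
func keepXattr(name string) bool {
	return name == "security.capability" ||
		(!strings.HasPrefix(name, "system.") && !strings.HasPrefix(name, "security."))
}

// checksum hashes name, sorted xattrs and data; filter=false is the reported behaviour.
func checksum(f fileMeta, filter bool) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00", f.Name)
	var keys []string
	for k := range f.Xattrs {
		if !filter || keepXattr(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Fprintf(h, "%s\x00%s\x00", k, f.Xattrs[k])
	}
	h.Write(f.Data)
	return fmt.Sprintf("%x", h.Sum(nil))
}

// sample builds the constructed test file from the issue with the given xattrs.
func sample(xattrs map[string]string) fileMeta {
	return fileMeta{Name: "this-is-a-file", Xattrs: xattrs, Data: []byte("this is a file\n")}
}

func main() {
	a, b := sample(nil), sample(map[string]string{"security.selinux": "system_u:object_r:container_file_t:s0"})
	fmt.Println(checksum(a, false) == checksum(b, false), checksum(a, true) == checksum(b, true))
}
```

With filtering on, the file hashes the same on a host with and without an SELinux label, while a file carrying security.capability still gets a different checksum from one without it.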