cli with buildkit will ignore dockerignore's check

Created on 11 Jun 2019 · 5Comments · Source: docker/cli

Description
docker CLI with builkit enabled will ignore .dockerignore file's read errors.

Steps to reproduce the issue:

(MoeLove) ➜  x cat Dockerfile 
FROM scratch

COPY foo foo
COPY bar bar
(MoeLove) ➜  x ls 
bar  Dockerfile  foo
(MoeLove) ➜  x cat Dockerfile 
FROM scratch

COPY foo foo
COPY bar bar
(MoeLove) ➜  x ls -al .dockerignore 
----------. 1 tao tao 4 6月  12 02:10 .dockerignore
(MoeLove) ➜  x cat .dockerignore           
cat: .dockerignore: Permission denied
(MoeLove) ➜  x whoami
tao
(MoeLove) ➜  x docker build --no-cache -t local/ignore .
[+] Building 0.1s (6/6) FINISHED                                                                                 
 => [internal] load .dockerignore                                                                           0.0s
 => => transferring context: 91B                                                                            0.0s
 => [internal] load build definition from Dockerfile                                                        0.0s
 => => transferring dockerfile: 95B                                                                         0.0s
 => [internal] load build context                                                                           0.0s
 => => transferring context: 162B                                                                           0.0s
 => [1/2] COPY foo foo                                                                                      0.0s
 => [2/2] COPY bar bar                                                                                      0.0s
 => exporting to image                                                                                      0.0s
 => => exporting layers                                                                                     0.0s
 => => writing image sha256:5ae5f1e9c56ee852af6a47c0aa4fe78fba3853e720171047617e8b022f06f456                0.0s
 => => naming to docker.io/local/ignore                                                                     0.0s

Describe the results you received:

Build image successfully.

Describe the results you expected:

Build image failed.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

(MoeLove) ➜  x docker version                                                                                    
Client: Docker Engine - Community
 Version:           0.0.0-20190607210243-b93f571b01
 API version:       1.40   
 Go version:        go1.12.5 
 Git commit:        b93f571b01
 Built:             Sat Jun  8 07:31:22 2019
 OS/Arch:           linux/amd64
 Experimental:      true

Output of docker info:

(paste your output here)

Additional environment details (AWS, VirtualBox, physical, etc.):
physical

arebuilder

Source

tao12345666333

Most helpful comment

@tiborvass the problem looks to be that a user has a .dockerignore, but the CLI doesn't have permissions to read it, and then continues the build _without_ using the .dockerignore instead of failing the build

thaJeztah on 1 Jul 2019

👍3

All 5 comments

@tao12345666333 i'm curious to know what the usecase is for relying on the failure.

tiborvass on 1 Jul 2019

thaJeztah on 1 Jul 2019

👍3

yep. when I build image without buildkit enabled, it will failed and return permission denied.

tao12345666333 on 2 Jul 2019

I believe this is very inconsistent in old builder. Files in context ignores permission error and .dockerignore does not. So I guess this is completely accidental behavior. Buildkit standardizes this and uses the same code for all the files without exceptions.