Allow `buildkit` build in `az acr build`
What is the problem you're trying to solve
I'd like to use new BuildKit features in my Dockerfile.
Describe the solution you'd like
It would be nice to have an argument to use BuildKit build in acr build task, e.g. `--buildkit`.
Additional context
Related issue: https://github.com/apache/airflow/issues/27690
Are there any updates on this feature? We need buildkit to be working on acr for one of our publish functionalities.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
Is it very hard to implement this?
Any update on this?
Why is there no update on this for a year?
Apologies for the delay, our team is looking into this.
I believe you can only do it using the ACR task template, as a wrapper for the "docker build" command, which runs in a "build" step on the ACR agent.
```yaml
version: v1.1.0
steps:
  - id: <task-name>
    build: --tag $Registry/<image-name>:$ID --file <path-to-dockerfile> . --build-arg SOMETHING={{.Values.SOMETHING}}
    when: ["-"]
    env:
      - DOCKER_BUILDKIT=1
```
It appears to be working for me in a similar use-case.
@terencet-dev Sorry to nudge again, but is there any word on buildkit being supported?
Not being able to use mounts (esp. for secret/ssh) is proving to be a major feature gap in acr.
So by combining some answers here and from StackOverflow:
acr-build-file.yml
```yaml
version: v1.1.0
steps:
  - build: -t $Registry/{{.Values.image}} --file <path_to_your_Dockerfile> .
    env:
      - DOCKER_BUILDKIT=1
  - push:
      - "$Registry/{{.Values.image}}"
```
Command to use
```bash
cd <source_folder>
# The -f path must point at the task file shown above.
az acr run \
  -f ./acr-build-file.yml \
  --registry <acr_name> \
  --set image="<image_name>:<image_tag>" .
```
It worked for me.
Any news on this?
Hello--we are also wondering about buildkit support in ACR. Any update?
As of the moment, we don't have plans to support the flag. However, buildkit is supported through the steps that @doanduyhai showed above.
Ran into this issue today. Here's my acr-task.yml file that got the job done. If there's a better way around this, please let me know.
```yaml
# This is necessary because `az acr build` with the `--secret-build-arg` flag fails with a "the --mount option requires BuildKit" error message.
# @see https://github.com/Azure/acr/issues/721
# @see https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tasks-reference-yaml
version: v1.1.0
steps:
  - build: >-
      -t $Registry/{{.Values.IMAGE_REPO}}:{{.Values.tag}}
      -f Dockerfile
      .
      --secret id=github_token,env=GITHUB_TOKEN
    env:
      - DOCKER_BUILDKIT=1
      - GITHUB_TOKEN={{.Values.GITHUB_TOKEN}}
  - push:
      - $Registry/{{.Values.IMAGE_REPO}}:{{.Values.tag}}
```
Then the associated GitHub Workflow step:
```yaml
# - I originally tried passing the `--secret-build-arg` flag to `az acr build`, but the step fails with a "the --mount option requires BuildKit" error message.
# - Using the `--build-arg` flag with `az acr build` would expose the secret in the image layers, which is not secure.
# - So, this step uses `az acr run` with an `acr-task.yml` file because we need to be able to use Docker BuildKit features in our Dockerfile to securely pass the GitHub token as a secret mount.
# @see https://github.com/Azure/acr/issues/721
# @see https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tasks-reference-yaml
- name: Build image
  run: |
    az acr run \
      --registry "$ACR_NAME" \
      --file acr-task.yml \
      --set tag="${{ steps.meta.outputs.tag }}" \
      --set IMAGE_REPO="${IMAGE_REPO}" \
      --set GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
      .
```
And, for full context, the Dockerfile:
```dockerfile
# syntax=docker/dockerfile:1.7
FROM node:24-alpine3.21 AS deps
WORKDIR /usr/src/app
# Make base tools available for native modules if needed (kept minimal).
RUN apk add --no-cache libc6-compat
# Copy only files needed for dependency resolution for better caching.
COPY package.json package-lock.json ./
COPY .npmrc ./
# Install dependencies. Use a secret mount for GITHUB_TOKEN instead of ARG or ENV to avoid leaking it in image layers. This requires BuildKit to be enabled.
RUN --mount=type=secret,id=github_token \
    GITHUB_TOKEN=$(cat /run/secrets/github_token) \
    npm ci --ignore-scripts --no-audit --fund=false
```
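A pre-build check for the pattern discussed in this thread, added here as an example (it is not code from the thread or from Azure): it flags secret-looking `ARG`/`ENV`/`--build-arg` names and verifies that every `--mount=type=secret` id in the Dockerfile has a matching `--secret id=` and `DOCKER_BUILDKIT=1` in the ACR task file. The function name `audit`, the name heuristic and the sample inputs are assumptions made for the example.

```python
import re

# Names that suggest a credential (heuristic chosen for this example).
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|PRIVATE_?KEY", re.I)

def _strip_comments(text):
    return re.sub(r"^\s*#.*$", "", text, flags=re.M)

def _ids(text, flag_regex, want_type=None):
    """Collect id= values from comma-separated key=value option strings."""
    ids = set()
    for spec in re.findall(flag_regex, text):
        opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
        if "id" in opts and (want_type is None or opts.get("type") == want_type):
            ids.add(opts["id"])
    return ids

def audit(dockerfile, task_yaml):
    """Return findings for a Dockerfile and the ACR task file that builds it."""
    df, task = _strip_comments(dockerfile), _strip_comments(task_yaml)
    findings = []
    # ARG/ENV values can be read back from the image, so flag secret-like names.
    for instr, name in re.findall(r"^\s*(ARG|ENV)\s+(\w+)", df, re.M | re.I):
        if SECRET_NAME.search(name):
            findings.append(f"Dockerfile: {instr.upper()} {name} is visible in image history/config")
    for name in re.findall(r"--build-arg[ =]+(\w+)", task):
        if SECRET_NAME.search(name):
            findings.append(f"task: --build-arg {name} passes a secret as a build arg")
    # RUN --mount=type=secret needs BuildKit and a matching --secret id.
    mounted = _ids(df, r"--mount=(\S+)", want_type="secret")
    supplied = _ids(task, r"--secret[ =]+(\S+)")
    if mounted and not re.search(r"^\s*-\s*[\"']?DOCKER_BUILDKIT=1[\"']?\s*$", task, re.M):
        findings.append("task: secret mount used but DOCKER_BUILDKIT=1 is not set")
    findings += [f"task: no --secret id={i} for the Dockerfile mount" for i in sorted(mounted - supplied)]
    return findings

# Constructed sample inputs (not taken from the thread).
BAD_DOCKERFILE = "FROM node:24-alpine3.21\nARG GITHUB_TOKEN\nRUN npm ci\n"
BAD_TASK = "steps:\n  - build: -t $Registry/app:1 --build-arg GITHUB_TOKEN={{.Values.GITHUB_TOKEN}} .\n"
GOOD_DOCKERFILE = ("FROM node:24-alpine3.21\n"
                   "RUN --mount=type=secret,id=github_token \\\n"
                   "    GITHUB_TOKEN=$(cat /run/secrets/github_token) npm ci\n")
GOOD_TASK = ("steps:\n  - build: -t $Registry/app:1 . --secret id=github_token,env=GITHUB_TOKEN\n"
             "    env:\n      - DOCKER_BUILDKIT=1\n      - GITHUB_TOKEN={{.Values.GITHUB_TOKEN}}\n")

if __name__ == "__main__":
    for f in audit(BAD_DOCKERFILE, BAD_TASK) + audit(GOOD_DOCKERFILE, GOOD_TASK.replace("=1", "=0")):
        print(f)
```

The check is text-based and does not parse YAML, so it expects the `env:` entries in the list form used in the task files above.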