buildah
build can update an existing image incorrectly when the Dockerfile should use different environment variables
Issue Description
Build args passed in and used to define an environment variable do not get properly set when building the image.
In my case
- building an image using build args
- build arg used to define an environment variable
- environment variable also used in the CMD declaration
Results in each build using the same Dockerfile, with different values, adding additional names/tags to the first image that was built with the Dockerfile.
```
podman version
Client: Podman Engine
Version: 4.8.3
API Version: 4.8.3
Go Version: go1.21.5
Built: Wed Jan 3 06:11:40 2024
OS/Arch: linux/amd64
```
```
rpm -q podman
podman-4.8.3-1.fc39.x86_64
```
Steps to reproduce the issue
- Create a Dockerfile that uses ARG, ENV and CMD
```
FROM alpine:latest
ARG VERSION
ENV VERSION=${VERSION}
CMD ["echo", "${VERSION}"]
```
- Run podman build
```
podman build . --file Dockerfile --build-arg=VERSION="v1" --tag test-image-v1
```
- Run podman build
```
podman build . --file Dockerfile --build-arg=VERSION="v2" --tag test-image-v2
```
- Observe the odd output after building the second image:
```
Successfully tagged localhost/test-image-v2:latest
Successfully tagged localhost/test-image-v1:latest
46f3aaa11f7e9dd3caf28a2d485e527f6123169cd61f9ae9305de601175b7bb0
```
Describe the results you received
After building the second image the first image is seen as an identical build. Upon inspection of the images it can be determined that the `--build-arg=VERSION="v2"` did not get properly handled:
```
podman image inspect localhost/test-image-v1:latest | jq '.[].Config.Env[1]'
"VERSION=v1"
podman image inspect localhost/test-image-v2:latest | jq '.[].Config.Env[1]'
"VERSION=v1"
```
Describe the results you expected
The test-image-v2 should have `"VERSION=v2"` defined in the configuration, not `"VERSION=v1"`, and should not update the image names and/or tags of the first image built from the Dockerfile.
podman info output
```
host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 69.22
    systemPercent: 7.07
    userPercent: 23.71
  cpus: 12
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "39"
  eventLogger: journald
  freeLocks: 1913
  hostname: tbtpx1e2.local
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.5.11-300.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1129353216
  memTotal: 33261834240
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns:
      package: podman-plugins-4.8.3-1.fc39.x86_64
      path: /usr/libexec/cni/dnsname
      version: |-
        CNI dnsname plugin
        version: 1.3.1
        commit: unknown
    package: |-
      containernetworking-plugins-1.3.0-3.fc39.x86_64
      podman-plugins-4.8.3-1.fc39.x86_64
    path: /usr/libexec/cni
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231204.gb86afe3-1.fc39.x86_64
    version: |
      pasta 0^20231204.gb86afe3-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 43103162368
  swapTotal: 43251654656
  uptime: 512h 8m 36.00s (Approximately 21.33 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/trevorbenson/.config/containers/storage.conf
  containerStore:
    number: 39
    paused: 0
    running: 0
    stopped: 39
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/trevorbenson/.local/share/containers/storage
  graphRootAllocated: 844345794560
  graphRootUsed: 746514149376
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2931
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/trevorbenson/.local/share/containers/storage/volumes
version:
  APIVersion: 4.8.3
  Built: 1704291100
  BuiltTime: Wed Jan 3 06:11:40 2024
  GitCommit: ""
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.3
```
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
- I am running Fedora 39.
- I mentioned rootless for the Privileged Or Rootless question about running the container, but I mean rootless for building the container.
Additional information
- The issue appears to be persistent, or at least I have not observed an instance where it does not occur.
- This appears to be a difference between podman and docker (or I suppose more accurately buildah and docker?).
  - When building with `docker build` using version 23.0.4 with docker api version 1.42, on an Ubuntu 22.04 system this does not occur.
  - Each image, test-image-v1:latest and test-image-v2:latest, is unique and contains the environment variable as defined from `--build-arg` in its configuration definition.
- I suspect the example to use the environment variable in the final CMD was invalid instead of using an ENTRYPOINT script that would consume the environment variable, as both podman and docker result in an echo of `${VERSION}`. However different environment variables still result in unique images being built under docker, and result in an update of name/tags under podman (buildah?).
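A post-build check for the symptom reported above, as an added example that is not part of the original issue or of podman/buildah: it reads `podman image inspect` JSON and flags tags whose `Config.Env` does not match the `--build-arg` they were built with, or that share an image ID with a tag built from different args. The sample JSON, its placeholder ID and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `podman image inspect` JSON in which both tags
# from the report resolve to one image. The ID is a placeholder, not a real digest.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0" * 64,
    "RepoTags": ["localhost/test-image-v2:latest", "localhost/test-image-v1:latest"],
    "Config": {"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                       "VERSION=v1"]},
}])

def env_of(image):
    """Return Config.Env as a dict so variables are matched by name, not index."""
    entries = (image.get("Config") or {}).get("Env") or []
    return dict(entry.partition("=")[::2] for entry in entries)

def audit_builds(inspect_json, expected):
    """Compare inspected images with the build args each tag was built with.

    expected maps tag -> {variable: value passed via --build-arg}.
    Returns a list of findings; an empty list means the tags are consistent.
    """
    by_tag = {}
    for image in json.loads(inspect_json):
        for tag in image.get("RepoTags") or []:
            by_tag[tag] = image
    findings, first_tag_for_id = [], {}
    for tag, want in sorted(expected.items()):
        image = by_tag.get(tag)
        if image is None:
            findings.append(f"{tag}: not present in inspect output")
            continue
        have = env_of(image)
        for name, value in sorted(want.items()):
            if have.get(name) != value:
                findings.append(f"{tag}: {name}={have.get(name)!r}, expected {value!r}")
        # Tags built from different args must not resolve to the same image ID.
        other = first_tag_for_id.setdefault(image["Id"], tag)
        if other != tag and expected[other] != want:
            findings.append(f"{tag}: same image ID as {other} despite different build args")
    return findings

if __name__ == "__main__":
    for finding in audit_builds(SAMPLE_INSPECT, {
        "localhost/test-image-v1:latest": {"VERSION": "v1"},
        "localhost/test-image-v2:latest": {"VERSION": "v2"},
    }):
        print(finding)
```

In a pipeline, the input would be the output of `podman image inspect` for the tags just built, and a non-empty result would fail the job before the image is pushed.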
A friendly reminder that this issue had no activity for 30 days.
Ping
@flouthoc PTAL
A friendly reminder that this issue had no activity for 30 days.