With the Buildkit feature enabled, a docker build does not read a .dockerignore file which is symlinked from outside the build context (i.e. outside the directory with Dockerfile). The build succeeds, but files and directories specified in the .dockerignore file are included in the image.
This behaviour is not exhibited when not using Buildkit for the build. I understand this might be intended but just wanting to confirm if this is the case or if it's an unintended bug.
If this is intended, should the build fail given it seemingly can't read the contents of .dockerignore?
@lawrence-law Yes. Builder should never access any path outside build context that was not set in the cli arguments. All paths have checks for that, looks like .dockerignore in the old implementation is missing it based on your report. Do not rely on this and expect it to be broken in the future.
@thaJeztah Do we want to classify this as security? As .dockerignore file handling is quite specific I think it is only an information leak atm. Did some tests and it doesn't look like this can be used to read a random file into build context but hard to be sure with all these wrappers in the old implementation. By default looks that it is a broken symlink in context.
Steps to reproduce the issue:
.dockerignore has one line inside it reading: tests/
product directory run DOCKER_BUILDKIT=1 docker build .
tests directory.
docker build . without Buildkit enabled
tests directory.
Describe the results you received:
Files and directories specified in the .dockerignore file are included in the Docker image.
Describe the results you expected:
Files and directories specified in the .dockerignore file are not included in the Docker image.
Additional information you deem important (e.g. issue happens only occasionally): N/A
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.): N/A
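A pre-build check for the situation reported in this thread, as an added example that is not part of the issue or of Docker's code: it fails when `.dockerignore` in a build context is a symlink that resolves outside that context, so the build does not silently ship ignored paths. The function names, the `shared.dockerignore` file and the demo layout are constructed for illustration, and the script assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (hypothetical helper names); assumes readlink -f is available.

# check_dockerignore CONTEXT_DIR
# Exit status: 0 = absent, regular file, or symlink resolving inside the context
#              1 = symlink resolving outside the context
#              2 = dangling symlink
#              3 = context directory not accessible
check_dockerignore() {
    ctx=$(cd "$1" 2>/dev/null && pwd -P) || return 3
    ignore="$ctx/.dockerignore"
    [ -L "$ignore" ] || return 0          # not a symlink: nothing to resolve
    if [ ! -e "$ignore" ]; then           # -e follows the link
        echo "$ignore: dangling symlink" >&2
        return 2
    fi
    target=$(readlink -f "$ignore")
    case "$target" in
        "$ctx"/*) return 0 ;;             # target stays inside the context
        *)  echo "$ignore -> $target is outside build context $ctx" >&2
            return 1 ;;
    esac
}

# make_demo_context PARENT_DIR
# Constructed layout modelled on the report: PARENT_DIR/product is the build
# context and its .dockerignore is a symlink to a file one level up.
make_demo_context() {
    mkdir -p "$1/product/tests"
    printf 'FROM scratch\nCOPY . /\n' > "$1/product/Dockerfile"
    printf 'tests/\n' > "$1/shared.dockerignore"
    ln -s ../shared.dockerignore "$1/product/.dockerignore"
    echo "$1/product"
}

# Usage: sh check.sh path/to/context && DOCKER_BUILDKIT=1 docker build path/to/context
[ "$#" -eq 0 ] || check_dockerignore "$1"
```

Run it in CI before the build step; a non-zero status means the ignore rules the author expects may not be the ones the builder applies.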