Unnecessary dockerignore warning #989

Closed
elderapo opened this issue Feb 13, 2024 · 3 comments · Fixed by #1001
Labels
area/buildkit awaiting-feedback Blocked on input from the author kind/enhancement Improvements or new features resolution/fixed This issue was fixed

Comments

@elderapo

Hello, I just upgraded my stack from @pulumi/docker v3 to v4 and started noticing the following warning (for each image built, pretty annoying when building multiple images):

warning: It looks like you are trying to dockerignore a build file such as `Dockerfile` or `.dockerignore`. To avoid accidentally copying these files to your image, please ensure any copied file systems do not include `Dockerfile` or `.dockerignore`.

It's completely ok and makes sense to explicitly ignore Dockerfile & .dockerignore files. In 99.9% of the cases, they have no reason to end up inside an image. In my opinion, this warning brings no value and is only slightly annoying.

If you do COPY . . and docker ignore only the files that you don't want to be included in the build context, it doesn't matter whether or not you have Dockerfile/.dockerignore inside of .dockerignore.

@elderapo elderapo added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Feb 13, 2024
@mjeffryes
Member

Hi @elderapo, sorry the message is annoying; IIUC, I think the message is trying to warn that the docker.Image resource may inadvertently copy the Dockerfile and .dockerignore into your container even though these files are excluded in your .dockerignore. (More context on the original PR here: #508)

Totally understand that it's surprising when the Image resource behavior doesn't match the behavior of the docker cli exactly. We're working on a revision of the Image resource that tries to more closely match the cli behavior.

@mjeffryes mjeffryes added awaiting-feedback Blocked on input from the author area/buildkit and removed needs-triage Needs attention from the triage team labels Feb 14, 2024
@elderapo
Author

elderapo commented Feb 14, 2024

@mjeffryes Thanks for the quick reply!

> the docker.Image resource may inadvertently copy the Dockerfile and .dockerignore into your container even though these files are excluded in your .dockerignore.

I think this assumption is incorrect. I just did a quick test with:

Dockerfile

FROM node:20

COPY . .

RUN ls -la && plzfail

if there is no .dockerignore the output is:

 > [3/3] RUN ls -la && plzfail:                                                                                                                   
0.285 total 60                                                                                                                                    
0.285 drwxr-xr-x   1 root root 4096 Feb 14 07:28 .                                                                                                
0.285 drwxr-xr-x   1 root root 4096 Feb 14 07:28 ..                                                                                               
0.285 -rw-rw-r--   1 root root   45 Feb 14 07:27 Dockerfile                                                                                       
0.285 lrwxrwxrwx   1 root root    7 Feb 11 00:00 bin -> usr/bin
0.285 drwxr-xr-x   2 root root 4096 Jan 28 21:20 boot
0.285 drwxr-xr-x   5 root root  340 Feb 14 07:28 dev
0.285 drwxr-xr-x   1 root root 4096 Feb 14 07:28 etc
0.285 drwxr-xr-x   1 root root 4096 Feb 13 08:11 home
0.285 lrwxrwxrwx   1 root root    7 Feb 11 00:00 lib -> usr/lib
0.285 lrwxrwxrwx   1 root root    9 Feb 11 00:00 lib64 -> usr/lib64
0.285 drwxr-xr-x   2 root root 4096 Feb 11 00:00 media
0.285 drwxr-xr-x   2 root root 4096 Feb 11 00:00 mnt
0.285 drwxr-xr-x   1 root root 4096 Feb 13 08:14 opt
0.285 dr-xr-xr-x 626 root root    0 Feb 14 07:28 proc
0.285 drwx------   1 root root 4096 Feb 13 08:13 root
0.285 drwxr-xr-x   1 root root 4096 Feb 13 01:21 run
0.285 lrwxrwxrwx   1 root root    8 Feb 11 00:00 sbin -> usr/sbin
0.285 drwxr-xr-x   2 root root 4096 Feb 11 00:00 srv
0.285 dr-xr-xr-x  13 root root    0 Feb 14 07:28 sys
0.285 drwxrwxrwt   1 root root 4096 Feb 13 08:14 tmp
0.285 drwxr-xr-x   1 root root 4096 Feb 11 00:00 usr
0.285 drwxr-xr-x   1 root root 4096 Feb 11 00:00 var
0.285 /bin/sh: 1: plzfail: not found

as you can see, the Dockerfile can be found inside of an image build step. But if we add .dockerignore with the following content:

Dockerfile
.dockerignore

the actual output is:

 > [3/3] RUN ls -la && plzfail:                                                                                                                   
0.273 total 56                                                                                                                                    
0.273 drwxr-xr-x   1 root root 4096 Feb 14 07:29 .                                                                                                
0.273 drwxr-xr-x   1 root root 4096 Feb 14 07:29 ..                                                                                               
0.273 lrwxrwxrwx   1 root root    7 Feb 11 00:00 bin -> usr/bin                                                                                   
0.273 drwxr-xr-x   2 root root 4096 Jan 28 21:20 boot
0.273 drwxr-xr-x   5 root root  340 Feb 14 07:29 dev
0.273 drwxr-xr-x   1 root root 4096 Feb 14 07:29 etc
0.273 drwxr-xr-x   1 root root 4096 Feb 13 08:11 home
0.273 lrwxrwxrwx   1 root root    7 Feb 11 00:00 lib -> usr/lib
0.273 lrwxrwxrwx   1 root root    9 Feb 11 00:00 lib64 -> usr/lib64
0.273 drwxr-xr-x   2 root root 4096 Feb 11 00:00 media
0.273 drwxr-xr-x   2 root root 4096 Feb 11 00:00 mnt
0.273 drwxr-xr-x   1 root root 4096 Feb 13 08:14 opt
0.273 dr-xr-xr-x 629 root root    0 Feb 14 07:29 proc
0.273 drwx------   1 root root 4096 Feb 13 08:13 root
0.273 drwxr-xr-x   1 root root 4096 Feb 13 01:21 run
0.273 lrwxrwxrwx   1 root root    8 Feb 11 00:00 sbin -> usr/sbin
0.273 drwxr-xr-x   2 root root 4096 Feb 11 00:00 srv
0.273 dr-xr-xr-x  13 root root    0 Feb 14 07:29 sys
0.273 drwxrwxrwt   1 root root 4096 Feb 13 08:14 tmp
0.273 drwxr-xr-x   1 root root 4096 Feb 11 00:00 usr
0.273 drwxr-xr-x   1 root root 4096 Feb 11 00:00 var
0.273 /bin/sh: 1: plzfail: not found

So I suspect what's happening is that Dockerfile & .dockerignore have to be copied into tar (even if dockerignored) but it's just so "docker build daemon" can figure out what should/should not be put into the actual image docker layers.


Edit: I think my theory is on point, check out this comment here.

@blampe
Contributor

blampe commented Feb 16, 2024

I agree this is confusing.

For background, Pulumi computes its own hash of your build context (separate from Docker's) to decide whether it needs to actually run an update. To do that it tries to respect your .dockerignore, but it also needs to include your Dockerfile contents in the hash. To accomplish this it currently modifies your .dockerignore exclusions to try un-excluding your Dockerfile -- but this has no bearing on the final image, only on Pulumi's hash.

#962 simplifies this build context calculation. In the meantime we can remove the warning in #1001.

blampe added a commit that referenced this issue Feb 29, 2024
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Feb 29, 2024
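
The build-context hash described in the last comment, as an added sketch that is not Pulumi's implementation or part of the original thread: files excluded by .dockerignore stay out of the digest, while the Dockerfile is always hashed so that editing it still triggers a rebuild. The names `ignored` and `contextHash` are hypothetical, the context is a flat in-memory map of constructed files, and matching is simplified to `path.Match` globs rather than full .dockerignore semantics.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path"
	"sort"
	"strings"
)

// ignored applies .dockerignore-style rules in order: the last matching rule
// wins and a leading "!" re-includes. Simplified to path.Match globs.
func ignored(rules []string, file string) bool {
	skip := false
	for _, r := range rules {
		negate := strings.HasPrefix(r, "!")
		if ok, _ := path.Match(strings.TrimPrefix(r, "!"), file); ok {
			skip = !negate
		}
	}
	return skip
}

// contextHash digests every non-ignored file plus the Dockerfile, which is
// hashed even when the rules exclude it. Sorted for a deterministic result.
func contextHash(files map[string]string, rules []string, dockerfile string) string {
	var names []string
	for name := range files {
		if name == dockerfile || !ignored(rules, name) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%s\x00%d\x00%s", name, len(files[name]), files[name])
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed sample context; file names and contents are made up.
	rules := []string{"Dockerfile", ".dockerignore", "*.env"}
	files := map[string]string{"Dockerfile": "FROM node:20\nCOPY . .\n", "app.js": "console.log(1)", "prod.env": "TOKEN=constructed"}
	fmt.Println(contextHash(files, rules, "Dockerfile"))
}
```

Changing an ignored file such as `prod.env` leaves the digest unchanged, which is the same exclusion that keeps it out of a `COPY . .` layer.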