Fix: Avoid staging Dockerfiles into read-only build contexts#1343
Closed
mazdak wants to merge 1 commit into
Closed
Fix: Avoid staging Dockerfiles into read-only build contexts#1343mazdak wants to merge 1 commit into
mazdak wants to merge 1 commit into
Conversation
Contributor
|
Hi @mazdak Thank you for reporting this issue! Confirming I guess this solution might not be the best one as it couldn't support docker specific ignore when the build context is read only. We might need to update fssync to handle Dockerfile and ignore file selectively. Thanks! |
This was referenced Mar 25, 2026
Merged
Contributor
|
@mazdak I just made some PRs for this issue. |
Contributor
Author
No problem at all. I am happy to just see this resolved. |
JaewonHur
added a commit
to apple/container-builder-shim
that referenced
this pull request
Apr 18, 2026
This PR resolves the issue when using docker specific ignore file with read-only build context (apple/container#1343). Once the `dockerignore` argument is provided in `PerformBuild` gRPC, it performs following two operations. First, after unpacking transferred build context archive into `cache` directory, it creates a `DockerfileStaging` (i.e., `.com.apple.container`) directory there, and copies `Dockerfile` and `Dockerfile.dockerignore`. The path to `DockerfileStaging` is passed to the buildkit daemon so that it can correctly figure out which dockerignore file to read. Second, it handles data requests for `Dockerfile` and `Dockerfile.dockerignore` (i.e., `diffcopy.go:sender::sendFile`), so that the requests before the actual files are written can be correctly served---i.e., refer #71 for more context about this race issue.
JaewonHur
added a commit
that referenced
this pull request
Apr 20, 2026
This PR resolves #1343. This PR depends on apple/container-builder-shim#72. Do not create staging directory under build context, but pass dockerignore file bytes to the container-builder-shim. ## Type of Change - [x] Bug fix - [ ] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context [Why is this change needed?] ## Testing - [x] Tested locally - [ ] Added/updated tests - [ ] Added/updated docs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
Motivation and Context
While building our docker-compose-like compose system for container, we noticed an issue in the build phase. The current build path always creates
.com.apple.container.dockerfiles/inside the context and writes a staged Dockerfile there.That introduces an issue for:
Those builds can fail before BuildKit starts, even when there is no .dockerignore to rewrite. Here, we fix container build so it does not require write access to the build context unless it actually needs to synthesize staged Dockerfile artifacts.
Fix
This preserves the existing staged-ignore behavior where it is needed, while avoiding unnecessary writes for simple read-only contexts.
Testing