Issue Description
Our project template uses a .dockerignore that starts with * to ignore ALL files, and then adds specific lines prefixed with ! to create exceptions. This way we avoid sending an overly large build context to the engine.
However, this appears to break the type=file build-secrets:
$ podman build --secret=id=MY_SECRET,type=file,src=${SECRETS_FILE} --no-cache -t foo .
Error: failed to parse query parameter 'secrets': "[\"id=MY_SECRET,type=file,src=podman-build-secret1918992619\"]": rename /var/tmp/libpod_builder3673920082/build/podman-build-secret1918992619 /var/tmp/libpod_builder3673920082/podman-build-secret1918992619: no such file or directory
Adding a line !*podman-build-secret* to the .dockerignore seems to be a workaround, but I would prefer not to have to create exceptions for these internal file names.
The problem seems to occur on both macOS and Windows with type=file build secrets. It matters more on macOS, because on Windows the actual image build with a file-based secret always fails with a different error anyway (see Additional information below).
Steps to reproduce the issue
- Create a new empty folder
- Inside the empty folder, create a file .dockerignore with the following contents:
*
- Create a new file Dockerfile with the following contents:
FROM alpine
RUN --mount=type=secret,id=MY_SECRET \
    ls -la /run/secrets && \
    cat /run/secrets/MY_SECRET
- Execute the following command:
SECRETS_FILE=$(mktemp) ; echo "Super Secret" > $SECRETS_FILE ; podman build --secret=id=MY_SECRET,type=file,src=${SECRETS_FILE} --no-cache -t foo .
Describe the results you received
The above steps result in the following error:
Error: failed to parse query parameter 'secrets': "[\"id=MY_SECRET,type=file,src=podman-build-secret1918992619\"]": rename /var/tmp/libpod_builder3673920082/build/podman-build-secret1918992619 /var/tmp/libpod_builder3673920082/podman-build-secret1918992619: no such file or directory
Describe the results you expected
I would expect this command to work without the need for adding !*podman-build-secret* to the .dockerignore file.
The reproduction steps do not result in any error when using docker (though using docker on a linux machine, not on the mac since I do not have the option of running docker on my mac).
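As an added illustration (not code from this issue or from podman), the following Python applies .dockerignore rules to a constructed build-context listing that includes the staged secret file name shown in the error above. It shows why a leading * rule drops that staged file and why the !*podman-build-secret* exception re-includes it; the matcher is a simplified version of Docker's pattern semantics (* and ? do not cross a /, ** does).

```python
import re

# Constructed build-context listing (not from the issue): the project files plus
# the staged copy of the secret, named as in the error message above.
CONTEXT_FILES = [
    "Dockerfile",
    ".dockerignore",
    "src/app.py",
    "podman-build-secret1918992619",
]


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one .dockerignore pattern into a regex over a relative path.
    Simplified Docker semantics: '*' and '?' never cross '/', '**' may."""
    pattern = pattern.strip().strip("/")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:[^/]*/)*", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    # A pattern that matches a directory also covers everything beneath it.
    return re.compile(rf"^(?:{out})(?:/.*)?$")


def is_excluded(path: str, dockerignore: str) -> bool:
    """Apply the rules in file order: the last matching rule decides, and a
    rule prefixed with '!' re-includes a path an earlier rule excluded."""
    excluded = False
    for line in dockerignore.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if _pattern_to_regex(line[1:] if negate else line).match(path):
            excluded = not negate
    return excluded


def context_sent(dockerignore: str, files=CONTEXT_FILES) -> list:
    """Files that survive the ignore rules and are sent to the build engine."""
    return [f for f in files if not is_excluded(f, dockerignore)]
```

With the bare "*" ignore file, context_sent returns an empty list, so the staged secret never reaches the engine and the server-side rename has nothing to move; adding the !*podman-build-secret* line puts it back into the context.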
podman info output
host:
  arch: arm64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.74
    systemPercent: 0.13
    userPercent: 0.13
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "41"
  eventLogger: journald
  freeLocks: 2048
  hostname: localhost.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.12.7-200.fc41.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 1610174464
  memTotal: 2042269696
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241211.g09478d5-1.fc41.aarch64
    version: |
      pasta 0^20241211.g09478d5-1.fc41.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: unix:///run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc41.aarch64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 0h 54m 4.00s
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 106415992832
  graphRootUsed: 4343402496
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Wed Jan 22 01:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/arm64
  Version: 5.3.2
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
On a Windows machine the error is the same:
C:\Users\guido\testing_secrets>podman build --secret=id=MY_SECRET,type=file,src=mysecret.txt --no-cache -t foo .
Error: failed to parse query parameter 'secrets': "[\"id=MY_SECRET,type=file,src=podman-build-secret1067707365\"]": rename /var/tmp/libpod_builder3212319988/build/podman-build-secret1067707365 /var/tmp/libpod_builder3212319988/podman-build-secret1067707365: no such file or directory
However, if on the Windows machine I update the .dockerignore file to exempt the podman-build-secret files, I get a different error:
C:\Users\guido\testing_secrets>podman build --secret=id=MY_SECRET,type=file,src=mysecret.txt --no-cache -t foo .
time="2025-02-13T09:49:18+01:00" level=error msg="1 error occurred:\n\t* archive/tar: write too long\n\n\n"
Error: Post "http://d/v5.3.1/libpod/build?compatvolumes=0&dockerfile=%5B%22Dockerfile%22%5D&forcerm=1&httpproxy=1&identitylabel=1&idmappingoptions=%7B%22HostUIDMapping%22%3Atrue%2C%22HostGIDMapping%22%3Atrue%2C%22UIDMap%22%3A%5B%5D%2C%22GIDMap%22%3A%5B%5D%2C%22AutoUserNs%22%3Afalse%2C%22AutoUserNsOpts%22%3A%7B%22Size%22%3A0%2C%22InitialSize%22%3A0%2C%22PasswdFile%22%3A%22%22%2C%22GroupFile%22%3A%22%22%2C%22AdditionalUIDMappings%22%3Anull%2C%22AdditionalGIDMappings%22%3Anull%7D%7D&isolation=0&jobs=1&layers=1&networkmode=0&nocache=1&nsoptions=%5B%7B%22Name%22%3A%22user%22%2C%22Host%22%3Atrue%2C%22Path%22%3A%22%22%7D%5D&omithistory=0&output=foo&outputformat=application%2Fvnd.oci.image.manifest.v1%2Bjson&pullpolicy=missing&retry=3&retry-delay=2s&rm=1&secrets=%5B%22id%3DMY_SECRET%2Ctype%3Dfile%2Csrc%3Dpodman-build-secret2169833388%22%5D&shmsize=67108864&t=foo": io: read/write on closed pipe