Non-deterministic precedence between `--build-arg no_proxy=...` and `~/.docker/config.json` proxy defaults

[Wenzel]

Description

I’m seeing non-deterministic behavior in docker build where an explicit --build-arg no_proxy=... sometimes gets overridden by the proxy default from Docker client config.json (proxies.default.noProxy).

Repeating the same build command produces different results across runs.

Reproduce

# allow to override Docker client proxies if necessary
ARG http_proxy
ARG https_proxy
ARG no_proxy

FROM ubuntu:24.04
# redeclare ARGs
ARG http_proxy
ARG https_proxy
ARG no_proxy

RUN <<EOF
env | grep -i proxy
exit 1
EOF

$HOME/.docker/config.json

{
    "proxies":
    {
        "default": {
            "noProxy": "my_default_noproxy_value_from_config.json"
        }
    }

}

Repeatedly run docker build --build-arg no_proxy="my_cmdline_value" .

Expected behavior

When a user explicitly passes a build-arg on the command line, it should always take precedence over proxy defaults coming from ~/.docker/config.json.

For example, running:

docker build --build-arg no_proxy="my_cmdline_value" .

should deterministically result in the build environment using:

• no_proxy=my_cmdline_value and/or
• NO_PROXY=my_cmdline_value

and it should never be replaced by proxies.default.noProxy (e.g. my_default_noproxy_value_from_config.json), regardless of how many times the build is repeated.

docker version

Client: Docker Engine - Community
 Version:           25.0.2
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Thu Feb  1 00:23:03 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.2
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       fce6e0c
  Built:            Thu Feb  1 00:23:03 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    25.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.5
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 9
 Server Version: 25.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-94-generic
 Operating System: Ubuntu 24.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 15.25GiB
 Name: galaxy-book2
 ID: 4144eb0b-0084-4392-ac18-9c39ce54c05d
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

Confirmed on 2 differents hosts, with 2 docker engines:(25.0.2 and 27.5.1)

[Best2Two]

Hey @Wenzel are you working on fixing this issue? If not Can I work on it?

[Wenzel]

Hey @Best2Two,

Thanks for looking at it !

I'm not a Docker contributor, so feel free to explore this issue.

[Best2Two]

Thank you,
@thaJeztah Can you please assign it to me as a first time contributer? If that's not possible can I submit a PR on my own ?

[thaJeztah]

I wonder if this is caused because you're defining these build-args in the Dockerfile; the _proxy (and uppercase _PROXY) build-args are special-cased, pre-defined build-args;

From the documentation; https://docs.docker.com/reference/dockerfile/#predefined-args

Predefined ARGs

Docker has a set of predefined ARG variables that you can use without a
corresponding ARG instruction in the Dockerfile.

• HTTP_PROXY
• http_proxy
• HTTPS_PROXY
• https_proxy
• FTP_PROXY
• ftp_proxy
• NO_PROXY
• no_proxy
• ALL_PROXY
• all_proxy

I wonder if because the dockerfile now defines build-args (but ONLY lowercase), detection of these overrides gets non-deterministic.

A quick test (without a ~/.docker/config.json defining defaults) shows that all these vars are set when passing build-args;

docker build --build-arg http_proxy=one --build-arg https_proxy=two --build-arg no_proxy=three --build-arg ftp_proxy=four --build-arg all_proxy=five -<<'EOF'
FROM ubuntu:24.04
RUN env | grep -i proxy && exit 1
EOF

Outputs;

 => ERROR [2/2] RUN env | grep -i proxy && exit 1                                                        0.2s
------
 > [2/2] RUN env | grep -i proxy && exit 1:
0.206 HTTPS_PROXY=two
0.206 no_proxy=three
0.206 all_proxy=five
0.206 NO_PROXY=three
0.206 https_proxy=two
0.206 ALL_PROXY=five
0.206 http_proxy=one
0.206 ftp_proxy=four
0.206 FTP_PROXY=four
0.206 HTTP_PROXY=one

[crazy-max]

The root cause appears to be that Buildx can send both build-arg:no_proxy from the CLI and build-arg:NO_PROXY from ~/.docker/config.json because the override check is case-sensitive in Buildx, while BuildKit later matches proxy args case-insensitively and iterates a Go map, so the winning value depends on map iteration order.

In Buildx, the relevant merge logic is around the opt.BuildArgs and node.ProxyConfig loops:

buildx/build/opt.go

Lines 481 to 483 in 2ed4ece

	for k, v := range opt.BuildArgs {
	so.FrontendAttrs["build-arg:"+k] = v
	}

buildx/build/opt.go

Lines 529 to 533 in 2ed4ece

	for k, v := range node.ProxyConfig {
	if _, ok := opt.BuildArgs[k]; !ok {
	so.FrontendAttrs["build-arg:"+k] = v
	}
	}

And proxy defaults are currently emitted as uppercase keys in

buildx/store/storeutil/storeutil.go

Lines 28 to 52 in 2ed4ece

	func GetProxyConfig(dockerCli command.Cli) map[string]string {
	cfg := dockerCli.ConfigFile()
	host := dockerCli.Client().DaemonHost()
	proxy, ok := cfg.Proxies[host]
	if !ok {
	proxy = cfg.Proxies["default"]
	}
	m := map[string]string{}
	if v := proxy.HTTPProxy; v != "" {
	m["HTTP_PROXY"] = v
	}
	if v := proxy.HTTPSProxy; v != "" {
	m["HTTPS_PROXY"] = v
	}
	if v := proxy.NoProxy; v != "" {
	m["NO_PROXY"] = v
	}
	if v := proxy.FTPProxy; v != "" {
	m["FTP_PROXY"] = v
	}
	return m
	}

In BuildKit, the relevant logic is proxyEnvFromBuildArgs in https://github.com/moby/buildkit/blob/5245d869d85d9c98f986b600584c332a3b001986/frontend/dockerfile/dockerfile2llb/convert.go#L2137-L2166 which uses strings.EqualFold during map iteration.

This makes explicit CLI --build-arg no_proxy=... precedence non-deterministic whenever both case variants are present, so this looks like a real bug.