Build ARG in Dockerfile doesn't invalidate cache

Posted August 5, 2021 414 views
DockerCachingDigitalOcean Container Registry (DOCR)


We have a 2-stage Dockerfile (Build+run) where we use a build ARG in the 1st stage. This build ARG is injected during the docker build ... command. When rebuilding the image with the same name and tag, but changing the build arg to something else, the value of the build ARG changes locally (can be verified by starting up the image locally), but when pushed to the DO container registry, the image still contains the old build ARG.

Is this a known issue? Is there anything in the caching mechanism than skips invalidation on ARG variables in the Dockerfile?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

I have managed to make a more simple and minimal Dockerfile which you can use to recreate the bug:

FROM alpine:latest

RUN echo $PASSWORD > /password 

ENTRYPOINT ["cat", "/password"] 

Steps to recreate the cache bug:

  1. Build this Dockerfile with docker build -t -f failcache.dockerfile --build-arg PASSWORD=test .

  2. Push the image to DO container registry: docker push

  3. Run the container somewhere. In particular you can use kubernetes with the following pod spec:

    apiVersion: v1
    kind: Pod
    app: failcache 
    name: failcache 
    namespace: keycloak
    serviceAccount: <sa-with-pull-access-to-registry>
    - image:
    imagePullPolicy: Always
    name: failcache
  4. Notice how the log of the container says “test”

  5. Now rebuild the image locally with docker build -t -f failcache.dockerfile --build-arg PASSWORD=another-test .

  6. Push the image again to DO container registry and recreate the pod from step 3. The container log will still say “test”, even though the build-arg has changed.

Any insights on this is highly appreciated!