Question

Build ARG in Dockerfile doesn't invalidate cache

Hello,

We have a 2-stage Dockerfile (Build+run) where we use a build ARG in the 1st stage. This build ARG is injected during the docker build ... command. When rebuilding the image with the same name and tag, but changing the build arg to something else, the value of the build ARG changes locally (can be verified by starting up the image locally), but when pushed to the DO container registry, the image still contains the old build ARG.

Is this a known issue? Is there anything in the caching mechanism than skips invalidation on ARG variables in the Dockerfile?


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

I have managed to make a more simple and minimal Dockerfile which you can use to recreate the bug:

FROM alpine:latest

ARG PASSWORD
RUN echo $PASSWORD > /password 


ENTRYPOINT ["cat", "/password"] 

Steps to recreate the cache bug:

  1. Build this Dockerfile with docker build -t registry.digitalocean.com/myreg/failcache -f failcache.dockerfile --build-arg PASSWORD=test .

  2. Push the image to DO container registry: docker push registry.digitalocean.com/myreg/failcache

  3. Run the container somewhere. In particular you can use kubernetes with the following pod spec:

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: failcache 
  name: failcache 
  namespace: keycloak
spec:
  serviceAccount: <sa-with-pull-access-to-registry>
  containers:
  - image: registry.digitalocean.com/myreg
    imagePullPolicy: Always
    name: failcache
  1. Notice how the log of the container says “test”

  2. Now rebuild the image locally with docker build -t registry.digitalocean.com/myreg/failcache -f failcache.dockerfile --build-arg PASSWORD=another-test .

  3. Push the image again to DO container registry and recreate the pod from step 3. The container log will still say “test”, even though the build-arg has changed.

Any insights on this is highly appreciated!