DigitalOcean

Report this

What is the reason for this report?
Question

Build ARG in Dockerfile doesn't invalidate cache

Posted on August 5, 2021
DigitalOcean Container Registry (DOCR)
Docker
Caching
Retler

By Retler

Hello,

We have a 2-stage Dockerfile (Build+run) where we use a build ARG in the 1st stage. This build ARG is injected during the docker build ... command. When rebuilding the image with the same name and tag, but changing the build arg to something else, the value of the build ARG changes locally (can be verified by starting up the image locally), but when pushed to the DO container registry, the image still contains the old build ARG.

Is this a known issue? Is there anything in the caching mechanism than skips invalidation on ARG variables in the Dockerfile?



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Retler
Retler
August 8, 2021

I have managed to make a more simple and minimal Dockerfile which you can use to recreate the bug:

FROM alpine:latest

ARG PASSWORD
RUN echo $PASSWORD > /password 


ENTRYPOINT ["cat", "/password"]

Steps to recreate the cache bug:

  1. Build this Dockerfile with docker build -t registry.digitalocean.com/myreg/failcache -f failcache.dockerfile --build-arg PASSWORD=test .

  2. Push the image to DO container registry: docker push registry.digitalocean.com/myreg/failcache

  3. Run the container somewhere. In particular you can use kubernetes with the following pod spec:

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: failcache 
  name: failcache 
  namespace: keycloak
spec:
  serviceAccount: <sa-with-pull-access-to-registry>
  containers:
  - image: registry.digitalocean.com/myreg
    imagePullPolicy: Always
    name: failcache

  1. Notice how the log of the container says “test”

  2. Now rebuild the image locally with docker build -t registry.digitalocean.com/myreg/failcache -f failcache.dockerfile --build-arg PASSWORD=another-test .

  3. Push the image again to DO container registry and recreate the pod from step 3. The container log will still say “test”, even though the build-arg has changed.

Any insights on this is highly appreciated!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.