8000 Cache broken for cross-architecture builds with DOCKER_BUILDKIT=0 since CVE-2024-24557 · Issue #49947 · moby/moby · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Cache broken for cross-architecture builds with DOCKER_BUILDKIT=0 since CVE-2024-24557 #49947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dcaputo-harmoni opened this issue May 9, 2025 · 0 comments
Open

Cache broken for cross-architecture builds with DOCKER_BUILDKIT=0 since CVE-2024-24557 #49947

dcaputo-harmoni opened this issue May 9, 2025 · 0 comments
Labels
area/builder/classic-builder Issues affecting the classic builder area/builder help wanted kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage

Comments

@dcaputo-harmoni
Copy link
dcaputo-harmoni commented May 9, 2025
edited
Loading

Description

Since the fix for CVE-2024-24557, layer caching no longer works when building container images for a different architecture than the host (i.e. cross-architecture builds) using the classic builder (DOCKER_BUILDKIT=0).

This regression only affects the classic builder, and can be easily reproduced by comparing Docker versions 25.0.1 (before the fix) and 25.0.2 (after the fix) when building images for a non-native architecture (e.g., --platform=linux/arm64 on an amd64 host).

Note: These examples assume the host architecture is not ARM64. If running on an ARM64 host, replace --platform=linux/arm64 with a different architecture (e.g., linux/amd64).

This issue is present in all versions from 25.0.2 onwards, and I have confirmed it is in versions as recent as 28.1.1 (latest as of the creation date of this issue)

Reproduce

✅ Cache Working (Docker 25.0.1)

  1. Start Docker 25.0.1-dind Container:
docker run --privileged --rm -it docker:25.0.1-dind
  1. Run in Docker 25.0.1-dind Container:
cd /tmp
echo "FROM --platform=linux/arm64 alpine" > Dockerfile
echo "RUN touch /tmp/foo" >> Dockerfile
DOCKER_BUILDKIT=0 docker build .
DOCKER_BUILDKIT=0 docker build .

✅ Second build uses cache as expected.

❌ Cache Broken (Docker 25.0.2)

  1. Start Docker 25.0.2-dind Container:
docker run --privileged --rm -it docker:25.0.2-dind
  1. Run in Docker 25.0.2-dind Container:
cd /tmp
echo "FROM --platform=linux/arm64 alpine" > Dockerfile
echo "RUN touch /tmp/foo" >> Dockerfile
DOCKER_BUILDKIT=0 docker build .
DOCKER_BUILDKIT=0 docker build .

❌ Second build does not use cache — layers are rebuilt.

Expected behavior

Classic builder should continue to cache layers correctly for cross-architecture builds as it did before the CVE patch, unless explicitly restricted by the user.

Example successful output (from 25.0.1) below:

/ # cd /tmp
/tmp # echo "FROM --platform=linux/arm64 alpine" > Dockerfile
/tmp # echo "RUN touch /tmp/foo" >> Dockerfile
/tmp # DOCKER_BUILDKIT=0 docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM --platform=linux/arm64 alpine
latest: Pulling from library/alpine
6e771e15690e: Pull complete 
Digest: sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
Status: Downloaded newer image for alpine:latest
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> [Warning] The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
 ---> Running in 04bfa51f8afd
 ---> Removed intermediate container 04bfa51f8afd
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4
/tmp # DOCKER_BUILDKIT=0 docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Using cache
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4
/tmp # DOCKER_BUILDKIT=0 docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Using cache
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4

docker version

Client:
 Version:           25.0.2
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Thu Feb  1 00:22:06 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.2
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       fce6e0c
  Built:            Thu Feb  1 00:23:45 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.13
  GitCommit:        7c3aca7a610df76212171d200ca3811ff6096eb8
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    25.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.5
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 25.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7c3aca7a610df76212171d200ca3811ff6096eb8
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.15.167.4-microsoft-standard-WSL2
 Operating System: Alpine Linux v3.19 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 32
 Total Memory: 31.34GiB
 Name: 482a95a0bb41
 ID: eae3ab74-75b3-4312-96fa-7edeae59ff3b
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

Additional Info

Projects relying on DOCKER_BUILDKIT=0 for reproducible cross-arch builds (e.g., in CI environments or build-once strategies) now suffer from slower builds and unnecessary rebuilds.
@dcaputo-harmoni dcaputo-harmoni added status/0-triage kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. labels May 9, 2025
@thaJeztah thaJeztah added area/builder area/builder/classic-builder Issues affecting the classic builder labels May 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/builder/classic-builder Issues affecting the classic builder area/builder help wanted kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@thaJeztah @vvoland @dcaputo-harmoni
0