Description
Since the fix for CVE-2024-24557, layer caching no longer works when building container images for a different architecture than the host (i.e. cross-architecture builds) using the classic builder (`DOCKER_BUILDKIT=0`).
This regression only affects the classic builder, and can be easily reproduced by comparing Docker versions 25.0.1 (before the fix) and 25.0.2 (after the fix) when building images for a non-native architecture (e.g., `--platform=linux/arm64` on an `amd64` host).
Note: These examples assume the host architecture is not ARM64. If running on an ARM64 host, replace `--platform=linux/arm64` with a different architecture (e.g., `linux/amd64`).
This issue is present in all versions from 25.0.2 onwards, and I have confirmed it is in versions as recent as 28.1.1 (latest as of the creation date of this issue).
Reproduce

✅ Cache Working (Docker 25.0.1)

- Start Docker 25.0.1-dind Container:

```bash
docker run --privileged --rm -it docker:25.0.1-dind
```

- Run in Docker 25.0.1-dind Container:

```bash
cd /tmp
echo "FROM --platform=linux/arm64 alpine" > Dockerfile
echo "RUN touch /tmp/foo" >> Dockerfile
DOCKER_BUILDKIT=0 docker build .
DOCKER_BUILDKIT=0 docker build .
```

✅ Second build uses cache as expected.

❌ Cache Broken (Docker 25.0.2)

- Start Docker 25.0.2-dind Container:

```bash
docker run --privileged --rm -it docker:25.0.2-dind
```

- Run in Docker 25.0.2-dind Container:

```bash
cd /tmp
echo "FROM --platform=linux/arm64 alpine" > Dockerfile
echo "RUN touch /tmp/foo" >> Dockerfile
DOCKER_BUILDKIT=0 docker build .
DOCKER_BUILDKIT=0 docker build .
```

❌ Second build does not use cache — layers are rebuilt.
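The two-build comparison above can be scripted so that a CI job fails whenever the rebuild stops reusing the layer cache. The script below is an added example, not part of the original issue or of the Docker project: it parses two classic-builder logs (assumed to be captured with `DOCKER_BUILDKIT=0 docker build . 2>&1`) and uses constructed sample logs shaped like the issue's output in place of live `docker build` runs.

```shell
# Added example (not from the issue): CI-style regression check that a
# classic-builder rebuild reused the layer cache for every step after FROM
# and reproduced the same final image ID as the first build.

# Summarise one build log read from stdin as "<steps> <cache_hits> <final_id>".
summarize_build() {
    awk '
        /^Step [0-9]+\/[0-9]+ :/ { steps++ }
        /^ *---> Using cache/    { hits++ }
        /^Successfully built /   { id = $3 }
        END { printf "%d %d %s\n", steps + 0, hits + 0, id }
    '
}

# check_cache_reuse FIRST_LOG SECOND_LOG: returns 0 only if every non-FROM step
# of the second build printed "Using cache" (FROM never does) and the image IDs match.
check_cache_reuse() {
    first=$(printf '%s\n' "$1" | summarize_build)
    second=$(printf '%s\n' "$2" | summarize_build)
    set -- $first;  f_steps=$1; f_id=$3
    set -- $second; s_steps=$1; s_hits=$2; s_id=$3
    [ "$f_steps" -gt 0 ] || return 1
    [ "$s_steps" -eq "$f_steps" ] || return 1
    [ "$s_hits" -eq $((s_steps - 1)) ] || return 1
    [ -n "$f_id" ] && [ "$s_id" = "$f_id" ] || return 1
}

# Constructed sample logs, abridged from the shape of the issue's 25.0.1 output.
FIRST_BUILD='Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Running in 04bfa51f8afd
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4'
REBUILD_CACHED='Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Using cache
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4'
REBUILD_MISS='Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Running in 1c2d3e4f5a6b
 ---> 9a8b7c6d5e4f
Successfully built 9a8b7c6d5e4f'

check_cache_reuse "$FIRST_BUILD" "$REBUILD_CACHED" && echo "rebuild used cache: OK"
check_cache_reuse "$FIRST_BUILD" "$REBUILD_MISS"   || echo "rebuild rebuilt layers: cache regression"
```

In a pipeline, replace the sample strings with the captured output of the two consecutive builds and let the non-zero return of `check_cache_reuse` fail the job.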
Expected behavior
Classic builder should continue to cache layers correctly for cross-architecture builds as it did before the CVE patch, unless explicitly restricted by the user.
Example successful output (from 25.0.1) below:
```console
/ # cd /tmp
/tmp # echo "FROM --platform=linux/arm64 alpine" > Dockerfile
/tmp # echo "RUN touch /tmp/foo" >> Dockerfile
/tmp # DOCKER_BUILDKIT=0 docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.
Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM --platform=linux/arm64 alpine
latest: Pulling from library/alpine
6e771e15690e: Pull complete
Digest: sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
Status: Downloaded newer image for alpine:latest
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> [Warning] The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
 ---> Running in 04bfa51f8afd
 ---> Removed intermediate container 04bfa51f8afd
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4
/tmp # DOCKER_BUILDKIT=0 docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.
Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Using cache
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4
/tmp # DOCKER_BUILDKIT=0 docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.
Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM --platform=linux/arm64 alpine
 ---> 8d591b0b7dea
Step 2/2 : RUN touch /tmp/foo
 ---> Using cache
 ---> 0f3e3e7ed5d4
Successfully built 0f3e3e7ed5d4
```
docker version
```console
Client:
 Version:           25.0.2
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Thu Feb 1 00:22:06 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.2
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       fce6e0c
  Built:            Thu Feb 1 00:23:45 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.13
  GitCommit:        7c3aca7a610df76212171d200ca3811ff6096eb8
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
docker info
```console
Client:
 Version:    25.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.5
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 25.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7c3aca7a610df76212171d200ca3811ff6096eb8
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.15.167.4-microsoft-standard-WSL2
 Operating System: Alpine Linux v3.19 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 32
 Total Memory: 31.34GiB
 Name: 482a95a0bb41
 ID: eae3ab74-75b3-4312-96fa-7edeae59ff3b
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
```
Additional Info
Projects relying on DOCKER_BUILDKIT=0 for reproducible cross-arch builds (e.g., in CI environments or build-once strategies) now suffer from slower builds and unnecessary rebuilds.