Bind mounts during build ignore dockerignore content #6450

@TheFox0x7

Issue Description

During my attempts at optimizing container builds I moved some of the COPY directives to RUN --mount=type=bind.... Despite having node_modules in .dockerignore, the RUN step did include the directory in the mount. The same happened with mounting .git: buildah allowed me to mount it in the build when it was in the ignore file, but the docker build in CI failed on this step.

Steps to reproduce the issue

  1. Set up the example:
  • Dockerfile:
FROM docker.io/library/alpine:3.22

RUN --mount=type=bind,target=/data ls /data
  • file named test with any contents
  • .dockerignore:
test
  2. Run podman build . -f Dockerfile --no-cache against the setup
  3. Run DOCKER_HOST=unix:///run/user/1000/podman/podman.sock docker buildx build . -f Dockerfile --progress plain --no-cache against the setup
  4. Compare outputs

Alternatively

  1. Same setup as before, just with the following Dockerfile instead:
FROM alpine:3.22

RUN --mount=type=bind,target=/data/test,source=./test ls /data
  2. Run podman build . -f Dockerfile --no-cache against the setup
  3. Run DOCKER_HOST=unix:///run/user/1000/podman/podman.sock docker buildx build . -f Dockerfile --progress plain --no-cache against the setup
  4. Compare outputs

Describe the results you received

The RUN stage run by podman listed two files:

STEP 2/2: RUN --mount=type=bind,target=/data ls /data
Dockerfile
test

The alternative scenario produced a container and listed test during the build.

Describe the results you expected

I expected output matching docker's version which skips files marked by .dockerignore:

#6 [stage-0 2/2] RUN --mount=type=bind,target=/data ls /data
#6 0.100 Dockerfile
#6 DONE 0.2s

Or, in the case of the alternative scenario, I'd expect a build failure like here:

Dockerfile:3
--------------------
   1 |     FROM alpine:3.22
   2 |     
   3 | >>> RUN --mount=type=bind,target=/data/test,source=./test ls /data
   4 |     
   5 |     
--------------------
ERROR: failed to build: failed to solve: failed to compute cache key: failed to calculate checksum of ref lsojdg02utvgs3gizmy7ykmo9::li6sn404e9cag4lkk255e0z7i: "/test": not found

podman version output

Client:       Podman Engine
Version:      5.6.2
API Version:  5.6.2
Go Version:   go1.25.1 X:nodwarf5
Git Commit:   9dd5e1ed33830612bc200d7a13db00af6ab865a4
Built:        Thu Oct  2 11:47:03 2025
OS/Arch:      linux/amd64

podman info output

host:
  arch: amd64
  buildahVersion: 1.41.5
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-1:2.1.13-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: 82de887596ed8ee6d9b2ee85e4f167f307bb569b'
  cpuUtilization:
    idlePercent: 85.82
    systemPercent: 3.15
    userPercent: 11.03
  cpus: 8
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  emulatedArchitectures:
  - linux/arm
  - linux/arm64
  - linux/arm64be
  - linux/loong64
  - linux/mips
  - linux/mips64
  - linux/ppc
  - linux/ppc64
  - linux/ppc64le
  - linux/riscv32
  - linux/riscv64
  - linux/s390x
  eventLogger: journald
  freeLocks: 2032
  hostname: {hostname}
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.17.3-arch2-1
  linkmode: dynamic
  logDriver: journald
  memFree: 18223235072
  memTotal: 33400619008
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.16.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: netavark-1.16.1-1
    path: /usr/lib/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: crun-1.24-1
    path: /usr/bin/crun
    version: |-
      crun version 1.24
      commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-2025_09_19.623dbf6-1
    version: |
      pasta 2025_09_19.623dbf6
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.3-1
    version: |-
      slirp4netns version 1.3.3
      commit: 944fa94090e1fd1312232cbc0e6b43585553d824
      libslirp: 4.9.1
      SLIRP_CONFIG_VERSION_MAX: 6
      libseccomp: 2.5.6
  swapFree: 0
  swapTotal: 0
  uptime: 2h 29m 14.00s (Approximately 0.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  localhost:3000:
    Blocked: false
    Insecure: true
    Location: localhost:3000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:3000
    PullFromMirror: ""
store:
  configFile: /home/{user}/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 1
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/{user}/.local/share/containers/storage
  graphRootAllocated: 999650168832
  graphRootUsed: 430608322560
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 337
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/{user}/.local/share/containers/storage/volumes
version:
  APIVersion: 5.6.2
  Built: 1759398423
  BuiltTime: Thu Oct  2 11:47:03 2025
  GitCommit: 9dd5e1ed33830612bc200d7a13db00af6ab865a4
  GoVersion: go1.25.1 X:nodwarf5
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.2

Provide your storage.conf

#Note - this is the global one from /etc/containers/storage.conf, I don't have the user one set.
[storage]

driver = "overlay"

runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
additionalimagestores = [
"/home/{user}/.local/share/containers/storage"
]

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Installation Source

Distribution package (DNF, apt, yay)

Additional environment details

No response

Additional information

No response
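
A pre-build check for the behaviour reported above, added here as an example; it is not part of the original issue and not podman or buildah code. It flags a build context whose Dockerfile bind-mounts the context in a RUN step while paths listed in .dockerignore are present. The function names are hypothetical, and matching is simplified to top-level entries and shell-style globs.

```sh
#!/bin/sh
# Added example (not podman/buildah code). Function names are hypothetical.
# Simplification: only top-level context entries are matched, using shell-style
# globs; '!' negations, nested paths and '**' patterns are skipped.

# Succeeds if a single-line RUN in Dockerfile $1 carries an explicit
# --mount=type=bind without from=, i.e. a mount sourced from the build context.
uses_context_bind_mount() {
    grep -E '^[[:space:]]*RUN[[:space:]]' "$1" |
        grep -oE -- '--mount=[^[:space:]]+' |
        grep 'type=bind' | grep -vq 'from='
}

# Prints top-level entries of context $1 that a .dockerignore pattern matches.
ignored_but_present() {
    ctx=$1
    [ -f "$ctx/.dockerignore" ] || return 0
    while IFS= read -r pat || [ -n "$pat" ]; do
        pat=${pat#/}; pat=${pat%/}
        case $pat in '' | '#'* | '!'* | */*) continue ;; esac
        for entry in "$ctx"/* "$ctx"/.[!.]*; do
            [ -e "$entry" ] || continue
            name=${entry##*/}
            case $name in $pat) printf '%s\n' "$name" ;; esac
        done
    done < "$ctx/.dockerignore"
}

# Returns 1 and reports when ignored paths are reachable through a context mount.
check_context() {
    ctx=$1; dockerfile=${2:-$1/Dockerfile}
    uses_context_bind_mount "$dockerfile" || return 0
    exposed=$(ignored_but_present "$ctx")
    if [ -z "$exposed" ]; then return 0; fi
    printf 'bind mount in %s can read ignored paths:\n%s\n' "$dockerfile" "$exposed"
    return 1
}

# Constructed sample: the setup from the reproduction steps, in a temp directory.
make_demo_context() {
    d=$(mktemp -d)
    printf 'FROM docker.io/library/alpine:3.22\n\nRUN --mount=type=bind,target=/data ls /data\n' > "$d/Dockerfile"
    echo "any contents" > "$d/test"
    echo "test" > "$d/.dockerignore"
    printf '%s\n' "$d"
}

demo=$(make_demo_context)
check_context "$demo" || echo "(status 1: review before building with podman/buildah)"
rm -rf "$demo"
```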

Labels: kind/bug, stale-issue
