Docker buildkit causes permission error with SELinux

Given the minimal Dockerfile which builds successfully:

FROM fedora:36
RUN ls

I would like to build it using buildkit, but when I run:

env DOCKER_BUILDKIT=1 docker build -t local/builkit-fail .

I get the following error:

[+] Building 0.4s (5/5) FINISHED                                                                                  
 => [internal] load build definition from Dockerfile                                                         0.0s
 => => transferring dockerfile: 92B                                                                          0.0s
 => [internal] load .dockerignore                                                                            0.0s
 => => transferring context: 2B                                                                              0.0s
 => [internal] load metadata for docker.io/library/fedora:36                                                 0.1s
 => CACHED [1/2] FROM docker.io/library/fedora:36@sha256:cbf627299e327f564233aac6b97030f9023ca41d3453c497be  0.0s
 => ERROR [2/2] RUN ls                                                                                       0.2s
------
 > [2/2] RUN ls:
#4 0.206 exec /bin/sh: permission denied
------
executor failed running [/bin/sh -c ls]: exit code: 1

However, the build succeeds if I temporarily disable SELinux using sudo setenforce 0

Why does using buildkit change the permissions of what the Docker process can run?

This appears to be a known issue on moby/buildkit without any clear work-arounds other than “recompiling buildkit”.