
Docker Buildx Bake Secret Mounting Fails During Multi-Platform Context Build #3543

@nicocrm

Contributing guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

When using docker buildx bake to build a multi-platform image (e.g., linux/amd64, linux/arm64) where one build target (Build A) uses another target (Build B) as a context, the secret defined and mounted in Build B fails for one of the target platforms. This failure only occurs during simultaneous multi-platform builds. The single-platform build works correctly for all targeted architectures.

Steps to Reproduce

  1. Define a multi-platform build using docker buildx bake (e.g., in a docker-bake.json file).
  2. On one of the targets, add a "contexts" key that references the other target.
  3. In the referenced target, add a "secret" key, and mount that secret in the Dockerfile.
  4. Execute the build:

docker buildx bake -f docker-bake.json

Expected behaviour

Both linux/amd64 and linux/arm64 builds for Build "B" should successfully mount and access the secret, and consequently, Build "A" should complete successfully for both platforms.

Actual behaviour

The build fails:

 => ERROR [fe-builder linux/arm64 fe-builder 3/3] RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc                                                                                                                                                 0.3s
 => CANCELED [static linux/amd64 fe_builder_stage 1/3] WORKDIR /app/build/dist                                                                                                                                                                                          0.0s
------
 > [fe-builder linux/arm64 fe-builder 3/3] RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc:
0.204 cat: can't open '/root/.npmrc': No such file or directory
------
Dockerfile:5
--------------------
   3 |     WORKDIR /src
   4 |     
   5 | >>> RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc
   6 |     
--------------------
ERROR: target static: failed to solve: process "/bin/sh -c cat /root/.npmrc" did not complete successfully: exit code: 1

However if I execute the build for a single platform, the build succeeds (no matter which platform):

docker buildx bake -f bake.txt --no-cache --set "*.platform=linux/amd64"

Buildx version

github.com/docker/buildx v0.30.0 124418c

Docker info

Client: Docker Engine - Community
 Version:    29.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.30.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.40.3
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 24
 Server Version: 29.0.4
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: fcd43222d6b07379a4be9786bda52438f0dd16a1
 runc version: v1.3.3-0-gd842d771
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.14.0-1017-aws
 Operating System: Ubuntu 24.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.25GiB
 Name: ip-172-31-65-156
 ID: 13575828-7bd5-4daf-91b7-56df4cca811a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Registry Mirrors:
  https://dh-cache.4gclinical.com/
 Live Restore Enabled: false
 Firewall Backend: iptables

Builders list

NAME/NODE     DRIVER/ENDPOINT   STATUS    BUILDKIT   PLATFORMS
default*      docker                                 
 \_ default    \_ default       running   v0.25.2    linux/amd64 (+4), linux/arm64, linux/arm (+2), linux/ppc64le, (6 more)

Configuration

Dockerfile:

FROM node:22-alpine AS fe-builder

WORKDIR /src

RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc

Dockerfile.static:

FROM fe-builder-image AS fe_builder_stage

WORKDIR /app/build/dist
RUN touch foo

FROM nginx:1.27-alpine

WORKDIR /app

# Copy frontend static files from previous stage
COPY --from=fe_builder_stage /app/build/dist/ /app/dist/

CMD ["nginx", "-g", "daemon off;"]

docker-bake.json:

{
  "group": {
    "default": {
      "targets": [
        "fe-builder",
        "static"
      ]
    }
  },
  "target": {
    "fe-builder": {
      "context": ".",
      "dockerfile": "./Dockerfile",
      "secret": [
        {
          "id": "npmrc",
          "src": "./npmrc.context"
        }
      ],
      "platforms": [
        "linux/amd64",
        "linux/arm64"
      ]
    },
    "static": {
      "context": ".",
      "contexts": {
        "fe-builder-image": "target:fe-builder"
      },
      "dockerfile": "./Dockerfile.static",
      "platforms": [
        "linux/amd64",
        "linux/arm64"
      ]
    }
  }
}

Command:

docker buildx bake -f docker-bake.json

Build logs

#0 building with "default" instance using docker driver

#1 [internal] load local bake definitions
#1 reading bake.txt 651B / 651B done
#1 DONE 0.0s

#2 [fe-builder internal] load build definition from Dockerfile
#2 transferring dockerfile: 206B done
#2 DONE 0.0s

#3 [fe-builder linux/amd64 internal] load metadata for 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine
#3 DONE 0.0s

#4 [fe-builder linux/arm64 internal] load metadata for 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine
#4 DONE 0.0s

#5 [fe-builder internal] load .dockerignore
#5 transferring context: 2B done
#5 DONE 0.0s

#6 [static internal] load build definition from Dockerfile.static
#6 transferring dockerfile: 533B done
#6 DONE 0.0s

#7 [static linux/arm64 internal] load metadata for 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.dev.nginx:1.27-alpine
#7 DONE 0.0s

#8 [static linux/amd64 internal] load metadata for 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.dev.nginx:1.27-alpine
#8 DONE 0.0s

#9 [static internal] load .dockerignore
#9 transferring context: 310B done
#9 DONE 0.0s

#10 [static linux/amd64 fe-builder 1/3] FROM 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc
#10 resolve 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc 0.0s done
#10 resolve 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc 0.0s done
#10 DONE 0.1s

#11 [static linux/arm64 fe-builder 1/3] FROM 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc
#11 resolve 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc 0.0s done
#11 DONE 0.1s

#12 [static linux/arm64 stage-1 1/3] FROM 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.dev.nginx:1.27-alpine@sha256:3289667d2aa29a5a4061d944c5ec280eb876026756f42c4f4f970168b44fa8b2
#12 resolve 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.dev.nginx:1.27-alpine@sha256:3289667d2aa29a5a4061d944c5ec280eb876026756f42c4f4f970168b44fa8b2 0.0s done
#12 DONE 0.1s

#13 [static linux/arm64 fe-builder 2/3] WORKDIR /src
#13 CACHED

#14 [static linux/arm64 stage-1 2/3] WORKDIR /app
#14 CACHED

#15 [static linux/amd64 stage-1 1/3] FROM 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.dev.nginx:1.27-alpine@sha256:3289667d2aa29a5a4061d944c5ec280eb876026756f42c4f4f970168b44fa8b2
#15 resolve 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.dev.nginx:1.27-alpine@sha256:3289667d2aa29a5a4061d944c5ec280eb876026756f42c4f4f970168b44fa8b2 0.0s done
#15 DONE 0.1s

#16 [static linux/amd64 stage-1 2/3] WORKDIR /app
#16 CACHED

#17 [fe-builder linux/amd64 fe-builder 2/3] WORKDIR /src
#17 CACHED

#18 [static linux/amd64 fe-builder 3/3] RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc
#18 0.155 foo
#18 DONE 0.2s

#11 [fe-builder linux/arm64 fe-builder 1/3] FROM 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc
#11 resolve 798191538308.dkr.ecr.us-east-1.amazonaws.com/4g.node:22-alpine@sha256:ab24e34a81dd2c4744f4ed933d61a930bfd72e9f92971e1c0ef16c558ff8dcdc 0.0s done
#11 DONE 0.1s

#13 [fe-builder linux/arm64 fe-builder 2/3] WORKDIR /src
#13 CACHED

#19 [static linux/amd64 fe_builder_stage 1/3] WORKDIR /app/build/dist
#19 DONE 0.0s

#20 [fe-builder linux/arm64 fe-builder 3/3] RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc
#20 0.247 cat: can't open '/root/.npmrc': No such file or directory
#20 ERROR: process "/bin/sh -c cat /root/.npmrc" did not complete successfully: exit code: 1
------
 > [fe-builder linux/arm64 fe-builder 3/3] RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc:
0.247 cat: can't open '/root/.npmrc': No such file or directory
------
Dockerfile:5
--------------------
   3 |     WORKDIR /src
   4 |     
   5 | >>> RUN --mount=type=secret,id=npmrc,target=/root/.npmrc cat /root/.npmrc
   6 |     
--------------------
ERROR: target static: failed to solve: process "/bin/sh -c cat /root/.npmrc" did not complete successfully: exit code: 1

Additional info

No response
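
A lint check for the configuration described in this issue, added here as an example and not part of the original report or of buildx: it reads a bake definition and lists targets that consume, through a `target:` context, another target that declares secrets while more than one platform is built. The function names and the reduced sample definition are assumptions made for the example.

```python
import json

# Constructed sample: the docker-bake.json from the report, reduced to the relevant keys.
SAMPLE_BAKE = json.loads("""
{"target": {
  "fe-builder": {"dockerfile": "./Dockerfile",
                 "secret": [{"id": "npmrc", "src": "./npmrc.context"}],
                 "platforms": ["linux/amd64", "linux/arm64"]},
  "static": {"dockerfile": "./Dockerfile.static",
             "contexts": {"fe-builder-image": "target:fe-builder"},
             "platforms": ["linux/amd64", "linux/arm64"]}}}
""")


def secret_id(entry):
    """Return the id of a bake secret entry (object form or 'id=...,src=...' string form)."""
    if isinstance(entry, dict):
        return entry.get("id")
    fields = dict(kv.split("=", 1) for kv in entry.split(",") if "=" in kv)
    return fields.get("id")


def find_secret_context_chains(bake):
    """List targets that import, via a 'target:' context, a target that declares
    secrets while more than one platform is built (the combination in the report)."""
    targets = bake.get("target", {})
    findings = []
    for name, spec in sorted(targets.items()):
        for ref in (spec.get("contexts") or {}).values():
            if not isinstance(ref, str) or not ref.startswith("target:"):
                continue  # plain path, image, or URL context: not a target reference
            dep_name = ref[len("target:"):]
            dep = targets.get(dep_name, {})
            ids = [secret_id(s) for s in dep.get("secret") or []]
            platforms = sorted(set(spec.get("platforms") or [])
                               | set(dep.get("platforms") or []))
            if ids and len(platforms) > 1:
                findings.append({"target": name, "uses": dep_name,
                                 "secrets": ids, "platforms": platforms})
    return findings


if __name__ == "__main__":
    for f in find_secret_context_chains(SAMPLE_BAKE):
        print("{target} imports {uses} (secrets {secrets}) across {platforms}".format(**f))
```

Because the report states that single-platform builds succeed, a pipeline can treat a non-empty result as the signal to build the listed targets one platform at a time.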
