I recently ran
docker build --pull on a multi-stage Dockerfile which referenced the same base image in two of the FROM directives, e.g.:
FROM ubuntu:latest AS first RUN printf 'compiling' >/compiled && sleep 900s # ^^ slow enough that a new ubuntu image could be published in this time FROM ubuntu:latest AS second COPY --from=first /compiled / RUN echo Potentially based on different versions of ubuntu image
docker build --pull I saw the following output:
Step 1/5 : FROM ubuntu:latest AS first latest: Pulling from library/ubuntu 297061f60c36: Pull complete e9ccef17b516: Pull complete dbc33716854d: Pull complete 8fe36b178d25: Pull complete 686596545a94: Pull complete Digest: sha256:1dfb94f13f5c181756b2ed7f174825029aca902c78d0490590b1aaa203abc052 Status: Downloaded newer image for ubuntu:latest ---> 0b1edfbffd27 ... Step 3/5 : FROM ubuntu:latest AS second latest: Pulling from library/ubuntu Digest: sha256:1dfb94f13f5c181756b2ed7f174825029aca902c78d0490590b1aaa203abc052 Status: Image is up to date for ubuntu:latest ---> 0b1edfbffd27
What is surprising here is that docker build is re-pulling the same image again mid-build. In this particular instance, the image at the registry did not change between steps but I have seen the ubuntu image specifically updated as often as weekly and all it takes is a CI-system build job to coincide with the time the new image is published and there will be inconsistent results.
Admittedly, in the case of this example with ubuntu, the impact of slightly different builds is likely to be minimal, if even noticeable, but other images could have a much bigger impact.
I had expected that docker build would up-front identify the list of unique image IDs referenced in all the FROM directives, pull all those, then begin the build process. I.e. in much the same way that the build context is prepared up-front before beginning the build process.
Should I raise this as a GitHub issue?