Build does not persist chmod (SUID/SGID) changes when using Docker SDK, unlike docker build CLI #3323

Open
@chelabim

I encountered an issue when building a Docker image using the Python Docker SDK. The behavior occurs only with a specific base image so far: gradle:7.6-jdk17-alpine.

In my Dockerfile, I include the following command in a RUN instruction to find and remove files with SUID/SGID permissions:

  • RUN find / -type d -name proc -prune -o -perm /u=s,g=s -exec chmod -s '{}' \;

This step executes successfully during the build (as confirmed in the build logs), but the permission changes do not persist in the resulting image when using the Docker SDK.

However, when I build the exact same Dockerfile using the Docker CLI (docker build), the permission changes are correctly applied and persist in the final image.

This discrepancy suggests that the Docker SDK’s APIClient().build() method may not properly track or commit permission-only changes to the layer (e.g., chmod -s). The issue might be related to Docker’s layer diffing or snapshot mechanism, especially for metadata-only changes (like permissions, ownership, or timestamps).

I’ve verified that:

  • The DOCKER_BUILDKIT=1 environment variable is set before using the SDK.
  • The issue is not present in other images I’ve tested — only with gradle:7.6-jdk17-alpine.

Please confirm if this is a known limitation of the Docker SDK build process, or if there’s a workaround to ensure such changes persist in the final image when built via the SDK.

Thanks in advance!
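
A way to check whether the `chmod -s` step actually persisted, independent of which builder produced the image, is to scan the image's exported root filesystem for entries that still carry the SUID/SGID bits. The script below is an added example, not part of the original issue or of the Docker SDK; the function names and the sample archive are constructed for illustration, and the input is assumed to be the tar stream produced by `docker export` on a container created from the image.

```python
import io
import stat
import tarfile


def find_setid_entries(tar_bytes):
    """Return sorted (path, flags) for tar entries whose mode has SUID or SGID set.

    Mirrors the `-perm /u=s,g=s` test from the Dockerfile: an entry is
    reported if either bit is present, whatever its file type.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            flags = []
            if member.mode & stat.S_ISUID:
                flags.append("suid")
            if member.mode & stat.S_ISGID:
                flags.append("sgid")
            if flags:
                hits.append((member.name, "+".join(flags)))
    return sorted(hits)


def build_sample_rootfs():
    """Constructed sample standing in for `docker export` output (not real image data)."""
    entries = [
        ("bin/busybox", 0o755),    # ordinary executable
        ("bin/su", 0o4755),        # SUID still set
        ("usr/bin/wall", 0o2755),  # SGID still set
        ("etc/passwd", 0o644),     # ordinary file
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            tar.addfile(info)  # zero-length body is enough for a mode check
    return buf.getvalue()


if __name__ == "__main__":
    leftovers = find_setid_entries(build_sample_rootfs())
    for path, flags in leftovers:
        print(f"{flags:9} {path}")
    # A non-empty result means the hardening step did not persist.
    raise SystemExit(1 if leftovers else 0)
```

Running the same scan against the export of the SDK-built image and the CLI-built image shows exactly which paths differ between the two builds.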
