build from stdin leaves behind temp-files

[thaJeztah]

Contributing guidelines

• I've read the contributing guidelines and wholeheartedly agree

I've found a bug and checked that ...

• ... the documentation does not mention anything about my problem
• ... there are no open or closed issues that are related to my problem

Description

Noticed this when testing a pull request, and looking at docker diff for the container in which I ran a docker build;

docker run -it --rm --name dockercontainer -v /var/run/docker.sock:/var/run/docker.sock docker:cli

echo -e 'FROM alpine\nRUN echo hello\n' | docker build -t foo -
# ...
echo -e 'FROM alpine\nRUN echo hello\n' | docker build -t foo -
# ...

Check the temp directory inside the container;

/ # ls -lR /tmp
/tmp:
total 24
drwx------    2 root     root          4096 Apr 15 20:25 dockerfile172585709
drwx------    2 root     root          4096 Apr 15 20:24 dockerfile1964065413
drwx------    2 root     root          4096 Apr 15 20:25 dockerfile4067550684
drwx------    2 root     root          4096 Apr 15 20:25 empty-dir3096975124
drwx------    2 root     root          4096 Apr 15 20:24 empty-dir4076683267
drwx------    2 root     root          4096 Apr 15 20:25 empty-dir4193758908

/tmp/dockerfile172585709:
total 4
-rw-r--r--    1 root     root            28 Apr 15 20:25 Dockerfile

/tmp/dockerfile1964065413:
total 4
-rw-r--r--    1 root     root            28 Apr 15 20:24 Dockerfile

/tmp/dockerfile4067550684:
total 4
-rw-r--r--    1 root     root            28 Apr 15 20:25 Dockerfile

/tmp/empty-dir3096975124:
total 0

/tmp/empty-dir4076683267:
total 0

/tmp/empty-dir4193758908:
total 0

Expected behaviour

Ideally, for buildx to cleanup the temporary files after the build completes

Actual behaviour

Temp-files are left behind for each build.

Buildx version

docker buildx version github.com/docker/buildx v0.22.0 18ccba0

Docker info

Client:
 Version:    28.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.22.0
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.35.0
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 5
  Running: 3
  Paused: 0
  Stopped: 2
 Images: 11
 Server Version: 28.1.0-rc.1
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: active
  NodeID: qyeriqk20al6hy4y869d08ff5
  Is Manager: true
  ClusterID: b7ebdxm5mmtstysnvf2u2ncln
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.65.3
  Manager Addresses:
   192.168.65.3:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.14-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 7.654GiB
 Name: docker-desktop
 ID: 58815d06-8744-4af3-b6f1-7a88003318ad
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 123
  Goroutines: 285
  System Time: 2025-04-15T20:28:41.217228135Z
  EventsListeners: 19
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/thajeztah/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  host.docker.internal:5001
  host.docker.internal:5002
  hubproxy.docker.internal:5555
  ::1/128
  127.0.0.0/8
 Registry Mirrors:
  http://host.docker.internal:5001/
 Live Restore Enabled: false

Builders list

docker buildx ls
NAME/NODE     DRIVER/ENDPOINT   STATUS    BUILDKIT      PLATFORMS
default*      docker
 \_ default    \_ default       running   v0.21.0-rc1   linux/amd64 (+2), linux/arm64, linux/ppc64le, linux/s390x, (2 more)

Configuration

See above

Build logs

Additional info

No response

[fenollp]

Ideally, for buildx to cleanup the temporary files after the build completes

Ideally, no empty tempdir nor temporary Dockerfile is created (pretty please)

[thaJeztah]

Ideally, for buildx to cleanup the temporary files after the build completes

Ideally, no empty tempdir nor temporary Dockerfile is created (pretty please)

Ah, sure, agreed! Not sure if there's technical limitations to do so, but if there aren't, then 💯

🤔 After I opened this ticket, I realised I didn't check if this reproduces when invoking buildx directly. My steps where when running buildx as a cli plugin, and I didn't check if it's possibly related to some of the code there (which ISTR needed to create temp-files for the classic (non-buildkit) builder.

Let me check that as well!

[thaJeztah]

🤔 After I opened this ticket, I realised I didn't check if this reproduces when invoking buildx directly.

I recalled I didn't try this yet; I just tried reproducing with buildx directly, so invoking docker-buildx standalone, not as CLI plugin, but looks like the results are the same;

docker run -it --rm --name dockercontainer -v /var/run/docker.sock:/var/run/docker.sock docker:cli

docker buildx version
github.com/docker/buildx v0.23.0 28c90eadc4c12cc78155ad59ca5f486220241d2a

echo -e 'FROM alpine\nRUN echo hello\n' | /usr/local/libexec/docker/cli-plugins/docker-buildx build -t foo --load -
# ...
echo -e 'FROM alpine\nRUN echo hello\n' | /usr/local/libexec/docker/cli-plugins/docker-buildx build -t foo --load -
# ...

/ # ls -lR /tmp
/tmp:
total 16
drwx------    2 root     root          4096 Apr 19 12:47 dockerfile3833159354
drwx------    2 root     root          4096 Apr 19 12:47 dockerfile3987088253
drwx------    2 root     root          4096 Apr 19 12:47 empty-dir268969896
drwx------    2 root     root          4096 Apr 19 12:47 empty-dir3246528327

/tmp/dockerfile3833159354:
total 4
-rw-r--r--    1 root     root            28 Apr 19 12:47 Dockerfile

/tmp/dockerfile3987088253:
total 4
-rw-r--r--    1 root     root            28 Apr 19 12:47 Dockerfile

/tmp/empty-dir268969896:
total 0

/tmp/empty-dir3246528327:
total 0

[thaJeztah]

Oh! I missed that Tonis opened a PR to fix it (thanks!);

• build: make sure defers always run in the end of the build #3133