Cache for RUN is not invalidated when using --mount=type=bind,from=stage #6609
Description
Issue Description
When using a bind mount on a RUN command with from set to a previous build stage, the layer cache isn't invalidated resulting in out of date files being used.
Although it would seem that this should have been fixed by #5691, if the from parameter is set to a stage rather than an image reference the checksum does not get appended. The impression I get is that https://github.com/containers/buildah/blob/main/imagebuildah/stage_executor.go#L1978 needs an else block.
Steps to reproduce the issue
Attached example contains a Containerfile which pulls a file into a context stage, and then a second stage which copies the file into the final image. The example.sh script runs this build twice and if the layer cache applies the image will be unchanged despite it changing the contents of the testfile between runs.
I've included a Containerfile.alt and example-alt.sh which builds the context image separately so that the final stage can reference the tagged image. This demonstrates that the append checksum logic works fine is not bugged in that case.
Note For some reason the layer cache doesn't kick in the first time the script is run (including after a podman system prune), but subsequent runs of the script exhibit the issue so be sure to run example.sh two or more times.
Describe the results you received
The cache is erroneously used even though the context stage has changed.
[1/2] STEP 1/2: FROM scratch AS context
[1/2] STEP 2/2: COPY testfile /
--> Using cache 95215d30ba82cb7bf55ef5ec41c795313284527a8cd81804d624747f6bbbc2b0
--> 95215d30ba82
[2/2] STEP 1/2: FROM alpine:3.23.2
[2/2] STEP 2/2: RUN --mount=type=bind,src=/,destination=/mnt,from=context cp /mnt/testfile /
--> Using cache b324b23cb0945840e9d374c758722647afb9829892b359e25eaa9f63162c1aa3
[2/2] COMMIT bug-example
--> b324b23cb094
Successfully tagged localhost/bug-example:latest
b324b23cb0945840e9d374c758722647afb9829892b359e25eaa9f63162c1aa3
-------- testfile modified --------
[1/2] STEP 1/2: FROM scratch AS context
[1/2] STEP 2/2: COPY testfile /
--> Using cache 125e0abbf26a2a799a335dac0266559593a5681061e8528cb8cc1c10dbddea4a
--> 125e0abbf26a
[2/2] STEP 1/2: FROM alpine:3.23.2
[2/2] STEP 2/2: RUN --mount=type=bind,src=/,destination=/mnt,from=context cp /mnt/testfile /
--> Using cache b324b23cb0945840e9d374c758722647afb9829892b359e25eaa9f63162c1aa3
[2/2] COMMIT bug-example
--> b324b23cb094
Successfully tagged localhost/bug-example:latest
b324b23cb0945840e9d374c758722647afb9829892b359e25eaa9f63162c1aa3
Bug: Image was unchanged
If the image is inspected we see that the additional checksum value is missing:
"History": [
{
"created": "2025-12-18T00:12:29.242464453Z",
"created_by": "ADD alpine-minirootfs-3.23.2-x86_64.tar.gz / # buildkit",
"comment": "buildkit.dockerfile.v0"
},
{
"created": "2025-12-18T00:12:29.242464453Z",
"created_by": "CMD [\"/bin/sh\"]",
"comment": "buildkit.dockerfile.v0",
"empty_layer": true
},
{
"created": "2025-12-20T23:40:20.723270656Z",
"created_by": "/bin/sh -c --mount=type=bind,src=/,destination=/mnt,from=context cp /mnt/testfile /",
"comment": "FROM docker.io/library/alpine:3.23.2"
}
],
Describe the results you expected
I would expect that a checksum is appended to the created_by field similar to what happens when an image reference is used:
"History": [
{
"created": "2025-12-18T00:12:29.242464453Z",
"created_by": "ADD alpine-minirootfs-3.23.2-x86_64.tar.gz / # buildkit",
"comment": "buildkit.dockerfile.v0"
},
{
"created": "2025-12-18T00:12:29.242464453Z",
"created_by": "CMD [\"/bin/sh\"]",
"comment": "buildkit.dockerfile.v0",
"empty_layer": true
},
{
"created": "2025-12-21T00:17:23.112063461Z",
"created_by": "/bin/sh -c --mount=type=bind,src=/,destination=/mnt,from=localhost/bug-context cp /mnt/testfile /:sha256:a12b60e4b4a88348ab42baed5433a256c8fc83a08bb9a26ad9a9ad97990d7d9b",
"comment": "FROM docker.io/library/alpine:3.23.2"
}
],
buildah version output
buildah version 1.43.0-dev (image-spec 1.1.1, runtime-spec 1.3.0)buildah info output
{
"host": {
"Distribution": {
"distribution": "ubuntu",
"version": "25.10"
},
"MemFree": 2670583808,
"MemTotal": 67050049536,
"OCIRuntime": "crun",
"SwapFree": 0,
"SwapTotal": 0,
"arch": "amd64",
"cpus": 16,
"hostname": "AMD-9800X3D",
"kernel": "6.17.0-7-generic",
"os": "linux",
"rootless": false,
"uptime": "432h 29m 31.53s (Approximately 18.00 days)",
"variant": ""
},
"store": {
"ContainerStore": {
"number": 0
},
"GraphDriverName": "overlay",
"GraphImageStore": "",
"GraphOptions": [
"overlay.mountopt=nodev"
],
"GraphRoot": "/var/lib/containers/storage",
"GraphStatus": {
"Backing Filesystem": "extfs",
"Native Overlay Diff": "true",
"Supports d_type": "true",
"Supports shifting": "true",
"Supports volatile": "true",
"Using metacopy": "false"
},
"GraphTransientStore": false,
"ImageStore": {
"number": 11
},
"RunRoot": "/run/containers/storage"
}
}Provide your storage.conf
# This file is the configuration file for all tools
# that use the containers/storage library. The storage.conf file
# overrides all other storage.conf files. Container engines using the
# container/storage library do not inherit fields from other storage.conf
# files.
#
# Note: The storage.conf file overrides other storage.conf files based on this precedence:
# /usr/containers/storage.conf
# /etc/containers/storage.conf
# $HOME/.config/containers/storage.conf
# $XDG_CONFIG_HOME/containers/storage.conf (if XDG_CONFIG_HOME is set)
# See man 5 containers-storage.conf for more information
# The "storage" table contains all of the server options.
[storage]
# Default storage driver, must be set for proper operation.
driver = "overlay"
# Temporary storage location
runroot = "/run/containers/storage"
# Priority list for the storage drivers that will be tested one
# after the other to pick the storage driver if it is not defined.
# driver_priority = ["overlay", "btrfs"]
# Primary Read/Write location of container storage
# When changing the graphroot location on an SELinux system, you must
# ensure the labeling matches the default location's labels with the
# following commands:
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
graphroot = "/var/lib/containers/storage"
# Optional alternate location of image store if a location separate from the
# container store is required. If set, it must be different than graphroot.
# imagestore = ""
# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"
# Transient store mode makes all container metadata be saved in temporary storage
# (i.e. runroot above). This is faster, but doesn't persist across reboots.
# Additional garbage collection must also be performed at boot-time, so this
# option should remain disabled in most configurations.
# transient_store = true
[storage.options]
# Storage options to be passed to underlying storage drivers
# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]
# Options controlling how storage is populated when pulling images.
[storage.options.pull_options]
# Enable the "zstd:chunked" feature, which allows partial pulls, reusing
# content that already exists on the system. This is disabled by default,
# and must be explicitly enabled to be used. For more on zstd:chunked, see
# https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# enable_partial_images = "false"
# Tells containers/storage to use hard links rather then create new files in
# the image, if an identical file already existed in storage.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# use_hard_links = "false"
# Path to an ostree repository that might have
# previously pulled content which can be used when attempting to avoid
# pulling content from the container registry.
# ostree_repos=""
# If set to "true", containers/storage will convert images that are
# not already in zstd:chunked format to that format before processing
# in order to take advantage of local deduplication and hard linking.
# It is an expensive operation so it is not enabled by default.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# convert_images = "false"
# This should ALMOST NEVER be set.
# It allows partial pulls of images without guaranteeing that "partial
# pulls" and non-partial pulls both result in consistent image contents.
# This allows pulling estargz images and early versions of zstd:chunked images;
# otherwise, these layers always use the traditional non-partial pull path.
#
# This option should be enabled EXTREMELY rarely, only if ALL images that could
# EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy)
# to come from a build system trusted to never attack image integrity.
#
# If this consistency enforcement were disabled, malicious images could be built
# in a way designed to evade other audit mechanisms, so presence of most other audit
# mechanisms is not a replacement for the above-mentioned need for all images to come
# from a trusted build system.
#
# As a side effect, enabling this option will also make image IDs unpredictable
# (usually not equal to the traditional value matching the config digest).
# insecure_allow_unpredictable_image_contents = "false"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
# to containers configured to create automatically a user namespace. Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the maximum size for a user namespace created automatically.
# auto-userns-max-size=65536
[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids. Note multiple UIDs will be
# squashed down to the default uid in the container. These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
#ignore_chown_errors = "false"
# Inodes is used to set a maximum inodes of the container image.
# inodes = ""
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"
# Set to skip a PRIVATE bind mount on the storage home directory.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# skip_mount_home = "false"
# Set to use composefs to mount data layers with overlay.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# use_composefs = "false"
# Size is used to set a maximum size of the container image.
# size = ""
# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
# "": No value specified.
# All files/directories, get set with the permissions identified within the
# image.
# "private": it is equivalent to 0700.
# All files/directories get set with 0700 permissions. The owner has rwx
# access to the files. No other users on the system can access the files.
# This setting could be used with networked based homedirs.
# "shared": it is equivalent to 0755.
# The owner has rwx access to the files and everyone else can read, access
# and execute them. This setting is useful for sharing containers storage
# with other users. For instance have a storage owned by root but shared
# to rootless users as an additional store.
# NOTE: All files within the image are made readable and executable by any
# user on the system. Even /etc/shadow within your image is now readable by
# any user.
#
# OCTAL: Users can experiment with other OCTAL Permissions.
#
# Note: The force_mask Flag is an experimental feature, it could change in the
# future. When "force_mask" is set the original permission mask is stored in
# the "user.containers.override_stat" xattr and the "mount_program" option must
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
# extended attribute permissions to processes within containers rather than the
# "force_mask" permissions.
#
# force_mask = ""Upstream Latest Release
Yes
Additional environment details
No response
Additional information
No response