File based build secrets not accessible when using .dockerignore that excludes everything and adds exceptions

[gdiepen]

Issue Description

Our project template uses a .dockerignore that starts with * to ignore ALL files. We then add specific lines prefixed with ! to create exceptions. This way, we do not have issues with too large contexts being send to the engine.

However, this appears to break the type=file build-secrets:

$ podman build --secret=id=MY_SECRET,type=file,src=${SECRETS_FILE} --no-cache -t foo .

Error: failed to parse query parameter 'secrets': "[\"id=MY_SECRET,type=file,src=podman-build-secret1918992619\"]": rename /var/tmp/libpod_builder3673920082/build/podman-build-secret1918992619 /var/tmp/libpod_builder3673920082/podman-build-secret1918992619: no such file or directory

Adding a line !*podman-build-secret* to the .dockerignore seems to be a workaround, but preferably would not want to create exceptions for these names

The problem seems to occur both on mac and windows with type=file based build-secrets. However, more important on mac because on windows the actual docker image build with a file-based secret always results in a different error.

Steps to reproduce the issue

Steps to reproduce the issue

1. Create a new empty folder
2. Inside empty folder, create a file .dockerignore with the following contents:

*

3. Create a new file Dockerfile with the following contents:

FROM alpine

RUN --mount=type=secret,id=MY_SECRET \
    ls -la /run/secrets && \
    cat /run/secrets/MY_SECRET

4. Execute the following command:

SECRETS_FILE=$(mktemp) ; echo "Super Secret" > $SECRETS_FILE ; podman build --secret=id=MY_SECRET,type=file,src=${SECRETS_FILE} --no-cache -t foo .

Describe the results you received

The above steps result in the following error:

Error: failed to parse query parameter 'secrets': "[\"id=MY_SECRET,type=file,src=podman-build-secret1918992619\"]": rename /var/tmp/libpod_builder3673920082/build/podman-build-secret1918992619 /var/tmp/libpod_builder3673920082/podman-build-secret1918992619: no such file or directory

Describe the results you expected

I would expect this command to work without the need for adding !*podman-build-secret* to the .dockerignore file.

The reproduction steps do not result in any error when using docker (though using docker on a linux machine, not on the mac since I do not have the option of running docker on my mac).

podman info output

host:
  arch: arm64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.74
    systemPercent: 0.13
    userPercent: 0.13
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "41"
  eventLogger: journald
  freeLocks: 2048
  hostname: localhost.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.12.7-200.fc41.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 1610174464
  memTotal: 2042269696
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241211.g09478d5-1.fc41.aarch64
    version: |
      pasta 0^20241211.g09478d5-1.fc41.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: unix:///run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc41.aarch64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 0h 54m 4.00s
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 106415992832
  graphRootUsed: 4343402496
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Wed Jan 22 01:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/arm64
  Version: 5.3.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

On a windows machine the error is the same:

C:\Users\guido\testing_secrets>podman build --secret=id=MY_SECRET,type=file,src=mysecret.txt --no-cache -t foo .
Error: failed to parse query parameter 'secrets': "[\"id=MY_SECRET,type=file,src=podman-build-secret1067707365\"]": rename /var/tmp/libpod_builder3212319988/build/podman-build-secret1067707365 /var/tmp/libpod_builder3212319988/podman-build-secret1067707365: no such file or directory

However, if on the windows machine I update the .dockerignore file to exclude podman-build-secret files, I get a different error:

C:\Users\guido\testing_secrets>podman build --secret=id=MY_SECRET,type=file,src=mysecret.txt --no-cache -t foo .
time="2025-02-13T09:49:18+01:00" level=error msg="1 error occurred:\n\t* archive/tar: write too long\n\n\n"
Error: Post "http://d/v5.3.1/libpod/build?compatvolumes=0&dockerfile=%5B%22Dockerfile%22%5D&forcerm=1&httpproxy=1&identitylabel=1&idmappingoptions=%7B%22HostUIDMapping%22%3Atrue%2C%22HostGIDMapping%22%3Atrue%2C%22UIDMap%22%3A%5B%5D%2C%22GIDMap%22%3A%5B%5D%2C%22AutoUserNs%22%3Afalse%2C%22AutoUserNsOpts%22%3A%7B%22Size%22%3A0%2C%22InitialSize%22%3A0%2C%22PasswdFile%22%3A%22%22%2C%22GroupFile%22%3A%22%22%2C%22AdditionalUIDMappings%22%3Anull%2C%22AdditionalGIDMappings%22%3Anull%7D%7D&isolation=0&jobs=1&layers=1&networkmode=0&nocache=1&nsoptions=%5B%7B%22Name%22%3A%22user%22%2C%22Host%22%3Atrue%2C%22Path%22%3A%22%22%7D%5D&omithistory=0&output=foo&outputformat=application%2Fvnd.oci.image.manifest.v1%2Bjson&pullpolicy=missing&retry=3&retry-delay=2s&rm=1&secrets=%5B%22id%3DMY_SECRET%2Ctype%3Dfile%2Csrc%3Dpodman-build-secret2169833388%22%5D&shmsize=67108864&t=foo": io: read/write on closed pipe