docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

build: add cache invalidation page 

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2024-03-13 13:57:03 +01:00
parent 4cd6393674
commit 3fc37c75ec
4 changed files with 97 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
content/build/cache/_index.md vendored
View File

@ -48,21 +48,7 @@ And that's the Docker build cache in a nutshell. Once a layer changes, then all
downstream layers need to be rebuilt as well. Even if they wouldn't build
anything differently, they still need to re-run.
> **Note**
>
> Suppose you have a step in your Dockerfile
> to upgrade all the software packages in your
> Debian-based image to the latest version:
>
> ```dockerfile
> RUN apt-get update && apt-get upgrade -y
> ```
>
> This doesn't mean that the images you build are always up to date. Rebuilding
> the image on the same host one week later will still get you the same packages
> as before. The only way to force a rebuild is by making sure that a layer
> before it has changed, or by clearing the build cache using
> [`docker builder prune`](../../reference/cli/docker/builder/prune.md).
For more details about how cache invalidation works, see [Cache invalidation](invalidation.md).
## Optimizing how you use the build cache
@ -287,5 +273,6 @@ of continuing.)
For more information on using cache to do efficient builds, see:
- [Cache invalidation](invalidation.md)
- [Garbage collection](garbage-collection.md)
- [Cache storage backends](./backends/index.md)

89
content/build/cache/invalidation.md vendored Normal file
View File

@ -0,0 +1,89 @@
---
title: Build cache invalidation
description: Dig into the details abouw how cache invalidation works for Docker's build cache
keywords: build, buildx, buildkit, cache, invalidation, cache miss
---
When building an image, Docker steps through the instructions in your
Dockerfile, executing each in the order specified. For each instruction, Docker
checks whether it can reuse the instruction from the build cache.
## General rules
The basic rules of build cache invalidation are as follows:
- Starting with a parent image that's already in the cache, the next
instruction is compared against all child images derived from that base
image to see if one of them was built using the exact same instruction. If
not, the cache is invalidated.
- In most cases, simply comparing the instruction in the Dockerfile with one
of the child images is sufficient. However, certain instructions require more
examination and explanation.
- For the `ADD` and `COPY` instructions, the modification time and size file
metadata is used to determine whether cache is valid. During cache lookup,
cache is invalidated if the file metadata has changed for any of the files
involved.
- Aside from the `ADD` and `COPY` commands, cache checking doesn't look at the
files in the container to determine a cache match. For example, when processing
a `RUN apt-get -y update` command the files updated in the container
aren't examined to determine if a cache hit exists. In that case just
the command string itself is used to find a match.
Once the cache is invalidated, all subsequent Dockerfile commands generate new
images and the cache isn't used.
If your build contains several layers and you want to ensure the build cache is
reusable, order the instructions from less frequently changed to more
frequently changed where possible.
## RUN instructions
The cache for `RUN` instructions isn't invalidated automatically between builds.
Suppose you have a step in your Dockerfile to install `curl`:
```dockerfile
FROM alpine:{{% param "example_alpine_version" %}} AS install
RUN apk add curl
```
This doesn't mean that the version of `curl` in your image is always up-to-date.
Rebuilding the image one week later will still get you the same packages as before.
To force a re-execution of the `RUN` instruction, you can:
- Make sure that a layer before it has changed
- Clear the build cache ahead of the build using
[`docker builder prune`](../../reference/cli/docker/builder/prune.md)
- Use the `--no-cache` or `--no-cache-filter` options
The `--no-cache-filter` option lets you specify a specific build stage to
invalidate the cache for:
```console
$ docker build --no-cache-filter install .
```
## Build secrets
The contents of build secrets are not part of the build cache.
Changing the value of a secret doesn't result in cache invalidation.
If you want to force cache invalidation after changing a secret value,
you can pass a build argument with an arbitrary value that you also change when changing the secret.
Build arguments do result in cache invalidation.
```dockerfile
FROM alpine
ARG CACHEBUST
RUN --mount=type=secret,id=foo \
TOKEN=$(cat /run/secrets/foo) ...
```
```console
$ TOKEN=verysecret docker build --secret id=foo,env=TOKEN --build-arg CACHEBUST=1 .
```
Properties of secrets such as IDs and mount paths do participate in the cache
checksum, and result in cache invalidation if changed.

35
content/develop/develop-images/guidelines.md
View File

@ -86,37 +86,10 @@ When building an image, Docker steps through the instructions in your
Dockerfile, executing each in the order specified. For each instruction, Docker
checks whether it can reuse the instruction from the build cache.
The basic rules of build cache invalidation are as follows:
- Starting with a parent image that's already in the cache, the next
instruction is compared against all child images derived from that base
image to see if one of them was built using the exact same instruction. If
not, the cache is invalidated.
- In most cases, simply comparing the instruction in the Dockerfile with one
of the child images is sufficient. However, certain instructions require more
examination and explanation.
- For the `ADD` and `COPY` instructions, the modification time and size file
metadata is used to determine whether cache is valid. During cache lookup,
cache is invalidated if the file metadata has changed for any of the files
involved.
- Aside from the `ADD` and `COPY` commands, cache checking doesn't look at the
files in the container to determine a cache match. For example, when processing
a `RUN apt-get -y update` command the files updated in the container
aren't examined to determine if a cache hit exists. In that case just
the command string itself is used to find a match.
Once the cache is invalidated, all subsequent Dockerfile commands generate new
images and the cache isn't used.
If your build contains several layers and you want to ensure the build cache is
reusable, order the instructions from less frequently changed to more
frequently changed where possible.
For more information about the Docker build cache and how to optimize your
builds, see [cache management](../../build/cache/_index.md).
Understanding how the build cache works, and how cache invalidation occurs,
is critical for ensuring faster builds.
For more information about the Docker build cache and how to optimize your builds,
see [Docker build cache](../../build/cache/_index.md).
## Pin base image versions

2
data/toc.yaml
View File

@ -1820,6 +1820,8 @@ Manuals:
section:
- path: /build/cache/
title: Overview
- path: /build/cache/invalidation/
title: Cache invalidation
- path: /build/cache/garbage-collection/
title: Garbage collection
- sectiontitle: Cache backends