Docker build fails with the API, but succeeds with the CLI

[fayak]

I think this is linked to the handling of users and workdirs somehow.

reproductible setup :

FROM alpine

RUN adduser -D user

USER user

WORKDIR /test

RUN echo toto > toto

demonstration of the issue :

(venv)  ⚡ root /tmp/work $ docker build -t toto .
[+] Building 0.7s (8/8) FINISHED                                                                                            docker:default
 => [internal] load .dockerignore                                                                                                     0.0s
 => => transferring context: 2B                                                                                                       0.0s
 => [internal] load build definition from Dockerfile                                                                                  0.0s
 => => transferring dockerfile: 118B                                                                                                  0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                      0.0s
 => CACHED [1/4] FROM docker.io/library/alpine                                                                                        0.0s
 => [2/4] RUN adduser -D user                                                                                                         0.3s
 => [3/4] WORKDIR /test                                                                                                               0.0s
 => [4/4] RUN echo toto > toto                                                                                                        0.3s
 => exporting to image                                                                                                                0.1s
 => => exporting layers                                                                                                               0.0s
 => => writing image sha256:c43656efd75c98cd7cc2f477b7958ffaa1b6cb42c14e8a09fa5b3c89afbf3efe                                          0.0s
 => => naming to docker.io/library/toto                                                                                               0.0s
(venv)  ⚡ root /tmp/work $ python3
Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import docker
>>> a = docker.from_env()
>>> i, l = a.images.build(path=".", forcerm=True, pull=True, timeout=120, rm=True, tag="toto:latest")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/docker/models/images.py", line 285, in build
    raise BuildError(chunk['error'], result_stream)
docker.errors.BuildError: The command '/bin/sh -c echo toto > toto' returned a non-zero code: 1

[fayak]

After tweaking the Dockerfile a bit, I check the ownership of the /test directory created:

with the CLI:
drwxr-xr-x 1 user user 29 Apr 16 16:39 .
with docker py:
drwxr-xr-x 2 root root 6 Apr 16 16:27 .

The ownership of /test is not changed as it should by the WORKDIR instruction after the USER one

[fayak]

Interesting fact while looking at the docker daemon logs in debug mode, I have a cache miss with the python API build():
dockerd[441776]: time="2024-04-16T19:09:18.842770073+02:00" level=debug msg="[BUILDER] Cache miss: [/bin/sh -c adduser -D user]"
while the layer should already exist as I've just built it with the CLI. Somehow something is different, but I'm not expert enough in docker internals to understand what it could be