Secret src not working if env variable matches id #5282

Open
KenMacD opened this issue Jan 18, 2024 · 3 comments

KenMacD commented Jan 18, 2024

Description

When building with a secret, that secret is empty if an environment variable exists with a name matching the id of the secret.

Steps to reproduce the issue:

  1. Create a simple Dockerfile using a secret:

         FROM busybox

         RUN --mount=type=secret,id=FOO \
             echo $FOO && \
             ls -al /run/secrets && \
             echo -n "/run/secrets/FOO is: " && \
             cat /run/secrets/FOO && \
             echo ""

  2. Create a file to store the secret:

         echo -n "SECRET" >bar

  3. Build works correctly without environment variable:

         $ env -u FOO buildah build --secret "id=FOO,src=bar" .
         STEP 1/2: FROM busybox
         STEP 2/2: RUN --mount=type=secret,id=FOO     echo $FOO &&     ls -al /run/secrets &&     echo -n"/run/secrets/FOO is: " &&     cat /run/secrets/FOO &&     echo ""

         total 4
         drwxr-xr-x    1 root     root             6 Jan 18 20:11 .
         drwxr-xr-x    1 root     root            40 Jan 18 20:11 ..
         -r--------    1 root     root             7 Jan 18 20:11 FOO
         /run/secrets/FOO is: SECRET
         COMMIT

  4. Run with an environment variable set, and secret fails:

         FOO=ABCD buildah build --secret "id=FOO,src=bar" .
         STEP 1/2: FROM busybox
         STEP 2/2: RUN --mount=type=secret,id=FOO     echo $FOO &&     ls -al /run/secrets &&     echo -n "/run/secrets/FOO is: " &&     cat /run/secrets/FOO &&     echo ""

         total 0
         drwxr-xr-x    1 root     root             6 Jan 18 20:13 .
         drwxr-xr-x    1 root     root            40 Jan 18 20:13 ..
         -r--------    1 root     root             0 Jan 18 20:13 FOO
         /run/secrets/FOO is:
         COMMIT

Output of rpm -q buildah or apt list buildah:

$ readlink (which buildah)
/nix/store/b9x0ibs6p4ylqkng007z0wv36b7vd24s-buildah-wrapper-1.33.2/bin/buildah

Output of buildah version:

buildah version
Version:         1.33.2
Go Version:      go1.21.5
Image Spec:      1.1.0-rc.5
Runtime Spec:    1.1.0
CNI Spec:        1.0.0
libcni Version:  v1.1.2
image Version:   5.29.0
Git Commit:
Built:           Mon Dec 31 20:00:00 1979
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of podman version if reporting a podman build issue:

Client:       Podman Engine
Version:      4.8.3
API Version:  4.8.3
Go Version:   go1.21.5
Built:        Mon Dec 31 20:00:00 1979
OS/Arch:      linux/amd64

Output of cat /etc/*release:

DISTRIB_CODENAME=uakari
DISTRIB_DESCRIPTION="NixOS 24.05 (Uakari)"
DISTRIB_ID=nixos
DISTRIB_RELEASE="24.05"
LSB_VERSION="24.05 (Uakari)"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
BUILD_ID="24.05.20240117.842d9d8"
DOCUMENTATION_URL="https://nixos.org/learn.html"
HOME_URL="https://nixos.org/"
ID=nixos
LOGO="nix-snowflake"
NAME=NixOS
PRETTY_NAME="NixOS 24.05 (Uakari)"
SUPPORT_URL="https://nixos.org/community.html"
VERSION="24.05 (Uakari)"
VERSION_CODENAME=uakari
VERSION_ID="24.05"

Output of uname -a:

Linux build 6.7.0 #1-NixOS SMP PREEMPT_DYNAMIC Sun Jan  7 20:18:38 UTC 2024 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

cat /etc/containers/storage.conf
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"
runroot = "/run/containers/storage"

@TomSweeneyRedHat
Member

@ashley-cui any thoughts?

@ashley-cui
Member

Might be a bug? I'll take a look

ashley-cui self-assigned this Jan 19, 2024

A friendly reminder that this issue had no activity for 30 days.
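
A pre-build guard for the collision reported in this issue, as an added example (not code from the issue or from the buildah project): it parses `--secret` specs in the `id=NAME,src=FILE` form used above, reports ids that are also exported environment variables, and runs the build with those variables removed, as the working `env -u FOO` invocation in step 3 does. The function names are hypothetical, and the single-spec `run_guarded` signature is an assumption made to keep the example short.

```shell
#!/bin/sh
# Added example: guard against --secret ids that match an environment variable.
# Function names are hypothetical; the "id=NAME,src=FILE" spec format is from the issue.

# Print the id= value of one secret spec, e.g. "src=bar,id=FOO" -> FOO.
# Returns 1 if the spec carries no id= field.
secret_id() {
    rest=$1
    while [ -n "$rest" ]; do
        field=${rest%%,*}                 # first comma-separated field
        case $field in
            id=*) printf '%s\n' "${field#id=}"; return 0 ;;
        esac
        case $rest in
            *,*) rest=${rest#*,} ;;       # drop the field just examined
            *)   rest= ;;
        esac
    done
    return 1
}

# Print every secret id from the given specs that is also set in the
# environment a child process (such as buildah) would inherit.
colliding_secret_ids() {
    for spec in "$@"; do
        id=$(secret_id "$spec") || continue
        if printenv "$id" >/dev/null 2>&1; then
            printf '%s\n' "$id"
        fi
    done
}

# run_guarded SPEC COMMAND...
# Run COMMAND; if SPEC's id collides with an environment variable, warn and
# remove that variable from COMMAND's environment only (env -u, as in step 3).
run_guarded() {
    spec=$1
    shift
    clash=$(colliding_secret_ids "$spec")
    if [ -n "$clash" ]; then
        echo "warning: environment variable $clash matches secret id; unsetting it for this command" >&2
        env -u "$clash" "$@"
    else
        "$@"
    fi
}
```

Typical use would be `run_guarded "id=FOO,src=bar" buildah build --secret "id=FOO,src=bar" .`; the calling shell's own `FOO` is left untouched.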
