dockerfile - safe way to use build-time argument in Docker

Question

Welcome To Ask or Share your Answers For Others

dockerfile - safe way to use build-time argument in Docker

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

dockerfile - safe way to use build-time argument in Docker

I have a build time Argument with which I would like to build my Docker file; Since that argument is confidential in nature (github key of a private repo) I don't want that to end up in a docker image. This quotes is from official docker documentation regarding the build-time arguments.

Warning: It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

Anybody know what is the recommended way to achieve the same?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T19:30:40+0000

With docker 18.09+, that will be: docker build --secret id=mysecret,src=/secret/file (using buildkit).

See PR 1288, announced in this tweet.
--secret is now guarded by API version 1.39.

Example:

printf "hello secret" > ./mysecret.txt

export DOCKER_BUILDKIT=1

docker build --no-cache --progress=plain --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
# syntax = tonistiigi/dockerfile:secrets20180808
FROM busybox
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
EOF

Categories

dockerfile - safe way to use build-time argument in Docker

dockerfile - safe way to use build-time argument in Docker

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags