-
Notifications
You must be signed in to change notification settings - Fork 788
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
RFE: dockerfile secret #1684
Comments
We'll certainly consider it. Thanks for the request and pointers. |
@QiWang19 PTAL |
Docker support this with |
Is buildah bud -v SECRETPATH:DESTPATH ... |
Its a slightly different api then that. I'm using it here: Half of the mount info is on the command line. The other half is in the Dockerfile at the RUN While you could have just one -v option and that would solve the ability to inject things into the build, it wouldn't allow buildah bud to be compatible with existing Dockerfiles. It also wouldn't allow the secrets to be exposed only to some of the containers in a multistage environment. |
Strange looking at this command line. In man pages or in docker build --help? |
Also I have never seen this syntax before
|
Its documented here: The --progress=plain is also documented on that page. |
Great, but it is not in a released/supported Docker yet, correct? |
Its been a while since I looked closely. It was experimental when I wrote the code initially. But I think its released/supported now: |
Cool, interested in porting the code to buildah? |
Too much to do, and too little time right now. Sorry. :/ |
No problem, hopefully we can get someone to work on it. |
FWIW - I ran in to a similar issue trying to use podman build on a Dockerfile that is also using
specifically:
Which should mount the
which is, in fact, the code we were looking at replacing (don't need that output dir in any of the final image layers, mounting seems nicer. |
Intersted in opening a PR to add this feature? |
@QiWang19 PTAL |
@ashley-cui Since you have taken over secrets, here is an issue for you. |
A couple of use cases where this can be used as well. |
This feature would be extremely useful for anyone who is using Dockerfiles to define builds and installing packages from private repositories. Currently the only option for those that use Dockerfiles is to use build args. If build uses short lived tokens and multiple stages, it's reasonably safe. It's just extremely complicated and use of short lived tokens in build args kills caching. |
Can's you also do this with build volumes? buildah bud -v /sourc/secret:/dest/secret ... |
I missed that option. I could and for most parts it would be the same as using docker's --secret argument. It's not the same, because docker doesn't mention copying to container. I know that following goes well beyond original request. I have a feeling that this way of passing secrets is overly complicated. I'd like to see a way of passing secrets as environment variables. Consider how intuitive it would be, if we had something like --secret-build-arg FOO. Which would make buildah read FOO from build environment and pass it to build container. To prevent secret from leaking and to make caching work properly, buildah would need to replace secret with a static string such as "SECRET" in command history. |
"For example, if you supply /foo as the host path, Buildah copies the contents of /foo to the container filesystem on the host and bind mounts that into the container." I think this is a bit confusing. I initially thought this means that copied files will become part of final image. Container filesystem translates in my head to filesystem inside the container. Also, if this is recommended way of handling secrets, documentation should recommend using overlay option for secrets. If you're building in e.g. kubernetes and secrets location isn't a physical disk, you probably want to avoid making copies of secrets on a filesystem |
@ashley-cui is working on a --secrets flag to do some of the stuff that you want. But if you need it now, these are the things we have. |
Secrets patch was just merged. @ashley-cui Does the secrets patch work with podman build? |
@rhatdan I don't think so, I only wired it up to create/run so far |
Ok we need to get this wired into buid, if possible. Probably need to make buildah work with it first. |
i'm looking for this feature as well, it's the blocker for us migrating from buildkit to buildah |
At our project, we're also interested in this. We build using Docker locally and built with Kaniko before we ship, in our CI/CD pipeline. However, we now need to use It'd be great if Buildah supported this -- we would gladly migrate to it 😄 I'll leave the Dockerfile
|
A friendly reminder that this issue had no activity for 30 days. |
@ashley-cui have you been able to look into this? |
@rhatdan looked into it a little bit, but keep getting distracted by mac work so have't really gotten anywhere. |
@ashley-cui You wouldn't have time to add environment variable based source? The reason for this request is that most CI services pass secrets as environment variables. Creating a temporary file just doesn't feel right (or safe) I noted that current implementation creates a copy of secret file. It seems like easiest interim solution would be to create copy using contents of environment variable as source. This wouldn't get us rid of temporary files completely, but it would be a step into right direction. The next step would be adding --mount=type=secret-env,id=secret to expose secret as environment variable instead of a file. This would allow command running inside build container to use secret without having it stored on disk |
Based on the last comment, I'm going to reopen this. @ashley-cui @skorhone I'll let the two of you decide if a new issue should be spun up instead. |
Sounds like a good idea, I'm working on this in podman-land right now, so I'll get to this after that. |
I think the env variable source should be a different issue, since I think this issue should only encompass the |
I've got a few dockerfiles that are staring to use/need the secret support in newer docker versions. This allows you to inject things like rpm signing keys which otherwise would be leaked out, or need nasty hacks to fetch.
See the secret support examples here:
https://docs.docker.com/develop/develop-images/build_enhancements/
Could support for these options be added to buildah please?
The text was updated successfully, but these errors were encountered: