I have a build time Argument with which I would like to build my Docker file; Since that argument is confidential in nature (github key of a private repo) I don't want that to end up in a docker image. This quotes is from official docker documentation regarding the build-time arguments.
Warning: It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.
Anybody know what is the recommended way to achieve the same?
If you want to pass multiple build arguments with docker build command you have to pass each argument with separate — build-arg. docker build -t <image-name>:<tag> --build-arg <key1>=<value1> --build-arg <key2>=<value2> .
The easiest way to increase the speed of your Docker image build is by specifying a cached image that can be used for subsequent builds. You can specify the cached image by adding the --cache-from argument in your build config file, which will instruct Docker to build using that image as a cache source.
You only need to build the image once, and use it until the installed dependencies (like Python packages) or OS-level package versions need to be changed. Not every time your code is modified.
With docker 18.09+, that will be: docker build --secret id=mysecret,src=/secret/file
(using buildkit).
See PR 1288, announced in this tweet.--secret
is now guarded by API version 1.39.
Example:
printf "hello secret" > ./mysecret.txt
export DOCKER_BUILDKIT=1
docker build --no-cache --progress=plain --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
# syntax = tonistiigi/dockerfile:secrets20180808
FROM busybox
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
EOF
I'd rely on context of the Dockerfile for that. Basically, have something else (i.e. Jenkins, sub-repos) that's trusted with your Github key pull down all the necessary repos to relative locations that give your Dockerfile the context it needs. Nothing in the Docker build process itself should be managing secrets.
I can be more specific, if you specify more about your use-case. If it's just a single repo you need, you can just stick the Dockerfile in the root of that repo and rely on something else to provide credentials for cloning the repo down.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With