
[Proposal] Inject temporary secret files into build #18603

Closed
bfirsh opened this issue Dec 11, 2015 · 6 comments

Comments

@bfirsh
Contributor

bfirsh commented Dec 11, 2015

A common request is to be able to inject secret files into the build process and have them not end up in the built image.

For example:

  • A user may be using RHEL and need to put their license key inside the container to install packages, but they don't want it to end up in the final image.
  • A user may need to pass in their SSH agent/key to clone a Git repository, use a private Gem repo, use a private APT repo, etc.
  • A user may need to pass in SSL certs to be able to install dependencies.

Possible solutions

Related issues

@thaJeztah
Member

If we allowed volumes during build, the volume could also use a volume driver; thinking of the Keywhiz driver (I think I mentioned that in #13490).

@NikolausDemmel

Additional possible solution: Support tmpfs mounts during build, similar to what is possible during run since 1.10: #13587

@jdiaz5513

Call me crazy, but can't the ARG instruction be modified so that it doesn't store the build arg itself in the metadata, but just a (non-reversible) hash of it? That'll keep the secret itself out of any persistent storage and preserve the ability to cache based on the arg value.

@cpuguy83
Member

@jdiaz5513 secrets in environment variables are not secret.

See #28079 for build secrets.

@jdiaz5513

Very happy to see that PR. That's a much better solution! 😄

@vdemeester changed the title from "Inject temporary secret files into build" to "[Proposal] Inject temporary secret files into build" on Feb 14, 2018
@AkihiroSuda
Member

docker build --secret is finally available in Docker 18.09 https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066
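The BuildKit secret mount referenced in that comment, as an added example Dockerfile that is not part of the thread; it assumes a Python project that authenticates to a private package index through a `.netrc` file, and the secret id, file names and package set are made up for the illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the issue thread. Build with BuildKit enabled:
#   DOCKER_BUILDKIT=1 docker build --secret id=pip_netrc,src=$HOME/.netrc -t app .
# The secret id "pip_netrc", the .netrc source and the app layout are assumptions.
FROM python:3.11-slim

WORKDIR /app
COPY requirements.txt .

# The ARG approach discussed above is the anti-pattern: build args are
# recorded in the image config, so the value would be visible to anyone
# with the image via `docker history --no-trunc app` or `docker inspect`.
#   ARG NETRC_CONTENTS
#   RUN printf '%s' "$NETRC_CONTENTS" > /root/.netrc && pip install -r requirements.txt

# Secret mount: the file exists only for the duration of this RUN step
# (default path /run/secrets/<id>, here overridden with target=), is not
# written to any layer, and does not appear in the image metadata.
RUN --mount=type=secret,id=pip_netrc,target=/root/.netrc \
    pip install --no-cache-dir -r requirements.txt

COPY . .
CMD ["python", "app.py"]

# Check after building: neither the credentials nor the mount path should
# appear in the layer history or in the filesystem of the final image.
#   docker history --no-trunc app
#   docker run --rm app ls -la /root/.netrc   # expected: No such file or directory
```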
