Alpine Linux package builder in Docker
Switch branches/tags
Clone or download
Latest commit 3a16661 Aug 7, 2018

Alpine Package Builder

This is a Docker image for building Alpine Linux packages.


We tag each release with a simple v# version scheme. Here are the tags to choose from:

  • andyshinn/alpine-abuild:v1: based on Alpine 3.3
  • andyshinn/alpine-abuild:v2: based on Alpine 3.4
  • andyshinn/alpine-abuild:v3: based on Alpine 3.5
  • andyshinn/alpine-abuild:v4: based on Alpine 3.6
  • andyshinn/alpine-abuild:v5: based on Alpine 3.6
  • andyshinn/alpine-abuild:v6: based on Alpine 3.7
  • andyshinn/alpine-abuild:v7: based on Alpine 3.8
  • andyshinn/alpine-abuild:edge: based on Alpine edge (includes testing repository as well)

The builder is typically run from your Alpine Linux package source directory (changing ~/.abuild/mykey.rsa and ~/.abuild/ to your packager private and public key locations):

docker run \
	-e RSA_PRIVATE_KEY="$(cat ~/.abuild/mykey.rsa)" \
	-e RSA_PRIVATE_KEY_NAME="mykey.rsa" \
	-v "$PWD:/home/builder/package" \
	-v "$HOME/.abuild/packages:/packages" \
	-v "$HOME/.abuild/" \

This would build the package at your current working directory, and place the resulting packages in ~/.abuild/packages/builder/x86_64. Subsequent builds of packages will update the ~/.abuild/packages/builder/x86_64/APKINDEX.tar.gz file.

You can also run the builder anywhere. You just need to mount your package source and build directories to /home/builder/package and /packages, respectively.


There are a number of environment variables you can change at package build time:

  • RSA_PRIVATE_KEY: This is the contents of your RSA private key. This is optional. You should use PACKAGER_PRIVKEY and mount your private key if not using RSA_PRIVATE_KEY.
  • RSA_PRIVATE_KEY_NAME: Defaults to ssh.rsa. This is the name we will set the private key file as when using RSA_PRIVATE_KEY. The file will be written out to /home/builder/$RSA_PRIVATE_KEY_NAME.
  • PACKAGER_PRIVKEY: Defaults to /home/builder/.abuild/$RSA_PRIVATE_KEY_NAME. This is generally used if you are bind mounting your private key instead of passing it in with RSA_PRIVATE_KEY.
  • REPODEST: Defaults to /packages. If you want to override the destination of the build packages. You must also be sure the builder user has access to write to the destination. The abuilder entry point will attempt to mkdir -p this location.
  • PACKAGER: Defaults to Glider Labs <>. This is the name of the package used in package metadata.


You can use this image to generate keys if you don't already have them. Generate them in a container using the following command (replacing Glider Labs <> with your own name and email):

docker run --name keys --entrypoint abuild-keygen -e PACKAGER="Glider Labs <>" andyshinn/alpine-abuild:v2 -n

You'll see some output like the following:

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
writing RSA key
>>> You'll need to install /home/builder/.abuild/ into
>>> /etc/apk/keys to be able to install packages and repositories signed with
>>> /home/builder/.abuild/
>>> You might want add following line to /home/builder/.abuild/abuild.conf:
>>> PACKAGER_PRIVKEY="/home/builder/.abuild/"
>>> Please remember to make a safe backup of your private key:
>>> /home/builder/.abuild/

This output contains the path to your public and private keys. Copy the keys out of the container:

mkdir ~/.abuild
docker cp keys:/home/builder/.abuild/ ~/.abuild/
docker cp keys:/home/builder/.abuild/ ~/.abuild/

Put your key files in a same place and destroy this container:

docker rm -f keys