Support for BuildKit extensions (secrets) #81
Comments
|
This would be great, is there a timeline for when the proposal will be reviewed? |
|
Hi @pikeas, thanks for chasing this up 👍 It's holiday season now, so a lot of people are unavailable, but I added this proposal to be discussed in the next community meeting. |
|
To better understand the demand for each proposed function, I'd love for subscribers on this issue to vote. Could you please do the following?
Feel to add both if you're interested in both types of secrets; and thank you for your engagement 🙂 |
|
Docker 20.10 also supports env secrets. We use those to pass our Font Awesome auth token to docker: Dockerfile: ...
RUN --mount=type=secret,id=fontawesome,required \
export FONTAWESOME_NPM_AUTH_TOKEN=$(cat /run/secrets/fontawesome) && \
yarn install --frozen-lockfile
...Support for those would be useful as well. |
|
Had a discussion about this in the Compose Spec meeting today, my notes are below:
I've taken the action point of writing down some use cases to verify that this wouldn't be too Docker-specific. Equipped with this information, we'll be able to regroup and hopefully make the call on this proposal. Thus, if anyone wants to share various tools used to build environments (not only containers, but also things like VMs, change-roots...) please feel free to drop them in comments and I'll add it to my research materials 🙂 Thanks everyone again for their patience and positive engagement! |
|
Thanks, Erik.
What do you mean by "alternative implementations" here? Given that BuildKit is newish to Docker, it seems like caring about build once runtime is working is a natural progression. |
|
There's a 1,5-years old PR that solves this is a less elegant way: docker/compose#7046 IMHO it would make most sense implement build secrets the same as runtime secrets: services:
my-application:
build:
secrets:
- my-secret
secrets:
my-secret:
file: /path/to/local/file |
|
@Niek Agreed. I thought I made a PR for this spec change proposal, but apparently I never committed it. It's identical to yours, except, as with runtime secrets, there's a long and short form. I saw/see no reason why this couldn't use the normal secrets mechanism, other than--possibly--secrets being loaded eagerly from However, we also need the switch to enable BuildKit so the as opposed to |
|
As per comment above, took a look at other tools for building environments:
There were a few other cases (like NixOS Containers), which didn't seem to be too different from the above - so they aren't mentioned here. Planning to bring this up at the next meeting to discuss and see if we can make the call on the proposal. |
|
I think that secrets (file and ssh) for build would be a useful addition.
I don't think that we need to add a On where to put the build secrets, I raised last night in the meeting that I like the simplicity of adding them to the existing Thinking about this a bit more, tooling should be able to make this clear to users. e.g.: services:
one:
build: .
secrets:
- mysecret
two:
image: myimg
secrets:
- mysecret
secrets:
mysecret:
file: ./secret.txtWhen the user does a build, the tooling would mount the secret as expected. When the user does a deploy to Kubernetes, it would create a Kubernetes secret from the file and then mount it into service two. |
That's probably true, and AFAIK, BuildKit is fully backwards compatible. Whether that'll be true for new builders in the future is hard to say. However, I think the main question here is how self-contained the
So long as prod only uploads secrets that have been referenced by non-builds, I agree. (I don't know how Compose/Swarm works in that regard.) Uploading build secrets to a cluster that doesn't need them would be needlessly increasing the attack surface. |
|
@chris-crone, do you think we'd able to simplify this proposal by treating build-time and run-time secrets as separate concepts? (I'm naively assuming that reusing build secrets during runtime isn't that common). |
Not sure I understand. Do you mean having different sections for run and build secrets in Compose? |
|
Basically - yes. If we're worried that mixing build/runtime secrets is confusing (per #81 (comment)), then maybe we can avoid secrets top-level attribute in favour of defining something inline under build. We could even explore going in the direction of something like bindings (although this might be too k8s-specific). |
|
Struggling without |
Yeah, we're avoiding the use of |
My hack was to run an ssh-agent in a separate container and use a UDS->TCP->UDS bridge using It's an ugly setup, though. Security is easier the simpler the setup is. :) |
We had to write a script wrapper around docker-compose that parses yaml file, finds our custom properties and then builds needed images with CLI. That sucks but it's simpler than supporting docker-compose fork. |
|
I was referred here from the compose-cli / v2 project. IMO it would be most intuitive to support the services:
foo:
build:
context: ./src
ssh: defaultreads as a user would expect after consuming docker build documentation. supporting this is keeping us from using |
|
👍 for this feature. 🔐 |
|
We also had to write a separate shell script to use |
|
@kshcherban @alechirsch Would you mind sharing your scripts ? |
|
@maciejjaskowski it's something like below, if yq="python3 -m yq"
BUILD_COMPONENTS=($(yq -r -e '.services | keys[]' < docker-compose.yml))
for component in "${BUILD_COMPONENTS[@]}"; do
# shellcheck disable=SC2016
if yq -e '.services[$ARGS.positional[0]]["x-build-with-docker-build"]' \
--args "$component" < docker-compose.yml > /dev/null
then
REL_CONTEXT=$(yq -er \
'.services[$ARGS.positional[0]].build.context' \
--args "$component" < docker-compose.yml)
REL_DOCKERFILE=$(yq -er \
'.services[$ARGS.positional[0]].build.dockerfile' \
--args "$component" < docker-compose.yml)
TARGET=($(yq -er \
'.services[$ARGS.positional[0]].build.target | if . then "--target", . else "" end'\
--args "$component" < docker-compose.yml))
TAG_WITH_VARIABLES=$(yq -er \
'.services[$ARGS.positional[0]].image' \
--args "$component" < docker-compose.yml)
TAG_EXPANDED=$(bash -c "echo \"$TAG_WITH_VARIABLES\"")
IFS=$'\n'
DOCKERFILE_BUILD_ARGS=($(yq -r \
'.services[$ARGS.positional[0]].build.args // []
| to_entries[]
| ["--build-arg", "\(.key)=\(.value)"] | .[]' \
--args "$component") < docker-compose.yml)
unset IFS
BUILD_CMD=(docker build --pull --network host --ssh default \
-f "$REL_CONTEXT/$REL_DOCKERFILE" \
-t "$TAG_EXPANDED" \
"${TARGET[@]}" \
"${DOCKERFILE_BUILD_ARGS[@]}" "${BUILD_ARGS[@]}" "${REL_CONTEXT}")
echo "* Running: ${BUILD_CMD[@]}"
"${BUILD_CMD[@]}"
fi
done |
|
@kshcherban oh wow, thank you! One noob question: how do you pass the --secrets flag ? Or is it something that you left out as an easy exercise ? |
@maciejjaskowski we don't use secrets, but you can include it in script using the same approach |
|
Just want to point out the use case that I'm most commonly in. For things like getting access to things like Github Packages npm registry, I'd need a token to pull packages from there. I have a token value defined in the environment on CI during the docker build step. Lets say I have a env var services:
app:
image: the-image:build-id
build:
context: ./
x-bake:
secret:
- id=SECRET_TOKENI kind of see them more analogous to how bind mounts are defined in docker-compose. that would at least allow them to be defined in-line instead of in the top-level |
|
What are the blockers here to implementing? |
|
@jheld feel free to provide feedback on the #238 PR and compose-spec/compose-go#236 |
|
Closing as implemented |
|
The relevant docs link, in case anyone is looking for it: |
What is the problem you're trying to solve
With multi-stage builds, it's useful to be able to e.g. access an SSH server only from within the build image. Docker now supports that with BuildKit. It adds new command line flags and
Dockerfilesyntax. Compose should allow defining build secrets, just like it supports runtime secrets.Building using BuildKit is enabled through an environment variable (
DOCKER_BUILDKIT=1) or a Docker configuration file setting.Compose already supports runtime secrets, which are files "mounted" inside a container. BuildKit seems very similar, but with some differences:
--ssh, which simply mounts a Unix socket and sets theSSH_AUTH_SOCKenvironment variable forRUNcommands that request it.dstflag, which specifies an alternative directory (default is still/run/secrets/).Describe the solution you'd like
This is a high-level discussion around the requirements of a solution. A more concrete suggestion would probably be more suited for a PR.
Tie in to the existing
secrets. A file secret is defined byfileis currently supportedRUNAn SSH secret is defined by
Both of them are referenced/dispatched by specifying
This seems similar enough that it should be possible to extend the
secretssection, and allow referencing it in an image'sbuildsection. The SSH type is specific to BuildKit, so parsing code would have to know which type is allowed in build/runtime. Using a separate section for build secrets is a possibility.Lastly, adding a "builder" selector that allows choosing "buildkit" as the builder could set the right environment variable to allow parsing these flags. (The Dockerfile still needs to have the syntax line to support the
RUN --mountvariant.)Additional context
A spec PR was suggested as the first step, in docker/compose#7296 (comment).
The
--secretcommand line option is parsed into agithub.com/moby/buildkit/session/secrets/secretsprovider.FileSource. The--sshoption is parsed into agithub.com/moby/buildkit/session/sshforward/sshprovider.AgentConfig.The secret mount is dispatched at https://github.com/moby/buildkit/blob/195f9e598cc7ba82aabefe60d564df7329cb38dd/frontend/dockerfile/dockerfile2llb/convert_secrets.go, and the ssh mount is dispatched at https://github.com/moby/buildkit/blob/195f9e598cc7ba82aabefe60d564df7329cb38dd/frontend/dockerfile/dockerfile2llb/convert_ssh.go.
The text was updated successfully, but these errors were encountered: