New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TAG command to Dockerfile #5603
Comments
Also, when you said "destination for a container after a build", did you mean "the tag for a container after a build"? |
For this, I would have to ask how does the cli handle passing it multiple
This one is a little bit trickier. I suppose we'd have to ask for the purpose of an untagged build. Seeing as an untagged build can't be pushed to a registry, I would question the usefulness. I suppose we could refer to the answer of the previous question and respond with "why not both?" That is to say, we could create both an untagged container and a tagged container by default, seeing as
I would suggest this is semantics. The Tag for a container implicitly implies the destination registry and the name of the container when stored on that registry, so both statements are accurate. In the context of my original comment, I intended it to mean destination, as I deal with multiple private registries and keeping the containers aligned with their destination registry is sometimes more complex than necessary. |
Could be okay if we restricted this to a specific namespace such as "my-user/$TAG". Then, with signing and trust coming down the line, it would be signed by "my-user". Still, some important considerations need to be made on the security, trust, and distribution angles. |
I like this idea.
Each
For example:
Which would result in three images; The last two tags would be pointing to the same image. _Overriding_ If a tag is provided on the command-line, all tags in the Dockerfile should be ignored. Again, using the Dockerfile above, this;
Should result in a single tagged image ( |
@matthewcmorgan by saying "container" in the original post I think you mean "image" instead. Yes I have the exactly same idea. |
Please someone do this. Not having this hurts my ability to use images from the Trusted Build as I can't run specific versions of say MySQL. This introduces a lot of uncertainty as I'm never sure what I'm getting when use a community provided image. |
@KyleAMathews Do you mean in your dockerfile? You can use |
No, set the tag for the eventual image. E.g. you're building MySQL 5.6.1 so you'd add something like |
Not seems like a good idea to me : tags are not persistent across nested images. Already discussed here #886 and closed. @crosbymichael |
As @thaJeztah say, I think TAG instruction is necessary for Dockerfile to create multiple images from a single Dockerfile and create different tags for the same image. So, I make this pull requst #12983 . |
@xuxinkun I don't agree with the overriding point. If you don't allow ignoring of |
@cyphar overriding will be checked in 'TAG' command. So the condition you say won't happen. That's why I don't agree to use 'build -t' to ignore the 'TAG' command. I will show u a example with my pull request #12983
As you see, overriding will be stoped. |
Yeah, but then people will just start using |
I'm definitely -1 on this concept. |
@cyphar Now I change my mind, I think |
I'm with @cpuguy83. My complaints were merely about "if this feature was a must have, there are certain security implications". I'm definitely -1 on this concept -- why would you allow developers to tell sysadmins what the image should be tagged as? There's a reason that tagging is separate to image ids -- so sysadmins can come up with naming schemes and developers can just define images. |
I haven't really made my mind up on it; If I downloaded someone else's Dockerfile, this could be a bit weird. Otoh, when creating your own Dockerfile, this could be a really handy feature to (re)build all the images in one go. Perhaps other tooling, e.g. a simple shell-script / Makefile is more suitable for that (it's what we're using now).
I really don't know. I guess we need to look when it was implemented. Could it be that it wasn't explicitly implemented, but just "worked" that way, and described as a "feature" in a later stage? If we want to deprecate it, we probably have to do a GitHub search again to see if people are actually using it? (Like we did some time ago) |
@cyphar @duglin @thaJeztah As I see it, the only currently useful application of multiple FROMs is to execute pre-build scripts which modify network/cloud resources. That's a pretty narrow use-case, leaves untagged images on disk, and may have its own security implications. I propose we simply remove it. |
@duglin can you open an issue for removing that feature (multiple Probably best to ping some "early contributors", just to double check there are no other reasons for it to be there than @ewindisch commented. |
@thaJeztah done #13026 |
👍 for this. Other systems managing dependency between resources usually state what every element needs but also what it is going to provide. This it is convenient for troubleshooting, and for analysing a dependency tree out of a static collection of Docker files. In order to make the correspondence between every Docker file and its tagged image more clear, in my company we will have to use naming conventions. Arguments passed via the command line do not leave any track, while a declarative way to specify the name of the new image would help documenting and understanding the goal of every Docker file, in my opinion |
Reading the discussion I want to clarify something - #13774. The sysadmins need to tag them anyway right now via specyfing -t, but they need to use "magic scripting" to do that, what actually should be built into the tool. |
I am also very interested in this feature. |
Collective review with @duglin @estesp @tianon @abronan @cpuguy83 The biggest problem with this proposal is that it would overwrite the user's image name. Example: It seems that the usecases described in this thread, can be resolved by either using a Compose file specifying the tags for each container, or by writing a simple Makefile. However, if Dockerfiles evolve over time to be more powerful and flexible like a Makefile, with more security features such as ACLs on containers and images, thus eliminating the overwrite issue, then we could potentially revisit this. I'm closing this issue for now, feel free to comment further if needed. |
@tiborvass hmmm
Can't find a way to do this, am I missing something, or is this so far just a proposed feature of docker compose? |
Here's a workaround for unix like OS's, or sh users.
It uses my hb-path wrapper script. Make Dockerfiles executable. If you wish to use a different tag, just run Docker the normal way. |
I feel we may be over thinking the purpose of tags. Surely like in the SCM-sense they are just light-weight pointers to commits and do not have any inherent meaning; semantics are subsequently applied when a tool is later used and must decide (validate) the tag is fit for its own interests. @cyphar I do not agree that tagging is solely within the remit of SysAdmins, nor is conjuring naming conventions; where these responsibilities lie is fluid, changing from one team/project/(sub-)organisation to the next. Not only are tags light-weight, but they are also only local to the Docker daemon, as is the image/commit itself, until a tool publishes them i.e. So a developer/devops/sysadmin/Jenkins can do whatever they want up to that point. @tiborvass regarding the issue of overwriting
I will (naively) offer there are no security issues either, not until you try to use some security-aware tool that must at that point do its own checks and validations (dude-diligence [any security-aware tool that does not, we should not be using]) to succeed. What makes this really moot, is that we can all get the end result we want right now; imagine a multi-stage build:
You can then use those labels to find the commits/layers/intermediate-images and tag them as you please:
Note: the above example can be further parameterised e.g. with a version number, Then you can use these images to do some really useful stuff:
So with all of that insight (use-case and use of available features), why not just support the |
Old thread, but still a useful feature that doesn't exist. |
The use case for this for me is that I have to do my bash scripting in my build agent to properly tag my images in a CI / CD pipeline. |
If you really want this functionality, take a look at implementing your own buildkit frontend. There is a dockerfile parser frontend that you can just add this keyword yourself. This sounds scary, but it works very well. You can build it with "docker build" as normal (provided you are on 18.06 or newer). Here is the docs for the official docker experimental frontend: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md You can take the Dockerfile frontend found in that repo and add the functionality you want, make an image, and reference that image at the top of your Dockerfile which tells docker how to parse the Dockerfile with "# syntax=" |
The issue is that the TAG usually combines both the image name and version. The docker build --tag , -t expects a name:tag value (which itself is weird, documentation should states name:version or something else and avoid reusing the same 'tag' keyword). In the opposite, the Docker Hub presentation shows tags as only the second part, which is more like a version/flavor of the image. See https://hub.docker.com/_/docker?tab=tags for example. Most people arguing in favor of defining the image tag(s) from within the Dockerfile are doing so in order to simplify automated builds. As automating builds is a good thing, this should be encouraged. This would also allows people to make dynamic computation of complex version easier, without the need for additionnal scripts/tools. Maybe defining only the version(s) from within the Dockerfile and keep the image base name definition as a parameter of the docker build command would satisfy everyone? |
How does this simplify automated builds? btw, I encourage you to take a look at the new |
Here's my use case for TAG: I build custom docker images in GitLab CI which I use as the build environment for C++ applications. I'd like my tag to label which version of gcc my image has so my application builds with a specific version. I'd like the tag to be in one place so it's impossible for the gcc image version and the tag to be inconsistent. If I can set TAG inside the Dockerfile, this is easy:
Whether I'm running I read a little about buildx and it might work, but not until it's on by default because GitLab's docker setup is outside of my control. I'd still prefer everything to be in the Dockerfile. Its purpose is to define my image, and the tag is a vital part of my image. Today, I'm stuck either duplicating information between the |
Can docker pull tags from .env like docker-compose? Seems not. Ideally, I'd like to be able to do FROM image:version AS imgname:$TAG - where I get $TAG from .env (like I do for docker-compose)... Possible? |
Using build-args in the ARG FOO_VERSION=1.2.3
FROM image:$FOO_VERSION AS base
FROM base AS some-stage
FROM base AS some-other-stage Also note that the |
I should probably mention that adding this today would probably be a fairly "fun" attack vector for clouds which allow you to build your own images (if you add |
I just want to compute the tag from within the docker image itself and set the value...
RUN echo "TAG_NAME=my-image-tag-base-on-env" >> /tag-values
RUN echo "TAG_NAME_DATE=$(date)" >> /tag-values
ENV --from-context-files /tag-values
TAG myimage:${TAG_NAME} |
Like the MAINTAINER command, a TAG command would allow a Dockerfile to record the intended destination for a container after a build. When doing a
docker build
from command line, the TAG command would allow a default-t mytag/mycontainer
to be used. Ifdocker build
is passed a different-t mytag/mycontainer
then it would overwrite the TAG command in the dockerfile.This would be especially useful for those of us using a private docker registry so we can see what others tagged a built container as when it was pushed to a private registry.
The text was updated successfully, but these errors were encountered: