[Proposal] Inject temporary secret files into build #18603

Closed
bfirsh opened this issue Dec 11, 2015 · 6 comments

Comments

@bfirsh
Contributor

commented Dec 11, 2015

A common request is to be able to inject secret files into the build process and have them not end up in the built image.

For example:

  • A user may be using RHEL and need to put their license key inside the container to install packages, but they don't want it to end up in the final image.
  • A user may need to pass in their SSH agent/key to clone a Git repository, use a private Gem repo, use a private APT repo, etc.
  • A user may need to pass in SSL certs to be able to install dependencies.

Possible solutions

Related issues

@thaJeztah

Member

commented Dec 11, 2015

If we allowed volumes during build, the volume could also use a volume-driver, thinking of the Keywhiz driver (I think I mentioned that in #13490)

@NikolausDemmel


commented Aug 4, 2016

Additional possible solution: Support tmpfs mounts during build, similar to what is possible during run since 1.10: #13587

@jdiaz5513


commented Nov 12, 2016

Call me crazy, but can't the ARG instruction be modified so that it doesn't store the build arg itself in the metadata, but just a (non-reversible) hash of it? That'll keep the secret itself out of any persistent storage and preserve the ability to cache based on the arg value.

@cpuguy83

Contributor

commented Nov 12, 2016

@jdiaz5513 secrets in environment variables are not secret.

See #28079 for build secrets.

@jdiaz5513


commented Nov 12, 2016

Very happy to see that PR. That's a much better solution! 😄

@vdemeester changed the title from "Inject temporary secret files into build" to "[Proposal] Inject temporary secret files into build" on Feb 14, 2018

@AkihiroSuda

Member

commented Nov 11, 2018

docker build --secret is finally available in Docker 18.09 https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066
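
The build-secret mechanism named in the last comment, set beside the build-arg approach raised earlier in the thread. This is an added example, not part of the original thread or the Docker project's own code. The stage names, the secret id `repo_token`, the file name and the package URL are constructed, and a Docker version with BuildKit enabled is assumed.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: stage names, secret id, file name and URL are constructed.

# --- Weak: secret passed as a build arg --------------------------------
#   docker build --target weak --build-arg REPO_TOKEN=<token> -t demo:weak .
# The value is recorded with the RUN step in the image metadata, so
#   docker history --no-trunc demo:weak
# shows it to anyone who can pull the image.
FROM alpine:3.19 AS weak
ARG REPO_TOKEN
RUN apk add --no-cache curl \
 && curl -fsS -H "Authorization: Bearer ${REPO_TOKEN}" \
      -o /opt/dep.tar.gz https://packages.example.invalid/dep.tar.gz

# --- Hardened: secret mounted for a single RUN step ---------------------
#   DOCKER_BUILDKIT=1 docker build --target hardened \
#       --secret id=repo_token,src=./repo_token.txt -t demo:hardened .
# The file exists at /run/secrets/repo_token only while this RUN executes
# and is not written to any image layer. required=true makes the build
# fail if --secret was not supplied, instead of running with no token.
FROM alpine:3.19 AS hardened
RUN --mount=type=secret,id=repo_token,required=true \
    apk add --no-cache curl \
 && curl -fsS -H "Authorization: Bearer $(cat /run/secrets/repo_token)" \
      -o /opt/dep.tar.gz https://packages.example.invalid/dep.tar.gz

# Check after building: the token string should not appear in
#   docker history --no-trunc demo:hardened
```

The mount protects the secret file only; anything the RUN step copies out of `/run/secrets` into the filesystem still lands in the layer.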

8 participants