New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to `ADD
files and then remove them in the same layer in a Dockerfile
#12169
Comments
Thanks for the links. |
yes, thanks for your share. |
Maybe some command like these. Simple mounting:
Multiples files in one container dir:
Each file in their own container path:
Then USE won't create a new layer, but mount the volume in next build steps. |
That's a potential solution. |
We are getting |
That works too.
|
Hello! Mainly:
Then from there, patches/features like this can be re-thought. Hope you can understand. |
@jessfraz interesting that multiple FROM support in a single Dockerfile was just added, yet this very needed feature was shut down |
For those who is interested, seems like https://github.com/grammarly/rocker provides needed features |
The fact that you don't allow moving a file and removing it, without leaving residue open in a in-between layer is a HUGE security problem. There are tons of docker containers out there in the commercial world which probably have rsa keys in them for github. Seriously guys. |
OK, here is how to build your container, with private Github repos, and do it without leaving ssh keys in a intermediate container: Install Rocker - which will replace your If your old
Your
(The reason for the My
Run |
I completely agree that this can be considered as security flaw even if I disregard that the fact that the source code can also (significantly) increase the image size. Shame, really. |
For users that are still looking, my colleague created a project for passing secrets to Note that if security is not a concern, but you just have a large file, you can achieve the same with
In the Dockerfile:
|
@jessfraz Not helpful. Providing a broken link to some documentation that doesn't exist and claiming that the Dockerfile syntax isn't going to change without a definitive source doesn't help anyone. Using intermediate files during the build process of a Docker container is absolutely essential - and 1 way or another is_really_ needs to be supported. Without a clean way to clean up intermediate build files, it makes Another proposal:
(I'll edit / delete this comment once this issue is resolved) |
@sbrl you can reach the same goal using build stages Feel free to check my lastest Dockerfiles at:
I use stages there to handle files before copying them to final image |
With BuildKit enabled ( Doing so allows accessing files, without copying them to the image, for example; # syntax=docker/dockerfile:experimental
FROM busybox
# local build-context is mounted at /tmp/src (read-only by default), but not copied to the image
RUN --mount=type=bind,src=.,target=/tmp/src cd /tmp/src && make install |
@thaJeztah Nice! BTW I can see now that we can enable the Since that is also required. In order for this solution to work (and be truly universal, supported including the docker hub for open sharing etc.). Thank you. |
The experimental syntax is a "front-end". BuildKit front-ends are cool 🤓; they're distributed as images (here's the "experimental" front-end), and allow defining your own file format if you don't like Dockerfiles or need additional features (see Any version of docker that has buildkit support (docker 18.09 and with some limits, docker 18.06) can use those front-ends |
Thanks for mentioning those there. I can see mockerfile being useful for my own images. since it transforms
This is intersting too. However still early days it would seem. Due to the large image sizes. As noted here too: https://gitlab.com/groups/gitlab-org/-/epics/2880 For that reason I wait longer for it to mature. Since that extra overhead of larger images is not possible for me. But hopefully wil be solved in time. And maybe if github also adopts them for CI at some point. Not just gitlab.
... Cool man. Digging further it seems (as of today) the hub is on KernelVersion: 4.4.0-1060-aws
Components: [{u'Version': u'19.03.8', u'Name': u'Engine', u'Details': {u'KernelVersion': u'4.4.0-1060-aws', u'Os': u'linux', u'BuildTime': u'2020-03-11T01:24:30.000000000+00:00', u'ApiVersion': u'1.40', u'MinAPIVersion': u'1.12', u'GitCommit': u'afacb8b7f0', u'Arch': u'amd64', u'Experimental': u'false', u'GoVersion': u'go1.12.17'}}, {u'Version': u'1.2.13', u'Name': u'containerd', u'Details': {u'GitCommit': u'7ad184331fa3e55e52b890ea95e65ba581ae3429'}}, {u'Version': u'1.0.0-rc10', u'Name': u'runc', u'Details': {u'GitCommit': u'dc9208a3303feef5b3839f4323d9beb36df0a9dd'}}, {u'Version': u'0.18.0', u'Name': u'docker-init', u'Details': {u'GitCommit': u'fec3683'}}]
Arch: amd64
BuildTime: 2020-03-11T01:24:30.000000000+00:00
ApiVersion: 1.40
Platform: {u'Name': u'Docker Engine - Community'}
Version: 19.03.8
MinAPIVersion: 1.12
GitCommit: afacb8b7f0 Look forwards to trying this feature out in the future! Thank you all. |
Yes, it's possible to enable BuildKit for your automated builds. It's not (yet) enabled by default, but you can enable it on your automated builds by setting the environment variable; https://docs.docker.com/docker-hub/builds/#build-images-with-buildkit |
A common use case when writing Dockerfiles is to
ADD
source code then followed by compiling and then packaging the application. Currently theADD
results in its own layer, without the ability to remove it.Ideally I would be able to do this in a Dockerfile
This way the
src
will never end up in a layer.The text was updated successfully, but these errors were encountered: