Build --secret with buildkit #1288
Conversation
@vdemeester @cpuguy83 :) this is pretty dope. This is just wiring stuff together, the heavy lifting was done in buildkit repo.
LGTM 🐯
Small lint failure to fix though 😉
cli/command/image/build_buildkit.go:1::warning: file is not gofmted with -s (gofmt)
cli/command/image/build_buildkit.go:1::warning: file is not goimported (goimports)
Force-pushed from e42eb79 to 77827e4.
Codecov Report (coverage diff, master vs #1288):

| | master | #1288 | +/- |
|---|---|---|---|
| Coverage | 54.03% | 54.05% | +0.01% |
| Files | 272 | 272 | |
| Lines | 18072 | 18114 | +42 |
| Hits | 9766 | 9792 | +26 |
| Misses | 7690 | 7706 | +16 |
| Partials | 616 | 616 | |
@vdemeester fixed
LGTM
Weird that it leaves an empty file in the container image where you mount a secret. Is this an issue with the frontend or with buildkit?
Review comment on cli/command/image/build_buildkit.go:

```go
	return secretsprovider.NewSecretProvider(store), nil
}

func parseSecret(value string) (*secretsprovider.FileSource, error) {
```
Maybe we can add some test for these two new functions?
Done!
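To make concrete what the two new functions under review have to do, here is an added, self-contained Go example (written for this page, not code from docker/cli or buildkit) that parses a `--secret id=...,src=...` value and resolves it to file contents the way a file-backed secret provider would. `SecretSource` stands in for buildkit's `secretsprovider.FileSource` and its field names are an assumption; so are the rules that `id` is required, that `src`/`source` defaults to the id, and that `type` may only be `file`. The `LoadSecrets` helper goes a step beyond the parser: it rejects duplicate ids and anything that is not a regular file, so a typo in `src` cannot ship an empty or unexpected secret into the build.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SecretSource stands in for buildkit's secretsprovider.FileSource;
// the field names are an assumption for this example, not the real type.
type SecretSource struct {
	ID       string // name referenced by RUN --mount=type=secret,id=...
	FilePath string // host file whose contents become the secret
}

// ParseSecretSpec parses one --secret value such as "id=mysecret,src=/secret/file".
// The value is a CSV record of key=value pairs. Rules assumed here: "id" is
// required, "src"/"source" name the host file and default to the id, and
// "type" may only be "file".
func ParseSecretSpec(value string) (*SecretSource, error) {
	fields, err := csv.NewReader(strings.NewReader(value)).Read()
	if err != nil {
		return nil, fmt.Errorf("failed to parse csv secret %q: %w", value, err)
	}
	fs := &SecretSource{}
	for _, field := range fields {
		parts := strings.SplitN(field, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid field %q: must be a key=value pair", field)
		}
		key, val := strings.ToLower(parts[0]), parts[1]
		switch key {
		case "type":
			if val != "file" {
				return nil, fmt.Errorf("unsupported secret type %q", val)
			}
		case "id":
			fs.ID = val
		case "src", "source":
			fs.FilePath = val
		default:
			return nil, fmt.Errorf("unexpected key %q in %q", key, field)
		}
	}
	if fs.ID == "" {
		return nil, fmt.Errorf("secret %q has no id", value)
	}
	if fs.FilePath == "" {
		fs.FilePath = fs.ID
	}
	return fs, nil
}

// LoadSecrets resolves --secret values into id -> contents. Duplicate ids
// and non-regular files (directories, devices, dangling symlinks) are
// rejected instead of silently producing an empty secret.
func LoadSecrets(specs []string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(specs))
	for _, spec := range specs {
		fs, err := ParseSecretSpec(spec)
		if err != nil {
			return nil, err
		}
		if _, dup := out[fs.ID]; dup {
			return nil, fmt.Errorf("duplicate secret id %q", fs.ID)
		}
		info, err := os.Stat(fs.FilePath) // follows symlinks, as the build would
		if err != nil {
			return nil, fmt.Errorf("secret %q: %w", fs.ID, err)
		}
		if !info.Mode().IsRegular() {
			return nil, fmt.Errorf("secret %q: %s is not a regular file", fs.ID, fs.FilePath)
		}
		data, err := os.ReadFile(fs.FilePath)
		if err != nil {
			return nil, fmt.Errorf("secret %q: %w", fs.ID, err)
		}
		out[fs.ID] = data
	}
	return out, nil
}

func main() {
	// Constructed input mirroring the thread: a mysecret.txt in a temp dir.
	dir, err := os.MkdirTemp("", "secret-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "mysecret.txt")
	if err := os.WriteFile(path, []byte("hello secret"), 0o600); err != nil {
		panic(err)
	}
	secrets, err := LoadSecrets([]string{"id=mysecret,src=" + path})
	if err != nil {
		panic(err)
	}
	// Print only the id and length: the point of --secret is that the value
	// never lands in a layer, a build arg, or a log line.
	fmt.Printf("loaded secret %q (%d bytes)\n", "mysecret", len(secrets["mysecret"]))
}
```

The CSV parsing matters for the `src=` path: a path containing a comma must be quoted (`"src=/tmp/a,b"`), which `encoding/csv` handles and a naive `strings.Split` would not.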
Trying to get this to work, but I'm probably doing it wrong (running against Docker 18.06):

```shell
printf "hello secret" > ./mysecret.txt
export DOCKER_BUILDKIT=1
docker build --no-cache --console=false --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
# syntax = tonistiigi/dockerfile:runmount20180618
FROM busybox
RUN echo "hello world"
RUN --mount=type=secret,id=mysecret echo "anything here"
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
EOF
```

Whatever I try to do with
It doesn't work on 18.06, missing some daemon stuff.

Is # syntax = still needed?
Force-pushed from 77827e4 to 56cf398.
@thaJeztah you're using the runmount flavored dockerfile frontend, instead of secrets. Note that
Agreed it's weird, will debug it but shouldn't be a blocker for this PR. I added a couple of tests.
Yes, this is not part of the stable compiled-in default frontend. PTAL :)

Commit message:

This patch implements `docker build --secret id=mysecret,src=/secret/file`
for buildkit frontends that request the mysecret secret.
It is currently implemented in the tonistiigi/dockerfile:secrets20180808
frontend via RUN --mount=type=secret,id=mysecret

Signed-off-by: Tibor Vass <tibor@docker.com>
Force-pushed from 56cf398 to c4c4825.

Commit message:

vendors github.com/docker/docker to a7ff19d69a90dfe152abd146221c8b9b46a0903d

Signed-off-by: Tibor Vass <tibor@docker.com>
Tried this again, and looks good :)

```shell
printf "hello secret" > ./mysecret.txt
export DOCKER_BUILDKIT=1
docker build --no-cache --progress=plain --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
# syntax = tonistiigi/dockerfile:secrets20180808
FROM busybox
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
EOF
```
LGTM
/cc @albers for bash completion 😅

Big thanks to y'all for the review and to Tonis for the implementation!
It is inaccurate to say that build args will not persist in the final image. They are visible with `docker history` and `docker inspect`. As soon as possible, we should upgrade to docker 18.09 to support `--secret` - a way to securely pass credentials into the build context. docker/cli#1288
This patch implements
docker build --secret id=mysecret,src=/secret/file
for buildkit frontends that request the mysecret secret.
It is currently implemented in the tonistiigi/dockerfile:secrets20180808
frontend via RUN --mount=type=secret,id=mysecret
Signed-off-by: Tibor Vass tibor@docker.com
Also revendors buildkit and docker/docker