Build-time env vars

brianclements · December 2, 2014, 11:02pm

I wanted to continue a discussion from a bug report here regarding build-time env vars.

I’ve been told that something like this:

build-env

VERSION=stable

Dockerfile

FROM radial/axle-base:latest
ADD build-env /build-env
RUN source build-env && mkdir /$VERSION
RUN ls /

is bad practice for Dockerfiles because it breaks “reproducibility”. But how? Can someone please give me a use case where this is a security problem? What is the downside? The use case here is where someone would like to use the same dockerfile to build from source code, by dynamically, at build time, specify a version to build (which could be pulled, compiled, copied, tagged using this same version info etc.)

The point I was trying to make on the bug report was that what if I’m packaging “build-env” along with my source code in my repo? How is this different conceptually then what I “should” do which is make separate Dockerfiles? It’s specifying a value in a file, and uploading it into the container via build time, it affects the end result which is captured as a docker image with a tag. How is that any different then changing a configuration file for my binary, then rebuilding? This is more of a “templating” use of Dockerfiles, yes, whereby instead of editing my dockerfile manually, or forking it and modifying it, I just do this with a drop-in file at build time.

What is the effective difference between three different Dockerfiles, each with manually selected $VERSION variables, vs. one Dockerfile that uses my hack above to produce 3 different image results? I always thought the reproducibility concern was around doing something like SSH into a running container and tinkering while it’s running rather then how we built the image.

Thanks!

svendowideit · December 3, 2014, 1:10am

mmm, wow - I suspect there’s a bit of confusion going on - I suspect that like me, @erikh misread your example to be about out of context env vars, which we’re struggling to design safely.

I think there is a PR that basically suggests doing a variation on this using a ENVFILE instruction - I’ll look it up and see where that goes.

the main problem is that there’s a long discussion on that issue, which is only tangentially related to the issue.

svendowideit · December 3, 2014, 1:13am

ah - Proposal: ENVFILE support in builder (#7688) by TintypeMolly · Pull Request #9190 · moby/moby · GitHub

so really, instead of adding your question to an existing and closed issue, you could make a proposal pull request that we can use to persuade the reviewers that its important and useful

edit<

and then I read that there is Proposal: ENVFILE instruction : Allow to create multiple environment variables from a file · Issue #7688 · moby/moby · GitHub - which is the proposal for it

brianclements · December 3, 2014, 2:20am

Ah, this is great. Thanks sven, I’ll know where to go on this issue now, thanks!

Topic		Replies	Views
ENV to support build-time values in Dockerfile Feature Requests	3	3273	December 24, 2014
Setting up variables during build General docker , build	0	1191	August 23, 2017
Stategies for building Dockerfiles to be reused across environments General automatedbuilds , docker , build	6	5708	July 18, 2016
Docker container environment issue General	2	1701	April 19, 2016
Advice for using docker container for CI build server environment General	0	637	July 21, 2018

Build-time env vars

Related topics