COPY a file that doesn't need to be in the final image

Say I have externally built some artifact that I want to bake into a Docker image. My trivial Dockerfile could look like

FROM ubuntu:16.04
COPY mypackage.deb /
RUN dpkg --install /mypackage.deb \
 && rm /mypackage.deb
CMD ["/usr/bin/hello_world"]

So far, so good; but, the COPY command creates a layer and so my combined image includes the space cost of the .deb file even though it doesn’t need to be part of the final installation. (The rm doesn’t actually save any space.)

Is there a way to avoid this? Or can there be? (Mount the context directory into the build filesystem space? Have a variant of RUN that takes a named file from the context on stdin?)

Instead of adding COPY mypackage.deb
provide a URL from which mypackage.deb could be downloaded.

I can’t: I don’t have a running server of any sort from which it could be downloaded, since a shell script on my local machine just built it, and while I do have some intermediary servers, they’re password protected and I don’t want to make the basic-auth username and password visible to anyone who thinks to run docker history.

Use a volume on the host, mounted in the container for the .deb file.
Also refer

Okay, that issue (and the linked sprawling issue makes it clear that this isn’t a solved problem and there isn’t a solution.

Can you say more about the “use a volume on the host”? I have a very strong impression that (by design) you can’t bind-mount host volumes into a docker build environment.

Use Kubernetes as the cluster manager, which has provision to mount a host path in a Pod.