During the creation of our base docker image we want to do a yum update, but our corporate firewall requires a valid set of credentials to access the outside world. How can I create the image without it containing a username and password for our firewall?

We don’t want this to occur when the container is running, as we would have no control on what updates would be applied to the container, and we wouldn’t have an opportunity to smoke test the updates with our application.

Docker build time secrets are hard. Every approach I can think of in your case is not pretty.

You could come up with some way to serve credentials to your docker build node. Your Dockerfile would have a RUN command that attempts to grab credentials, and then use them for the duration of the RUN call, and never save them. If you wanted the Dockerfile to build in other environments, you’d have to have this process handle a failure to grab the credentials gracefully.

There is a project out in the wild called “redsocks”. Basically, you can set up iptables to route traffic through this userspace program, which in turn sends the traffic through a proxy server transparently. I’ve never used it on a docker host, but I have used it in the past when dealing with stuff that doesn’t easily work with proxies when one is required.

Hopefully this helps!

Many thanks for both suggestions. We’ve gone for using curl within a run command to grab the configuration from a server, and as part of the command, once we’ve updated, the configuration is then deleted. There is more work to be done on this, but at least it’s got us started.

I was a bit worried redsoscks might look like we’re trying to defeat our corporate firewall.

Again, many thanks

Richard.