Docker noob here. Just been reading the Dockerfile best practices and came across something that doesn’t make sense to me:

Each ENV line creates a new intermediate layer, just like RUN commands. This means that even if you unset the environment variable in a future layer, it still persists in this layer and its value can be dumped.

I tested this with the following Dockerfile:

FROM alpine:latest

ENV foo=bar
RUN unset foo
RUN echo $foo

And yes, the final RUN command echos back the value bar.

It’s not clear to me why this is the case though. What has happened to the layer generated by RUN unset foo?

Also a noob, but the layer created by the ENV still contains the set value to bar, so it’s visible from that layer - the unset in the run unsets it only in that newly created layer. That’s how I read https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ (search for “dumped”).

Might be wrong, so happy for any insight from experienced minds.

What’s the use case?
Use ARG if a variable is only supposed to be available during build time.
Use ENV is a variable is supposed to be available in containers (thus, used ot influence the behavior of the container) created from your image.

Many images declare ENV in situation where ARG would be the right choice, like when extracting urls, checksums or version numbers into ENV variables, even though they are only needed when building the image.