[Docker] – Using --build-arg to safely pass confidential information when building Docker images

tips

In this post, we will work through an example that uses the flag --build-arg to build an image with a piece of confidential information.

NOTE: This example uses the word secret because such a value could be used to create a Secret; however, if you are looking to handle real secrets I'd recommend you also check the docker flag --secret. See here.

Example: 

  • Create the Dockerfile as follows

FROM busybox:latest AS builder
ARG BUILD_SECRET
RUN echo $BUILD_SECRET > /secret
RUN stat /secret && cat /secret && echo 'fictional dependency' > /library.txt
RUN rm /secret

  • Now, build it with the following command

$ docker build --build-arg BUILD_SECRET=test-my-secret --tag secret-test-image .

  • Analyse its output.
$ docker build --build-arg BUILD_SECRET=test-my-secret --tag secret-test-image .
Sending build context to Docker daemon  2.048kB
Step 1/5 : FROM busybox:latest AS builder
 ---> 19485c79a9bb
Step 2/5 : ARG BUILD_SECRET
 ---> Using cache
 ---> e279fcf0f94e
Step 3/5 : RUN echo $BUILD_SECRET > /secret
 ---> Running in 4e2214fdcd93
Removing intermediate container 4e2214fdcd93
 ---> 0569566fb031
Step 4/5 : RUN stat /secret && cat /secret && echo 'fictional dependency' > /library.txt
 ---> Running in 2875dec92f0a
  File: /secret
  Size: 15         Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d Inode: 1476418     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-10-21 08:34:27.000000000
Modify: 2019-10-21 08:34:27.000000000
Change: 2019-10-21 08:34:27.000000000

test-my-secret
Removing intermediate container 2875dec92f0a
 ---> bb9ae29477cf
Step 5/5 : RUN rm /secret
 ---> Running in 3cc3b47d6878
Removing intermediate container 3cc3b47d6878
 ---> c6132a506183
Successfully built c6132a506183
Successfully tagged secret-test-image:latest

  • Now, analyse the image and check that the build argument BUILD_SECRET was used to build the image as required, but that the file is no longer in the container, because the last layer in the Dockerfile is RUN rm /secret

$ docker run -it secret-test-image ls -lasp /
total 48
4 drwxr-xr-x    1 root     root          4096 Oct 21 08:38 ./
4 drwxr-xr-x    1 root     root          4096 Oct 21 08:38 ../
0 -rwxr-xr-x    1 root     root             0 Oct 21 08:38 .dockerenv
12 drwxr-xr-x    2 root     root         12288 Sep  4 17:26 bin/
0 drwxr-xr-x    5 root     root           360 Oct 21 08:38 dev/
4 drwxr-xr-x    1 root     root          4096 Oct 21 08:38 etc/
4 drwxr-xr-x    2 nobody   nogroup       4096 Sep  4 17:26 home/
4 -rw-r--r--    1 root     root            21 Oct 21 08:34 library.txt
0 dr-xr-xr-x  225 root     root             0 Oct 21 08:38 proc/
4 drwx------    2 root     root          4096 Sep  4 17:26 root/
0 dr-xr-xr-x   13 root     root             0 Oct 21 08:38 sys/
4 drwxrwxrwt    2 root     root          4096 Sep  4 17:26 tmp/
4 drwxr-xr-x    3 root     root          4096 Sep  4 17:26 usr/
4 drwxr-xr-x    4 root     root          4096 Sep  4 17:26 var/
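The container's filesystem is only one place to look. The classic builder records --build-arg values in the image metadata shown by docker history, and a file removed by a later RUN is still stored in the layer that created it. The following audit helpers are an added example, not code from the original post; they take the image name and ARG value from the example above, and the sample history listing is constructed rather than captured.

```shell
#!/usr/bin/env sh
# Added audit helpers (not from the original post). Image name and ARG value
# are taken from the example above; everything else is an assumption.

# Print the lines of a `docker history --no-trunc` listing that embed the
# secret. The classic builder records ARG values in the RUN layer's command
# ("|1 BUILD_SECRET=... /bin/sh -c ..."), so a match means anyone who can
# pull the image can read the value.
scan_history() {
    history_text=$1
    secret=$2
    printf '%s\n' "$history_text" | grep -F -- "$secret"
}

# List the layer tarballs under an extracted `docker save` archive that
# contain the given path. A file created in one layer and removed by a
# later RUN is still stored in full in the earlier layer.
scan_layers() {
    extracted_dir=$1
    wanted=$2   # path as stored in layer.tar, without leading slash
    for layer in "$extracted_dir"/*/layer.tar "$extracted_dir"/blobs/sha256/*; do
        [ -f "$layer" ] || continue
        if tar -tf "$layer" 2>/dev/null | grep -qx -- "$wanted"; then
            echo "$layer"
        fi
    done
}

# Constructed sample of what `docker history --no-trunc secret-test-image`
# prints for the Dockerfile above (ids shortened, columns trimmed; not real output).
SAMPLE_HISTORY=$(cat <<'EOF'
IMAGE           CREATED BY
sha256:c6132a   /bin/sh -c rm /secret
sha256:bb9ae2   /bin/sh -c stat /secret && cat /secret && echo 'fictional dependency' > /library.txt
sha256:056956   |1 BUILD_SECRET=test-my-secret /bin/sh -c echo $BUILD_SECRET > /secret
sha256:e279fc   /bin/sh -c #(nop)  ARG BUILD_SECRET
EOF
)

# Against a real image (needs docker; not run here):
#   docker history --no-trunc secret-test-image | grep -F -- test-my-secret
#   docker save secret-test-image -o img.tar && mkdir img && tar -xf img.tar -C img
#   scan_layers img secret
```

If either check prints anything, the value is recoverable from the pushed image and the --secret flag mentioned in the note above is the tool to reach for.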

NOTE: Also, feel free to check related posts by searching for the Kubernetes and Docker tags on this website.
