1
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

@yuta_vamdemic(yuta)

DockerBuild実行時にsecret情報などをイメージに乗らせないようにする

1
Posted at

参考

概要

  • 一時的に扱うような資格情報とかを隠すことができる
    • というのは、DockerBuildが走る際にローカルマシンのファイルからSecret扱いでDockerfileに渡る
    • Biild時にはそのSecretが出力されるものの、/run/secret/の下にファイルが作成され、ビルドイメージには乗ってこない
    • Buildkitという機能らしい

準備

mysecret.txt
WARMACHINEROX

# syntax=docker/dockerfile:1.2

FROM alpine

# shows secret from default secret location:
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

# shows secret from custom secret location:
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar

ビルド

DOCKER_BUILDKIT=1 docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt .

出力結果

# 1 [internal] load build definition from Dockerfile
# 1 sha256:8f00e80f65067d1c0d41665d67203cb5237148731db94e875148cd4cc66f5ec0
# 1 transferring dockerfile: 38B done
# 1 DONE 0.0s

# 2 [internal] load .dockerignore
# 2 sha256:a8882e94112cddc2da76edbd0f503b77bfa68c7d466b1ab0b3d9c3db28cc0827
# 2 transferring context: 2B done
# 2 DONE 0.0s

# 3 resolve image config for docker.io/docker/dockerfile:1.2
# 3 sha256:b239a20f31d7f1e5744984df3d652780f1a82c37554dd73e1ad47c8eb05b0d69
# 3 DONE 1.4s

# 4 docker-image://docker.io/docker/dockerfile:1.2@sha256:e2a8561e419ab1ba6b2fe6cbdf49fd92b95912df1cf7d313c3e2230a333fdbcc
# 4 sha256:37e0c519b0431ef5446f4dd0a4588ba695f961e9b0e800cd8c7f5ba6165af727
# 4 CACHED

# 5 [internal] load metadata for docker.io/library/alpine:latest
# 5 sha256:d4fb25f5b5c00defc20ce26f2efc4e288de8834ed5aa59dff877b495ba88fda6
# 5 DONE 0.0s

# 8 [1/3] FROM docker.io/library/alpine
# 8 sha256:665ba8b2cdc0cb0200e2a42a6b3c0f8f684089f4cd1b81494fbb9805879120f7
# 8 CACHED

# 6 [2/3] RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
# 6 sha256:75601a522ebe80ada66dedd9dd86772ca932d30d7e1b11bba94c04aa55c237de
# 6 0.294 WARMACHINEROX
# 6 DONE 0.3s

# 7 [3/3] RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
# 7 sha256:a1db940558822fcffbe7da0dc8b9f590a2870c01ea3a701051b7ce68412dc694
# 7 0.346 WARMACHINEROX
# 7 DONE 0.4s

# 9 exporting to image
# 9 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
# 9 exporting layers 0.0s done
# 9 writing image sha256:d1523144da7a5f64952edcec97e950e70432b7bb7c2115eccd17d445ed0c2a92
# 9 writing image sha256:d1523144da7a5f64952edcec97e950e70432b7bb7c2115eccd17d445ed0c2a92 done
# 9 DONE 0.0s
1
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
1
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?