Support for BuildKit extensions (secrets)

[tommie]

What is the problem you're trying to solve

With multi-stage builds, it's useful to be able to e.g. access an SSH server only from within the build image. Docker now supports that with BuildKit. It adds new command line flags and Dockerfile syntax. Compose should allow defining build secrets, just like it supports runtime secrets.

Building using BuildKit is enabled through an environment variable (DOCKER_BUILDKIT=1) or a Docker configuration file setting.

Compose already supports runtime secrets, which are files "mounted" inside a container. BuildKit seems very similar, but with some differences:

1. --ssh, which simply mounts a Unix socket and sets the SSH_AUTH_SOCK environment variable for RUN commands that request it.
2. The dst flag, which specifies an alternative directory (default is still /run/secrets/).
3. Though it's undocumented, it seems setting owner and mode is supported.

Describe the solution you'd like

This is a high-level discussion around the requirements of a solution. A more concrete suggestion would probably be more suited for a PR.

Tie in to the existing secrets. A file secret is defined by

• Type, but only file is currently supported
• ID (used to reference the secret in a RUN
• Source (the file path)

An SSH secret is defined by

• ID
• Agent socket paths

Both of them are referenced/dispatched by specifying

• Source (only for file secrets; implied for SSH)
• Target
• Required (boolean)
• UID
• GID
• Mode

This seems similar enough that it should be possible to extend the secrets section, and allow referencing it in an image's build section. The SSH type is specific to BuildKit, so parsing code would have to know which type is allowed in build/runtime. Using a separate section for build secrets is a possibility.

Lastly, adding a "builder" selector that allows choosing "buildkit" as the builder could set the right environment variable to allow parsing these flags. (The Dockerfile still needs to have the syntax line to support the RUN --mount variant.)

Additional context

A spec PR was suggested as the first step, in docker/compose#7296 (comment).

The --secret command line option is parsed into a github.com/moby/buildkit/session/secrets/secretsprovider.FileSource. The --ssh option is parsed into a github.com/moby/buildkit/session/sshforward/sshprovider.AgentConfig.

The secret mount is dispatched at https://github.com/moby/buildkit/blob/195f9e598cc7ba82aabefe60d564df7329cb38dd/frontend/dockerfile/dockerfile2llb/convert_secrets.go, and the ssh mount is dispatched at https://github.com/moby/buildkit/blob/195f9e598cc7ba82aabefe60d564df7329cb38dd/frontend/dockerfile/dockerfile2llb/convert_ssh.go.

[AkihiroSuda]

cc @tonistiigi @tiborvass

[pikeas]

This would be great, is there a timeline for when the proposal will be reviewed?

[EricHripko]

Hi @pikeas, thanks for chasing this up 👍 It's holiday season now, so a lot of people are unavailable, but I added this proposal to be discussed in the next community meeting.

[EricHripko]

To better understand the demand for each proposed function, I'd love for subscribers on this issue to vote. Could you please do the following?

• Add 🎉 to this comment if you're interested in file secrets
• Add 🚀 to this comment if you're interested in SSH secrets

Feel to add both if you're interested in both types of secrets; and thank you for your engagement 🙂

[srittau]

Docker 20.10 also supports env secrets. We use those to pass our Font Awesome auth token to docker:

DOCKER_BUILDKIT=1 \
  docker build \
  --secret id=fontawesome,env=FONTAWESOME_NPM_AUTH_TOKEN \
  .

Dockerfile:

...
RUN --mount=type=secret,id=fontawesome,required \
  export FONTAWESOME_NPM_AUTH_TOKEN=$(cat /run/secrets/fontawesome) && \
  yarn install --frozen-lockfile
...

Support for those would be useful as well.

[EricHripko]

Had a discussion about this in the Compose Spec meeting today, my notes are below:

• There was general agreement that this is one of the most requested features we have today (shout-out to the community 😉 )
• There was also a point raised that build-time secrets aren't uncommon (e.g., internal package registries that require auth)
• Primary concern was that we shouldn't make the spec too Docker-specific if possible (to enable other implementations to thrive)
• A complicating factor was that alternative Compose implementations of today typically focus on runtime aspect of workflow (as opposed to build)
• A good rule of thumb that was shared - demonstrate at least one use case in addition to local one

I've taken the action point of writing down some use cases to verify that this wouldn't be too Docker-specific. Equipped with this information, we'll be able to regroup and hopefully make the call on this proposal. Thus, if anyone wants to share various tools used to build environments (not only containers, but also things like VMs, change-roots...) please feel free to drop them in comments and I'll add it to my research materials 🙂 Thanks everyone again for their patience and positive engagement!

[tommie]

Thanks, Erik.

A complicating factor was that alternative Compose implementations of today typically focus on runtime aspect of workflow (as opposed to build)

What do you mean by "alternative implementations" here?

Given that BuildKit is newish to Docker, it seems like caring about build once runtime is working is a natural progression.

[Niek]

There's a 1,5-years old PR that solves this is a less elegant way: docker/compose#7046

IMHO it would make most sense implement build secrets the same as runtime secrets:

services:
  my-application:
    build:
      secrets:
        - my-secret

secrets:
  my-secret:
    file: /path/to/local/file

[tommie]

@Niek Agreed. I thought I made a PR for this spec change proposal, but apparently I never committed it. It's identical to yours, except, as with runtime secrets, there's a long and short form.

I saw/see no reason why this couldn't use the normal secrets mechanism, other than--possibly--secrets being loaded eagerly from secrets rather than as-needed from build/secrets. I don't remember if that's the case or not. Someone else will probably know by heart.

However, we also need the switch to enable BuildKit so the RUN --mount option is parsed in Dockerfile. Perhaps that should be controlled by requirements/capabilities, rather than "is-buildkit". Something like

services:
  my-application:
    build:
      requires:
        - run-mount

as opposed to

services:
  my-application:
    build:
      builder: buildkit

[EricHripko]

As per comment above, took a look at other tools for building environments:

• Containers: as expected, these have a number of ways to mount the secrets from the host.
  • buildkit - supports file secrets via RUN --mount=type=secret,id=mysecret ... and --secret id=mysecret,src=mysecret.txt
  • buildpacks - generically supports mounts via --volume <host path>:<target path>[:<mode>]
  • s2i (source-to-image) - generically supports mounts via --volume <host path>:<target path>[:<mode>]
  • buildah - supports explicit mounts (via --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]) and implicit global mounts (configured via mounts.conf)
  • kaniko can only have global secrets, defined in K8S manifest
• Virtual Machines: these typically use variables (sometimes marked as sensitive) that are referenced in resource definitions. The examples are rarely file-based and are either sourced from environment variables or remote storage.
  • packer - secrets are specified as environment variables and referred by the templates via var.
  • ansible - secrets typically are specified as variables in playbooks. Variables can hold lists and maps (Proposal: hierarchical secrets #93 might be of relevance here) and can be set in variety of ways.
  • terraform - secrets are again typically specified as variables that contain strings. These can be either supplied as environment variables or encrypted in the resource definition with a dedicated KMS.

There were a few other cases (like NixOS Containers), which didn't seem to be too different from the above - so they aren't mentioned here.

Planning to bring this up at the next meeting to discuss and see if we can make the call on the proposal.

[EricHripko]

@Niek @tommie thank you for this context, this'll be really useful to help shape the schema if this proposal gets the greenlit 👍