Builder - Build-time argument passing (e.g., HTTP_PROXY)

[icecrime]

Description

In the past, we refused pull requests which were basically allowing to inject environment variables or such through the command line as it makes it too easy to write a Dockerfile which would only build assuming you know what it expects. We believe this would hinder repeatability of builds.

Nevertheless, there is a real need for build-time argument passing, one example which we often get being HTTP_PROXY. We believe Docker should have a predefined set of general purpose build-time variables it allows to override like this one, as well as a Dockerfile instruction allowing to define image-specific ones.

How to

The best description of the solution is described here #9176 (comment). However, we would still like to prioritize client-side build (#14298) before moving on to this feature.

To give a few more details:

• Introduce a new ARG Dockerfile instruction that defines a build-time argument. The instruction take the name of the argument, a default value (which can be empty), and an optional description.
• Introduce an internal list of builtin, Engine-provided, build arguments. In a first version, the set of predefined arguments will be HTTP_PROXY, HTTPS_PROXY, FTP_PROXY, and NO_PROXY.
• Introduce a new --build-arg command-line flag to docker build that will receive argument values (e.g., docker build --build-arg HTTP_PROXY=http://...) in a similar way that docker run -e works today.
• Build-time arguments will not be persisted into the resulting image.
• Build-time arguments are injected in the environment of commands being RUN'ed as part of the build.
• Build-time arguments are available as substitution throughout the Dockerfile (for example, they can be used as part of an ENV instruction).

What's next

Ping @duglin for review.
Ping @mapuri: we'd really appreciate if you could close your original PR and submit a rebased version of it that implements the spec described here. Thanks again for your patience 👍

Tentatively adding this to the 1.9.0 milestone.

[marcellodesales]

Expectations

@icecrime I think you definitely gave a great summary about the importance of this feature... As (#14298) is prioritized, do you see (#9176) also making their way to Docker 1.8??? I've been waiting for this feature for such a long time and it is blocking the development of a Docker Registry + Builder solution, for instance.

CI Servers in mind

Our worker hosts are behind the HTTP_PROXY and NO_PROXY, no HTTP connection at all from outside world... So, ALL of our Docker builds must depend on Images that are behind one of our Docker Registries. That is, all of the images depend on a parent that we host. Engineers trying out Docker for the first time usually complain about the inability of getting a Docker file from the public Registry and building it locally.

As we own our builder machines (those that runs "docker builds" upon git merge of a GitHub Enterprise environment), we could easily be augmenting the default build steps with the Host's options, which would include the HTTP_PROXY related environment variables automatically. All because YUM, NPM, MAVEN etc would need those variables in order to properly load dependencies.

Thanks and I would love get this ASAP...

[icecrime]

Added more details, and tentatively adding to 1.9.0 milestone.

[mapuri]

@icecrime thanks for pinging me.

At a high level, as I understand, this spec adds to #9176 a new ARG primitive to validate the passed --build-arg flags against.

I can start looking at changes to rebase my patch to this new spec. I will close #9176 and update this thread as I make progress. Just FYI, I will need a few cycles to scope the work and prioritize this among my other things so it might be a bit slow. Looking forward to contribute.

[icecrime]

@mapuri No problem at all, thank you so much for your understanding here. We will fix this ;-)

[thaJeztah]

@icecrime I think this will replace #4962 as well?

[icecrime]

@thaJeztah Yes!

[jgreat]

I have another use case for the ability to inject environment variables at build time: credentials.

We use docker to containerize our private apps. A lot of these apps need access to private package repositories like npm and github at build time. At this time the only way reasonable way to provide these credentials in an automated build is to include a file in the code repository. This isn't an ideal solution.

Having the ability to pass in an api key or username/password at build time is a feature I've been waiting for a long time.

[icecrime]

Build time secrets are an entirely different topic.

[mapuri]

@icecrime @duglin

just FYI I created the PR #15182 to address the requirements for ARG and --build-arg

PTAL when you get a chance.

[igorescobar]

👍