Proposal: docker build read Dockerfile from stdin

[dsheets]

I propose that docker build accept -f - to indicate that the Dockerfile to be used is read from the STDIN of the docker client process.

Use cases

• Shared engine CI systems can now stack anonymous image builds easily without requiring intermediate directories or tar archives
• Dockerfiles in local directories, tar archives, and git repos can now be overridden
• docker build is now a versatile shell scripting command as Dockerfiles can participate in shell pipelines decoupled from file system contexts

New capabilities

• Uncooperative remote tar archives and git repos can now have out-of-band Dockerfiles applied to them
• Local directory builds can now have Dockerfiles imported for just the build via I/O redirection

Design considerations

• A - stdin reader interface already exists in the context path argument so any -f - implementation will have to accommodate that
• Accepting - in place of file paths is a common UNIX idiom to indicate that what would have been read from the path specified should instead be read from stdin; this makes having docker participate in UNIX pipelines much easier
• This feature could be abused to avoid Best Practice so all advice regarding application/system design should be maintained and users should be encouraged to place Dockerfiles in repositories and tarballs so builds are straightforward and unambiguous when possible

Cases

• builder.GetContextFromReader (builder/context.go) is used to read a context (or Dockerfile only) from stdin: nothing will change, a file called - will still be sourced from the stdin tarball (or still ignored in the case of Dockerfile only on stdin)
• builder.GetContextFromGitURL (builder/context.go) is used to read a context from a git URL and the resultant context will have its Dockerfile rewritten and used for the build
• builder.GetContextFromURL (builder/context.go) is used to read a context from a remote URL and the resultant context will have its Dockerfile rewritten and used for the build (or ignored in the case of a Dockerfile only context)
• builder.GetContextFromLocalDir (builder/context.go) is used to read a context from a local directory and the resultant context will have its Dockerfile rewritten and used for the build

Implementation

I've prototyped this functionality by rewriting the tar stream of the context before the trusted pull rewriting. If there is interest in this functionality, I will clean up my prototype and submit a PR. I welcome your ideas regarding this or similar features. Thanks!

[thaJeztah]

@dsheets perhaps I misunderstood, but docker build already allows building from stdin;

Note: If you build by passing a Dockerfile through STDIN (docker build - < somefile), there is no build context, so the Dockerfile can only contain a URL based ADD instruction. You can also pass a compressed archive through STDIN: (docker build - < archive.tar.gz), the Dockerfile at the root of the archive and the rest of the archive will get used at the context of the build.

Or is this to build using the local build context, but getting only the dockerfile from stdin?

[dsheets]

@thaJeztah sorry I wasn't clearer. Your second explanation is correct. This proposal is to have the build context indicated by local path, git repository, or URL and the Dockerfile only to be read from stdin and supply the build instructions (or override existing build instructions) from the context.

The use case that prompted this proposal is the first in the above use case list -- stacking anonymous images in a shared engine CI environment. It is much easier and more natural to pipe around text than tar files and there are many common tools to source/modify/compile text compared to tar files without creating temporary files or directories.

[thaJeztah]

@dsheets clear! Sounds reasonable to me (although the documentation may need a rewrite as all possible combinations become quite complex)

[justincormack]

Actually I am not sure what the current behaviour is, is -f supported at all when using a git url at present?

[duglin]

I believe it should still work - as long as the -f points to a file in the context/git-repo. It should allow for you to build from a Dockerfile that’s not in the root.
-Doug

On Oct 16, 2016, at 9:03 PM, Justin Cormack notifications@github.com wrote:

Actually I am not sure what the current behaviour is, is -f supported at all when using a git url at present?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub #27393 (comment), or mute the thread https://github.com/notifications/unsubscribe-auth/AB2sX2f_SbTC6Yi2ydmIB5kailTz_Wziks5q0iCIgaJpZM4KXOEm.

[justincormack]

I think this is a bit inconsistent, as I believe -f always just points to a name in the context, and -f - does not make sense like that.

I think it would be better to allow multiple contexts which are appended so you could do docker build git://... Dockerfile which would append the Dockerfile to the git bundle, overwriting any Dockerfile in it, and then you could also allow docker build git:// - as a file (vs tarball) on stdin is assumed to be a file called Dockerfile. I have other use cases for multiple appended bundles as a build context as well.

[dsheets]

For the local directory case, -f path will resolve path relative to the cwd of the docker client process which is inconsistent with the stdin, git, and URL cases. It is a widespread convention that path arguments can be - to read from stdin which is consistent with the local directory case (relative to the invocation).

Currently, a local context can only be a directory (not a tarball or a Dockerfile). This isn't currently consistent but the suggestion to stack contexts would have to expand that functionality as well. If you have use cases for stacked contexts, I recommend a separate proposal outlining them. I don't see any reason why the build subcommand shouldn't support both -f - and stacked contexts but the latter seems like a separate matter and a significantly larger extension of the CLI.

[thaJeztah]

@justincormack -f allows picking Dockerfile from anywhere, including outside of the build-context, but it's treated as if it's at the root of the build-context

[dsheets]

I think currently -f takes an arbitrary path and, when the context is a local directory, uses that path relative to the cwd of the docker client process but the Dockerfile path must be within the build context otherwise:

unable to prepare context: The Dockerfile (/Users/dsheets/Code/test/Dockerfile) must be within the build context (foo)

[duglin]

@thaJeztah's comment about being able to indirectly reference a Dockerfile from outside of the build context is a really interesting usecase - I'd love to hear about some usecase/need for that one.

My initial reaction to this is that it could lead to a bit of confusion since we would support "-" being an option of -f as well as in place of the build context location (last param). This isn't necessary an issue since we would need to restrict the user from specifying it in both places, but just something to think about.

Would still like time to think about this, but I'm leaning towards saying we should add this since it pretty consistent with other tools that support similar options and it could open up some interesting usecases. For example:
docker build -f /path/to/tomcat/Dockerfile .
where the referenced Dockerfile would act like a CloudFoundry buildpack - meaning it takes your app and packages it up w/o you really knowing what's going on - you just know what Dockerfile to use - and you don't need to modify your code/dir to do it. And if the /path/... was allowed to be a URL (e.g. http://docker.com/buildpacks/tomcat) I think that would be pretty neat.

[justincormack]

I would like to be able to use a Docker file outside a tarball build
context, but I am not sure if this can be made backwards compatible...

On 19 Oct 2016 15:28, "Doug Davis" notifications@github.com wrote:

@thaJeztah https://github.com/thaJeztah's comment about being able to
indirectly reference a Dockerfile from outside of the build context is a
really interesting usecase - I'd love to hear about some usecase/need for
that one.

My initial reaction to this is that it could lead to a bit of confusion
since we would support "-" being an option of -f as well as in place of the
build context location (last param). This isn't necessary an issue since we
would need to restrict the user from specifying it in both places, but just
something to think about.

Would still like time to think about this, but I'm leaning towards saying
we should add this since it pretty consistent with other tools that support
similar options and it could open up some interesting usecases. For example:
docker build -f /path/to/tomcat/Dockerfile .
where the referenced Dockerfile would act like a CloudFoundry buildpack -
meaning it takes your app and packages it up w/o you really knowing what's
going on - you just know what Dockerfile to use - and you don't need to
modify your code/dir to do it. And if the /path/... was allowed to be a URL
(e.g. http://docker.com/buildpacks/tomcat) I think that would be pretty
neat.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#27393 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAdcPEgS5nQHgLEF6uuNEz02PYm7Byn_ks5q1ikZgaJpZM4KXOEm
.

[thaJeztah]

You mean multiple -f flags, one for tar, one for Dockerfile?

[duglin]

@justincormack where do you see the incompatibility?

Actually, the more I think about this... @dsheets how do you see this working? Right now the Dockerfile is passed as part of the context, not as an independent entity to the REST API.