Proposal: Dockerfile BUILD instruction

[proppy]

TLTR;

BUILD /rootfs/path/to/context == RUN docker build /rootfs/path/to/context

---

This was originally a fork of proposal #7115, as I didn't want to pollute the main discussion.

Suggested changes were:

• in Proposal: Nested builds #7115 the first argument to IN scopes and populates the rootfs of the inner build, and the context are shared w/ the outer build. With this proposal you explicitly pass a new context to the inner build, and you have to ADD or COPY file from the context to the image, just like a regular docker build.

Since then @tonistiigi made a simpler PoC in #8021, this proposal was then updated to match the PR.

---

Proposal

Most application that build from sources have a disjoint set of build and runtime dependencies/requirements. Because of convenience and in order to benefit from automated build, most images bundle both in their docker images.

A common example is a go application, where the go toolchain and possibly a C compiler is necessary to build the app, but busybox is totally fine to run it.

Another example is a java application, where the JDK is necessary to build the app, but the JRE is enough to run it.

This proposal derives the main ideas from #7115 and #8021 to introduce a simple syntax for allowing chained build with explicit contexts. The indent is to generalize and consolidate workarounds introduced w/ #5715 (docker run builder | docker build -t runner) into the main Dockerfile syntax.

New Dockerfile keyword BUILD

Usage:

BUILD <path/to/context> [path/to/Dockerfile]
[FROM ...
other Dockerfile instructions]...

Description:

BUILD triggers a new docker build job using a given context directory (coming from the image rootfs being built), followed by new Dockerfiles instructions.

Either the path/to/Dockerfile, or the Dockerfile are the root of the new <context> if present or the instructions following the BUILD command are used in-lieu-of the Dockerfile of the new build job: in that order; if instructions follow the BUILD command and path/to/Dockerfile is set or <context>/Dockerfile exists, the build is failed.

The new build start with a fresh rootfs populated from the inner FROM instructions and a fresh environments and replaces the current build job.

It is effectively equivalent to being able to call RUN docker build /path/to/context in a Dockerfile.

Example:

FROM ubuntu

RUN apt-get install build-essentials
ADD . /src
RUN cd /src && make

BUILD /src/build
FROM busybox
COPY app /usr/local/bin/app
EXPOSE 80
ENTRYPOINT /usr/local/bin/app

Note that:

• the context in chained build is different from the context in the previous build.
• docker build -t would tag the last chained build defined at the end the Dockerfile until there is a better support for naming distinct image in Dockerfile (the problem already exists today with multiple FROM)
• changes made to /src/build after the BUILD block won't be represented in the chained image
• chained BUILDs can't make change to the previous directory being passed as the context, much like regular build can't mutate the context: the context gets tared like regular docker build today and the inner BUILD operate on a copy.

[cyphar]

Wait, so each BUILD block is a separate set of Dockerfile instructions that relate to a subdirectory of the container (or of the host context?)? How does that play with containers? Are the filesystem changes committed to some "root" image that is used throughout the build? Are they executed in the order they are described in the file?

[proppy]

@cyphar I updated the description and cmmented below to answer your question. Let me know if there is still some questions.

so each BUILD block is a separate set of Dockerfile instructions that relate to a subdirectory of the container (or of the host context?)

Yes, a subdirectory of a container being built. Updated the description.

How does that play with containers? Are the filesystem changes committed to some "root" image that is used throughout the build?

The outer build container should be unaffected by the inner ones, much like a docker build doesn't have side effect on the context directory being passed.

Are they executed in the order they are described in the file?

Yes, updated the description.

[cyphar]

@proppy

The outer build container should be unaffected by the inner ones ...

Does that mean that the context is executed in a container with the directory of the context as the root? How do we deal with binaries in that case? If not, what will happen if someone modifies the outside directory? Is it not committed or is that undefined?

[proppy]

Does that mean that the context is executed in a container with the directory of the context as the root? How do we deal with binaries in that case? If not, what will happen if someone modifies the outside directory? Is it not committed or is that undefined?

The context directory gets tared before running the inner build, just like docker build today, The inner BUILD effectively operate on a copy: You can really think of it as if you were allowed to run RUN docker build /some/directory in your Dockerfile.

I updated the description, let me know if it still isn't clear.

[shykes]

What's the difference with #7115 other than renaming IN to BUILD?

[proppy]

@shykes in #7115 the first argument to IN scopes and populates the rootfs of the inner build and the context are shared w/ the outer build. With this proposal you explicitly pass a new context to the inner build, and you have to ADD or COPY file from the context to the image, just like a regular docker build.

I will clarify the Description to point out the main difference between #7115 and this one at the top.

[shykes]

I see. Thanks for clarifying.

What about image naming? In your example above, what would be the resulting images?

[proppy]

@shykes (see the notes at the end of the proposal) it wouldn't be different from multiple FROM that are supported today: last build win the tag.

docker build -t would tag the last inner build defined at the end of the Dockerfile, until there is a better support for naming distinct image in Dockerfile (the problem already exists today with multiple FROM)

[chancez]

I would love to see this. It would make it so much easier to run builds where the build environment is one step, and the resulting image you generate could not include all the build artifacts.

[tonistiigi]

I like this proposal very much.

I would even more simplify it and lose the curly braces so that you can switch to a next build step but never come back. I think that its not a good idea to support support multiple build blocks in the same level. Goal of a Dockerfile should be to build a single target image, others should just be helpers.

For the tagging question, I think "last build wins tag" is a good solution. If we would use the linear syntax then the parent builder image could be auto tagged like mytag-builder and mytag-builder-builder.

@shykes I'd be happy to attempt an implementation of this if any of the project maintainers thinks this has a chance end up in upstream.