BEGIN/COMMIT syntax for Dockerfile

[burke]

I just brought this up in IRC and @erikh mentioned the idea had been rejected. I'm opening this issue to register our need for this feature. We've gone to a tremendous amount of trouble to work around its non-presence, and I think it would be helpful to a lot of users. Here's why:

1. Layer count limits

We use BTRFS, so this doesn't actually matter to us, but AUFS's limit of 42 layers means that creating a layer for (especially) each piece of metadata can cause some complex images to approach this limit.

2. File size

In the past, we needed the full .git directory available briefly during our build process. Currently we'd have to model this like so with a Dockerfile:

ADD git_repo /app
RUN do_stuff_with_git && rm -rf /app/.git

Unfortunately, ADD and RUN can't occupy the same layer, so the .git directory is a permanent feature of the image hierarchy, adding (for us) 350MB to each image build on our core product.

3. Sensitive information

This is part of our build process:

1. Pass a private key into the container
2. Decrypt some encrypted data stored in the git repo (API tokens and DB passwords, etc.)
3. Perform some action with the encrypted data
4. Discard the decrypted secrets and private key

With the current builder model, this is impossible to do without the private key and plaintext secrets appearing in the final image hierarchy.

In this case we'd have to model the process as:

ADD privatekey /privatekey
RUN decrypt -o /secrets && do_stuff --with /secrets && rm -f /privatekey /secrets

Since ADD and RUN can never occupy the same layer, the private key is stuck in our image hierarchy.

4. Cosmetic

The way people have to chain together long sequences of RUN commands with && feels really awkward.

---

We've written a huge amount of code to work around this limitation. It would certainly simplify our lives if this were accepted as a feature, and I'd be really surprised to hear we're alone.

The implementation I expect makes the most sense is:

RUN a
BEGIN
RUN b
RUN c
RUN d
COMMIT
RUN e

# layers a, b+c+d, e

...however, ignoring the AUFS issues, the only really important thing is some way to be able to run a command after adding files within the same layer.

/cc FYI @graemej @marc-barry @sirupsen @ibawt @tobi

[thaJeztah]

+1. I know there are a lot of proposed changes for this (so this one could be marked as a partial duplicate), but I like the begin/commit (or similar) syntax for its simplicity.

Especially this;

The way people have to chain together long sequences of RUN commands with && feels really awkward.

Having to malform a readable Dockerfile to a hard-to-read Dockerfile, just to work around the limitation of the layering is something I really dislike.

So all in all, I don't know if this is the best proposal (other notations may have their advantages as well), but +1.

[erikh]

FWIW, the original proposal I made had no “BEGIN” statement, just COMMIT and an implicit COMMIT at the EOF. BEGIN is assumed after COMMIT or at beginning of file.

HTH.

On Oct 14, 2014, at 2:40 PM, Burke Libbey notifications@github.com wrote:

I just brought this up in IRC and @erikh mentioned the idea had been rejected. I'm opening this issue to register our need for this feature. We've gone to a tremendous amount of trouble to work around its non-presence, and I think it would be helpful to a lot of users. Here's why:

1. Layer count limits

We use BTRFS, so this doesn't actually matter to us, but AUFS's limit of 42 layers means that creating a layer for (especially) each piece of metadata can cause some complex images to approach this limit.

1. File size

In the past, we needed the full .git directory available briefly during our build process. Currently we'd have to model this like so with a Dockerfile:

ADD git_repo /app
RUN do_stuff_with_git && rm -rf /app/.git
Unfortunately, ADD and RUN can't occupy the same layer, so the .git directory is a permanent feature of the image hierarchy, adding (for us) 350MB to each image build on our core product.

1. Sensitive information

This is part of our build process:

1. Pass a private key into the container
2. Decrypt some encrypted data stored in the git repo (API tokens and DB passwords, etc.)
3. Perform some action with the encrypted data
4. Discard the decrypted secrets and private key
   With the current builder model, this is impossible to do without the private key and plaintext secrets appearing in the final image hierarchy.

In this case we'd have to model the process as:

ADD privatekey /privatekey
RUN decrypt -o /secrets && do_stuff --with /secrets && rm -f /privatekey /secrets
Since ADD and RUN can never occupy the same layer, the private key is stuck in our image hierarchy.

1. Cosmetic

The way people have to chain together long sequences of RUN commands with && feels really awkward.

We've written a huge amount of code to work around this limitation. It would certainly simplify our lives if this were accepted as a feature, and I'd be really surprised to hear we're alone.

The implementation I expect makes the most sense is:

RUN a
BEGIN
RUN b
RUN c
RUN d
COMMIT
RUN e

layers a, b+c+d, e

...however, ignoring the AUFS issues, the only really important thing is some way to be able to run a command after adding files within the same layer.

/cc FYI @graemej @marc-barry @sirupsen @ibawt @tobi

—
Reply to this email directly or view it on GitHub.

[thaJeztah]

The advantage of having an explicit BEGIN is that the parser doesn't have to check the entire Dockerfile up front to see if each instruction should start a new layer or should all be grouped in a single layer.

BEGIN is assumed ..... or at beginning of file.

But (as mentioned above), then Docker would have to "merge" previous layers when it encounters a COMMIT, because it didn't know that the layers had to be grouped together when it started the build?

One thing I'm not sure of, is how Docker would handle caching of individual instructions inside a BEGIN/COMMIT block; would changing one instruction inside such block invalidate all instructions in the block? Even those before the changed instruction? I guess that's the only sensible way, because all those instructions are working in the same layer.

[burke]

Well, right now the cache key is functionally equivalent to:

if command == ADD:
  - parent image ID
  - tarsum of file contents

Others:
  - parent image ID
  - text of command (eg. "RUN apt-get update")

(tarsum basically tars the directory up and takes a sha1sum of it or something similar).

In this scheme, docker could decide whether to use the cache for a layer using a key like:

BEGIN / ...  / COMMIT:
  - parent image ID
  - hash of the complete text of the BEGIN/COMMIT block.
  - tarsum of all files referenced by ADD commands.

[guilhermebr]

+1.
I am come to propose the same thing, using a different key, but BEGIN/COMMIT sounds good.
It's ugly add many && at same instruction... =[

[burke]

So, I think even with #12198, there's still more benefit to be had in this proposal. It would allow for disk and time savings on the machine building the image if it weren't required to actually build all the batched layers, but to be able to apply all the composite operations to a single container, then commit it as one image per COMMIT. However, this is a LOT more invasive in terms of builder modifications, so I'll close this for now.