containers / podman-compose

a script to run docker-compose.yml using podman
GNU General Public License v2.0

Environment variables defined in compose file are included in image build #931

Open uosis opened 2 months ago

uosis commented 2 months ago

Describe the bug

Environment variables defined in compose file are included in image build. They should only be defined at runtime.

Aside from being a deviation from docker compose behavior, this is a potential security concern since it is common for those variables to contain secrets.

To Reproduce

Dockerfile:

FROM scratch

compose.yaml:

version: "3"
services:
  foo:
    image: foo:latest
    build: .
    environment:
      FOO: bar

podman compose build foo:

STEP 1/2: FROM scratch
STEP 2/2: ENV "FOO"="bar" # note this variable that should not be part of build
COMMIT foo:latest
--> 9f279e6856c7
Successfully tagged localhost/foo:latest

podman image inspect foo:latest|jq '.[0].Config.Env':

[
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  "FOO=bar" # note this variable that should not be part of build
]

docker compose behaves correctly:

docker compose build foo
docker image inspect foo:latest|jq '.[0].Config.Env'
[
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  # note the absence of FOO variable
]

Expected behavior

Environment variables defined in compose file should not be included in build.

Actual behavior

Environment variables defined in compose file are included in build.

Output

$ podman-compose version
podman-compose version 1.1.0
podman version 5.0.2

Environment:
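The reporter's verification step (`podman image inspect foo:latest | jq '.[0].Config.Env'`) as an added example, not code from podman-compose or from the report: a small Python check that flags any name defined under a compose service's `environment:` block that ended up baked into the built image's config, which is the leakage described above. The compose block and the inspect JSON are constructed inline from the report's values so it runs offline; `inspect_image` is an assumed helper for running the same check against a real image.

```python
"""Detect compose-file environment variables that were baked into an image.

Added example (not part of podman-compose). Any name the compose file defines
under `environment:` that also appears in the image's Config.Env is reported as
leaked: such values are meant to exist only at container runtime.
"""
import json
import subprocess
from collections.abc import Mapping
from typing import Iterable, Union

ComposeEnv = Union[Mapping, Iterable[str]]

# Constructed sample: the `environment:` block of service `foo` in the report.
COMPOSE_ENV = {"FOO": "bar"}

# Constructed sample mirroring the `podman image inspect foo:latest` output above.
PODMAN_INSPECT = json.dumps([{"Config": {"Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "FOO=bar",
]}}])


def compose_env_names(env: ComposeEnv) -> set:
    """Names from a compose `environment:` block in mapping or list form.

    The list form allows "KEY=value" and bare "KEY" (value pulled from the
    caller's shell); both are runtime-only variables and both are checked.
    """
    if isinstance(env, Mapping):
        return set(env)
    return {item.split("=", 1)[0] for item in env}


def image_env(inspect_json: str) -> dict:
    """Config.Env of the first image in an `image inspect` JSON document."""
    config = json.loads(inspect_json)[0].get("Config", {})
    pairs = (e.split("=", 1) for e in config.get("Env", []))
    return {p[0]: (p[1] if len(p) > 1 else "") for p in pairs}


def leaked_compose_env(env: ComposeEnv, inspect_json: str) -> dict:
    """Compose-defined names present in the image config, with baked-in values."""
    baked = image_env(inspect_json)
    return {name: baked[name] for name in compose_env_names(env) if name in baked}


def inspect_image(ref: str) -> str:
    """Assumed helper: fetch inspect JSON for a real image (needs podman)."""
    return subprocess.run(["podman", "image", "inspect", ref],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    leaked = leaked_compose_env(COMPOSE_ENV, PODMAN_INSPECT)
    for name, value in sorted(leaked.items()):
        print(f"LEAKED: {name}={value} is baked into the image config")
    raise SystemExit(1 if leaked else 0)
```

A non-zero exit from the check is a convenient CI gate after `podman compose build`, and the same comparison works for the docker compose output in the report, where it reports nothing.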