docker / docs

Source repo for Docker's Documentation
https://docs.docker.com
Apache License 2.0

using an environment variable in a RUN command is not clear. #21335

Open NathanVG opened 1 day ago

NathanVG commented 1 day ago

Is this a docs issue?

Type of issue

I can't find what I'm looking for

Description

I am trying to write a Dockerfile to create an image from my Blazor frontend project:

# syntax = docker/dockerfile:1.2

FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /app

# Install Node.js in the .NET SDK container
RUN apt-get update && \
    apt-get install -y curl && \
    curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && \
    apt-get install -y nodejs

COPY Frontend.sln ./
COPY Frontend.csproj ./
COPY ./package.json ./
COPY ./package-lock.json ./

RUN dotnet nuget add source URLREDACTED -u "NotNeccesary" -p $FEED_TOKEN --store-password-in-clear-text --valid-authentication-types "basic"
RUN npm install
RUN dotnet restore
COPY . ./
RUN dotnet publish ./Frontend.csproj -c Release -o out

FROM nginx:1.23.0-alpine
WORKDIR /app
EXPOSE 8080
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/out/wwwroot /usr/share/nginx/html

My issue specifically is with this line: RUN dotnet nuget add source URLREDACTED -u "NotNeccesary" -p $FEED_TOKEN --store-password-in-clear-text --valid-authentication-types "basic"

Here I need to pass in a PAT token. Of course, I have this token saved in a .env file that is gitignored. However, I am not succeeding in passing that token to the RUN command.

docker build --build-arg FEED_TOKEN=TOKENREDACTED -t frontendimage .

I have tried:

Am I missing something? If I hardcode the token everything works, so the Dockerfile itself isn't the issue.

Location

https://docs.docker.com/reference/dockerfile/

Suggestion

No response

dvdksn commented 1 day ago

Hello. You should use build secrets for this: https://docs.docker.com/build/building/secrets/

To pass build secrets to RUN you need to:

a) pass the secret to the build command, and b) mount the secret in the Dockerfile RUN instruction

By default, it gets mounted to a file. With the latest versions of BuildKit you can mount it directly to an environment variable, like so:

$ FEED_TOKEN=TOKENREDACTED docker build --secret id=FEED_TOKEN,env=FEED_TOKEN -t frontendimage .

RUN --mount=type=secret,id=FEED_TOKEN,env=FEED_TOKEN \
    dotnet nuget add source URLREDACTED -u "NotNeccesary" -p $FEED_TOKEN --store-password-in-clear-text --valid-authentication-types "basic"
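
Added example, not part of the thread or of Docker's docs: the file-based form of the secret mount that the reply calls the default, which also works with the `docker/dockerfile:1.2` syntax pinned in the question's Dockerfile. `FEED_URL` and the source name `feed` are placeholders, the stage is trimmed to the restore-related steps, and removing the source in the same `RUN` keeps the clear-text token out of that layer's NuGet config.

```dockerfile
# syntax=docker/dockerfile:1.2
# Build with the token taken from the caller's environment, never from --build-arg:
#   FEED_TOKEN=<token> docker build --secret id=FEED_TOKEN,env=FEED_TOKEN -t frontendimage .

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /app

COPY Frontend.csproj ./

# The secret is mounted at /run/secrets/<id> for the duration of this RUN only.
# It is not an ARG or ENV, so it does not appear in `docker history` and is not
# part of the layer contents.
#
# `dotnet nuget add source --store-password-in-clear-text` writes the token into
# the user-level NuGet config, which WOULD be captured in the layer. Adding the
# source, restoring, and removing the source inside one RUN means the layer is
# snapshotted after the credential is gone.
#
# FEED_URL and the source name "feed" are placeholders (assumptions).
RUN --mount=type=secret,id=FEED_TOKEN \
    dotnet nuget add source "FEED_URL" \
      -n feed \
      -u "NotNeccesary" \
      -p "$(cat /run/secrets/FEED_TOKEN)" \
      --store-password-in-clear-text \
      --valid-authentication-types basic && \
    dotnet restore ./Frontend.csproj && \
    dotnet nuget remove source feed

COPY . ./

# Packages were restored above, so publish does not need the private feed again.
RUN dotnet publish ./Frontend.csproj -c Release -o out --no-restore

FROM nginx:1.23.0-alpine
WORKDIR /app
EXPOSE 8080
COPY nginx.conf /etc/nginx/nginx.conf
# Only the published static files cross into the final image.
COPY --from=build /app/out/wwwroot /usr/share/nginx/html
```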