Open geekflyer opened 5 years ago
@yiranwang52 @evelynl94 Any thoughts on this one? This is blocking some of our repos from adopting makisu unfortunately.
This is tricky a question. Makisu treats the envs passed in via flag and envs in Dockerfile the same, and hence a step in Dockerfile can overwrite the value. I'm not sure if we want to make them distinguishable because Makisu should not make too many assumptions about the environment imo.
For your users, should /path/inside/dockerfile/key.json
be included in the final image? Is it possible to use mount as a workaround?
yes, for our use case the key.json
should be included in the image (we know that this is generally not best practice, but this is a special case and the key has very few privileges).
As for the general env behaviour of makisu: Do the makisu build steps always automatically inherit the environment of the makisu caller? Isn't this a bit of a security and separation concern?
In docker we always have to explicitly use -e
to propagate environment vars into the builder layers.
I think if makisu (intentional or not) merges the caller with the layer environment this design decision and the behaviour should be documented somewhere as this will otherwise lead to a lot of weird surprises of some users (like me) down the road.
For the short term I think it would be definately better if things like the credential helpers use an immutable "copy" of the environment at the beginning of the makisu invocation and not allow this environment to get mutated by the docker layers. It's fine to have the layers inherit the makisu environment, but not allow overriding each other.
As for the general env behaviour of makisu: Do the makisu build steps always automatically inherit the environment of the makisu caller?
I believe so.
For the short term I think it would be definately better if things like the credential helpers use an immutable "copy" of the environment at the beginning of the makisu invocation and not allow this environment to get mutated by the docker layers.
Yea we actually have discussed splitting fetch-build-push into separated and isolated phases, because we have concerns in including all different credHelpers in our images and setting up environments for them. But no work has been done on that front yet.
Hi,
I noticed a very strange bug, where Makisu invokes the GCR credential helper with environment variables set in ENV sections in the Dockerfile instead of Makisu's own environment variables.
This breaks builds where a Dockerfile sets an environment variable that is also used by the credential helper, like
GOOGLE_APPLICATION_CREDENTIALS
, effectively creating a conflict.Consider this example:
Dockerfile
:Create a GCP service account key with
roles/storage.admin
access to the GCR GCS bucket and save it underkey.json
in the same working directory as theDockerfile
Run this command to attempt building and pushing the image to GCR
The build will fail with a message similar to this:
error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open /path/inside/dockerfile/key.json: no such file or directory
.As you can see the credential helper receives the environment variable:
GOOGLE_APPLICATION_CREDENTIALS=/path/inside/container/key.json
but the correct one would be:GOOGLE_APPLICATION_CREDENTIALS=/makisu-context/key.json
.The detailed error message is below:
If I remove the line
from the Dockerfile, the build and push succeeds.
Summary
As you can see from the example Makisu is somehow invoking the docker-credential-gcr/helper with environment variables defined in the Dockerfile, which is almost certainly a bug and not how it should work.
The docker-credential-gcr helper should only inherit the environment variables being passed to makisu and not the ones defined in the Dockerfile.
We have some apps which set the GOOGLE_APPLICATION_CREDENTIALS environment variable in their Dockerfile and if they do so it completely breaks the makisu build.