Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to import ENV from file #5706

Open
davinkevin opened this issue Feb 5, 2025 · 2 comments
Open

Allow to import ENV from file #5706

davinkevin opened this issue Feb 5, 2025 · 2 comments
Labels
status/triage

Comments

@davinkevin
Copy link

davinkevin commented Feb 5, 2025
edited by thaJeztah
Loading

duplicates / older tickets related to this;

Description

Description

Hello 👋

I'd like to report a feature request about a pain point we (and I, in multiple companies) face about ENV.

To detail the problem, we deliver images as a team or company, but sometimes we must have multiple versions of the same image (different base images, different tools inside like nonroot-debug…). If I describe it with an example, it could be like this:

FROM distroless/java:…

COPY app.jar /app.jar
ENV MY_MANDOATORY_JVM_ENV=foo

ENTRYPOINT ["java", "/app.jar"]

But, if we want to deliver a :slim version of the resulting image, we need to do something like this:

FROM distroless/java:… AS standard

COPY app.jar /app.jar
ENV MY_MANDOATORY_JVM_ENV=foo

ENTRYPOINT ["java", "/app.jar"]

FROM chainguard/java:… as slim

COPY --from=standard app.jar /app.jar
ENV MY_MANDOATORY_JVM_ENV=foo

ENTRYPOINT ["java", "/app.jar"]

We see the ENV parameter is duplicated and can't be inherited because the base images are different. For simplicity, we use a multi-stage build with different targets during docker build….

Worse, when a customer of ours wants to alter our images or build their own on top of us (like IronBank for American Defense), everything is done in another CI with no possibility of sharing a Dockerfile.

With that context set, I'd like to ask if a solution could be evaluated to load the ENV variable from an external source. Something like this would solve our problem, for example:

FROM distroless/java:… AS standard

COPY app.jar /app.jar
ENV --from="our-dot-env-file.env"

ENTRYPOINT ["java", "/app.jar"]

FROM chainguard/java:… as slim

COPY --from=standard app.jar /app.jar
ENV --from="our-dot-env-file.env"

ENTRYPOINT ["java", "/app.jar"]

With this approach, we could store in the git repo the our-dot-env-file.env with this content:

MY_MANDOATORY_JVM_ENV=foo

And, with convention, it could be shared with external customers willing to alter our images (for hardening purposes, like done by IronBank, for example).

NOTE This feature is already available in docker run and docker compose, so it being available in docker build would make sense too.

Thank you. I'm available for a call to discuss in-depth cases like this in the system we/I encountered.

Regards

PS: Originally opened here
@thaJeztah
Copy link
Member

I added some of the duplicates to the ticket description. Just to link things together; for inheriting options from "parent" stages, there's also;

@davinkevin
Copy link
Author

Thank you @thaJeztah. I didn't identified them as potential solutions, but you're right they could cover it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status/triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thaJeztah @davinkevin