I recently started using BuildKit to hide some env vars, and it worked great in prod via GHA!
My Dockerfile now is something like this:
```dockerfile
# syntax=docker/dockerfile:1.2
...
RUN --mount=type=secret,id=my_secret,uid=1000 \
    MY_SECRET=$(cat /run/secrets/my_secret) \
    && export MY_SECRET
```
And my front was something like this:
```shell
DOCKER_BUILDKIT=1 docker build \
    --secret id=my_secret,env="MY_SECRET"
```
And when I run this on my Github actions, it works perfectly.
But now, the problem here is when I try to build it locally. When performing a `docker-compose build` it fails. Of course, because I'm not passing in any secret, so my backend (Dockerfile) won't be able to read it from `/run/secrets/`.
What I've tried to do, so far, to accomplish the local build using `docker-compose build`:
1. Working with Docker secrets:
I basically tried doing:
```shell
$ docker swarm init
$ echo "my_secret_value" | docker secret create my_secret -
```
I thought that saving a secret would fix the problem, but it didn't work. I still got the same error message:
```
cat: can't open '/run/secrets/my_secret': No such file or directory
```
```yaml
version: '3'
services:
  app:
    build:
      context: "."
      args:
        - "MY_SECRET"
    secrets:
      - my_secret
secrets:
  my_secret:
    external: true
```
```yaml
version: '3'
services:
  app:
    build:
      context: "."
      args:
        - "MY_SECRET"
    secrets:
      - my_secret
secrets:
  my_secret:
    file: ./my_secret.txt
```
```yaml
      args:
        - secret=id=my_secret,src=./my_secret.txt
```
But still got the same error:
```
cat: can't open '/run/secrets/my_secret': No such file or directory
```
What am I doing wrong to successfully perform a `docker-compose build`?
I'm aware that I can easily use two Dockerfiles, a Dockerfile to build in local and a Dockerfile to build in prod, but I just want to use BuildKit as it is, by only modifying my `docker-compose.yml` file.
Does anyone have an idea about what I am missing to be able to build locally reading from `/run/secrets/`?
Support for this was recently implemented in v2. See the below pull requests.
The provided example looks like this:
```yaml
services:
  frontend:
    build:
      context: .
      secrets:
        - server-certificate
secrets:
  server-certificate:
    file: ./server.cert
```
So you are close, but you have to add the `secrets` key under the `build` key.
Also keep in mind that you have to use `docker compose` instead of `docker-compose`, in order to use v2, which is built into the docker client.
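Putting the answer together with the asker's setup, here is a complete compose file as an added example (not from the question, the answer, or the Compose project). It assumes the service name `app`, the secret id `my_secret` and the file `./my_secret.txt` from the question, and a hypothetical `use-secret.sh` that consumes the value inside the Dockerfile's `RUN` step.

```yaml
# compose.yaml (added example). The matching Dockerfile step is assumed to be:
#
#   RUN --mount=type=secret,id=my_secret \
#       MY_SECRET="$(cat /run/secrets/my_secret)" && ./use-secret.sh
#
# The value is only visible inside that single RUN step; an `export` there
# does not survive into later steps or into the final image, and the mounted
# file is never written to a layer.
services:
  app:
    build:
      context: .
      # Build-time secrets: mounted at /run/secrets/<id> while a
      # `RUN --mount=type=secret` step executes. This is the key the
      # question was missing; `docker compose build` (v2) honours it.
      secrets:
        - my_secret
      # Do not pass the value as a build arg instead: ARG values are
      # recorded in image metadata and show up in `docker history`.
      # args:
      #   MY_SECRET: "..."   # avoid
    # Runtime secrets (optional): mounted into the *running* container,
    # not available during the build.
    secrets:
      - my_secret

secrets:
  my_secret:
    # Keep this file out of version control and out of the build context
    # (list it in .gitignore and .dockerignore so no COPY can pick it up).
    file: ./my_secret.txt
```

Build with `docker compose build`; the v1 `docker-compose` binary does not support `secrets` under `build`, and the CI `docker build --secret id=my_secret,env=MY_SECRET` invocation from the question keeps working unchanged against the same Dockerfile.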