Docker build image: what are the reasons for not allowing bind-mounts on the command line? Is it a security issue?
Use case:
gradle uses the artifact cache under /home/username/.gradle.
Dockerfile:
# placeholder base image; the original omitted the FROM line
FROM base
WORKDIR /opt/app/src
# copy the build context into the working directory set above
COPY . .
RUN gradle build
Running gradle inside a Dockerfile will download all artifacts every time the image is built.
docker build -t image1 .
If a bind-mount option were supported, the gradle cache on the host could be used, and the build would speed up tremendously.
docker build -v /home/username/.gradle:/root/.gradle -t image1 .
The option is specified by the user on the command line, so there should be no security issue.
This is better handled with the BuildKit RUN --mount=type=cache,target=/path ... feature (documentation available in their git repo).
The resulting Dockerfile looks like:
# syntax=docker/dockerfile:1
FROM base
WORKDIR /opt/app/src
# copy the build context into the working directory set above
COPY . .
RUN --mount=type=cache,target=/root/.gradle gradle build
The reason to avoid mounting arbitrary folders is that it would add host dependencies into the image build that aren't included in the context (or committed to the git repo). The result is the image may only be able to be built on some machines, or the image might be different depending on where you build it.
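As an added example (not part of the question or the answer above), the same cache-mount approach with the options a practitioner usually ends up needing. It assumes the official gradle image on Docker Hub, whose Gradle user home is /home/gradle/.gradle and which runs as uid/gid 1000; the id name is a constructed placeholder.

```dockerfile
# syntax=docker/dockerfile:1
# Assumed base: the official gradle image (Gradle user home /home/gradle/.gradle, uid 1000).
FROM gradle:jdk17
WORKDIR /opt/app/src
# Only the build context (the directory passed to `docker build`) enters the image,
# so the build input is fully described by the repository contents.
COPY . .
# The cache mount is a BuildKit-managed directory on the builder, not a host path:
#  - target:         where Gradle expects its cache inside the build container
#  - id:             names the cache so other Dockerfiles can share or isolate it
#  - sharing=locked: serialises concurrent builds, because Gradle's cache is not safe
#                    to write from several processes at once
#  - uid/gid:        makes the mount writable by the non-root gradle user
# Nothing under the mount is committed to a layer, so the resulting image is identical
# whether the cache was warm or cold, and regardless of which machine built it.
RUN --mount=type=cache,id=gradle-home,target=/home/gradle/.gradle,sharing=locked,uid=1000,gid=1000 \
    gradle --no-daemon build
# Build with BuildKit enabled (default on current Docker; otherwise prefix with DOCKER_BUILDKIT=1):
#   docker build -t image1 .
```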