So I got asked about this topic after my DevConf 2016 talk: there is a solution available on internets which describes how one can use two dockerfiles to build an image. The whole article can be found here.
What I didn’t like about the solution is that the first image outputs the whole build artifact as a tarball to standard output. To me that’s a bit hacky. Since docker 1.8 you can cp files and directories between containers and host.
Let’s try to do that!
All of this is because of build secrets. It may happen that you need to authenticate with an external service when building a docker image. In order to do that, you need to have a secret available during build. That’s a problem. This key may leak into the final image (whether it shows up via docker history or is available directly in some layer).
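A way to check a given image for that second kind of leak, as an added example that is not from the original post: it scans every layer of a `docker save` archive for PEM private key headers, including files a later layer deleted. The function names, the sample image, its layer names and the key are all constructed for illustration.

```python
import io
import json
import re
import tarfile

# PEM header of a private key (RSA, EC, OPENSSH, ...).
KEY_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_key_material(image_tar: bytes):
    """Return (layer, path) for every file in any layer that holds a private key.

    image_tar is the output of `docker save IMAGE`. Every layer listed in
    manifest.json is scanned, because a file deleted by a later instruction
    is still present in the layer that added it.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer:
                    if member.isfile() and KEY_MARKER.search(layer.extractfile(member).read()):
                        hits.append((layer_name, member.name))
    return hits


def make_tar(files: dict) -> bytes:
    """Build an in-memory tar from {name: content} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_image() -> bytes:
    """Constructed image: layer 1 adds a key, layer 2 removes it via a whiteout."""
    fake_key = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
    layer1 = make_tar({"root/.ssh/id_rsa": fake_key})
    layer2 = make_tar({"root/.ssh/.wh.id_rsa": b"", "app/server": b"binary"})
    manifest = json.dumps([{"Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return make_tar({"manifest.json": manifest, "l1/layer.tar": layer1, "l2/layer.tar": layer2})
```

Against a real image, pass the bytes of the archive written by `docker save`; an empty result for the final image is what the two-step build is meant to achieve.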
Here’s a solution!
Split your build process into two steps, each with its own dockerfile.
- Authenticate with an external service in order to fetch sources (use a private SSH key to authenticate with GitHub so you can clone a repo) and build the project.
- Get build artifacts from step 1 and install them.
…