-
Notifications
You must be signed in to change notification settings - Fork 785
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
podman history exposes proxy related build args #2937
Comments
To reproduce, extract this archive on a Linux x86 system with GNU make and podman installed: Run Run |
If there's a better way to pass secret values to the build while keeping them out of the image, I'd love to learn it. |
This is work going on with podman secrets, but it is not complete yet. @nalind WDYT? Could you point me at where this information is recorded? |
That's encoded at buildah/imagebuildah/stage_executor.go Line 1028 in 1a04337
docker build does for this case.
|
Should we just not encode the PROXY environment and encode everything else? |
Since you could use volumes or secrets now, you have alternatives that are better then just hacking on environment variables. I am going to close this issue. |
It's correct that my problem is resolved. But the reason why docker hides the proxy-related implicit build args is that they may contain basic auth credentials for an internal proxy. Folks that intend to use podman as a drop-in replacement for docker may unknowingly expose their proxy credentials in the image history. |
A friendly reminder that this issue had no activity for 30 days. |
@ashley-cui what is the state of buildah secrets? |
@rhatdan buildah has the docker compatible RUN secrets: https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information |
@rolweber Would the use of secrets satisfy this issue? |
Not really, see #2937 (comment). The issue exists for people who specify a build-time proxy with basic auth credentials as an implicit build argument. With docker, their credentials are safe. With podman, their credentials appear in the image history. Why should they have to rewrite their Dockerfile to use secrets, if they only want to specify a default proxy for the build? But I'll remember these RUN secrets for my own purposes :-) |
A friendly reminder that this issue had no activity for 30 days. |
@ashley-cui Any update on this? |
Have not gotten to it yet. |
A friendly reminder that this issue had no activity for 30 days. |
@ashley-cui Any time to work on this? |
Probably can get to it this week or the next :) |
A friendly reminder that this issue had no activity for 30 days. |
A friendly reminder that this issue had no activity for 30 days. |
@flouthoc PTAL |
Hi @rolweber , Apologies for late response. Above PR should close this issue and matches |
`Buildkit/Docker` adds variables in pre-allowlist for e.g `proxy variables` to OCI/Docker history only if user explicitly specifies them in Dockerfile using `ARG`. By default variables in pre-allowlist e.g `proxy variables` will be used normally but will not be leaked into `docker/OCI` history of images. A test for following behviour is added with this commit and similar test can be verified against `Docker/Buildkit` Closes: containers#2937 Signed-off-by: Aditya R <[email protected]>
`Buildkit/Docker` adds variables in pre-allowlist for e.g `proxy variables` to OCI/Docker history only if user explicitly specifies them in Dockerfile using `ARG`. By default variables in pre-allowlist e.g `proxy variables` will be used normally but will not be leaked into `docker/OCI` history of images. A test for following behviour is added with this commit and similar test can be verified against `Docker/Buildkit` Closes: containers#2937 Signed-off-by: Aditya R <[email protected]>
`Buildkit/Docker` adds variables in pre-allowlist for e.g `proxy variables` to OCI/Docker history only if user explicitly specifies them in Dockerfile using `ARG`. By default variables in pre-allowlist e.g `proxy variables` will be used normally but will not be leaked into `docker/OCI` history of images. A test for following behviour is added with this commit and similar test can be verified against `Docker/Buildkit` Closes: containers#2937 Signed-off-by: Aditya R <[email protected]>
Description
I'm trying to use
podman build
as a drop-in replacement fordocker build
.I'm (ab)using the no_proxy build arg to pass an API key at build time, which should not be exposed in the image.
With
docker
, no_proxy and other pre-defined build args do not appear in the image history:https://docs.docker.com/engine/reference/builder/#predefined-args
With
podman
, the value of no_proxy appears in the image history. I didn't try the other ones.Steps to reproduce the issue:
podman build -t whatever --build-arg "no-proxy=to-be-kept-secret" .
podman history --no-trunc --format json whatever
I'll add a Dockerfile, shell script and Makefile to reproduce the problem conveniently.
Describe the results you received:
The history shows the value I passed as the
no_proxy
build argument.Describe the results you expected:
The history should not show the value
I passed as the
no_proxy
build argument.Output of
podman version
if reporting apodman build
issue:Output of
cat /etc/*release
:Output of
uname -a
:Output of
cat /etc/containers/storage.conf
:The text was updated successfully, but these errors were encountered: