Ability to access network during build
neverfox opened this issue · 6 comments
Docker build now supports a --network flag that can, for example, let you access docker-compose services running on the host in your build (similar to how you can access the habitus server). Is it or would it be possible to have access to that through a habitus parameter?
Thank you @neverfox
I think this can definitely be a possible way forward, as long as it's not limited only to compose (habitus uses the Docker daemon directly).
Hi!
Indeed, it isn't docker-compose specific. Actually, a moby maintainer had suggested I try it for secure secret injection into the build context.
Implementation-wise, would introducing a network key in build.yaml be ok?
Like:
build:
  version: 2016-03-14
  steps:
    test:
      name: test
      dockerfile: Dockerfile
      network: myprivatenet
@neverfox Oh, btw, what was your concrete use-case for this? Are you trying to inject secrets in a way other than habitat's?
@neverfox Or perhaps you'd like to run integration tests w/ e.g. mysql inside docker-build?
Let me say no to my own suggestion above!
Similarly to #87, setting network in build.yml isn't a good practice, as it basically means that your build depends on the existence of a specific network. In other words, the network in which a build is run is an operational concern. We shouldn't leak it to build.yml.
More concretely, there might be a shared secret network per project for builds in CI, and a default bridge network for builds on my own machine. Fixing it in build.yml doesn't make sense.
I'd rather suggest adding a -network flag to specify in which docker network the builds are run.