如何取消设置“ENV"在码头文件? [英] How to unset "ENV" in dockerfile?
问题描述
出于某些原因,我必须在我的 dockerfile 中设置http_proxy"和https_proxy"ENV.我现在想取消设置它们,因为还有一些构建过程无法通过代理完成.
For some certain reasons, I have to set "http_proxy" and "https_proxy" ENV in my dockerfile. I would like to now unset them because there are also some building process can't be done through the proxy.
# dockerfile
# ... some process
ENV http_proxy=http://...
ENV https_proxy=http://...
# ... some process that needs the proxy to finish
UNSET ENV http_proxy # how to I unset the proxy ENV here?
UNSET ENV https_proxy
# ... some process that can't use the proxy
推荐答案
这取决于你想要达到什么效果.
It depends on what effect you are trying to achieve.
请注意,就语用学(即开发人员实际说话的方式)而言,取消设置变量"可能意味着两件事:将其从环境中删除,或将变量设置为空值.从技术上讲,这是两种不同的操作.在实践中,虽然我没有遇到我试图控制的软件区分环境中不存在的变量和环境中存在但设置为空值的变量的情况.我通常可以使用任何一种方法来获得相同的结果.
Note that, as a matter of pragmatics (i.e. how developers actually speak), "unsetting a variable" can mean two things: removing it from the environment, or setting the variable to an empty value. Technically, these are two different operations. In practice though I have not run into a case where the software I'm trying to control differentiates between the variable being absent from the environment, and the variable being present in the environment but set to an empty value. I generally can use either method to get the same result.
对于这种情况,您可以在 Dockerfile 中要取消设置变量的位置处使用 ENV VAR_NAME=.语法说明:Docker 允许 ENV 有两种语法:这个 ENV VAR=1 与 ENV VAR 1 相同.您可以使用空格或等号将变量名称与值分开.当您想通过将变量设置为空值来取消设置"变量时,您必须使用等号语法,否则在构建时会出错.
For this case, you can use ENV VAR_NAME= at the point in your Dockerfile from which you want to unset the variable. Syntactic note: Docker allows two syntaxes for ENV: this ENV VAR=1 is the same as ENV VAR 1. You can separate the variable name from the value with a space or an equal sign. When you want to "unset" a variable by setting it to an empty value you must use the equal sign syntax or you get an error at build time.
例如,你可以这样做:
ENV NOT_SENSITIVE some_value
RUN something
ENV NOT_SENSITIVE=
RUN something_else
something 运行时,NOT_SENSITIVE 设置为 some_value.当 something_else 运行时,NOT_SENSITIVE 被设置为空字符串.
When something runs, NOT_SENSITIVE is set to some_value. When something_else runs, NOT_SENSITIVE is set to the empty string.
请务必注意,将 unset NOT_SENSITIVE 作为 shell 命令执行不会影响除此 shell 中执行的内容之外的任何其他内容. 下面是一个示例:
It is important to note that doing unset NOT_SENSITIVE as a shell command will not affect anything else than what executes in this shell. Here's an example:
ENV NOT_SENSITIVE some_value
RUN unset NOT_SENSITIVE && printenv NOT_SENSITIVE || echo "does not exist"
RUN printenv NOT_SENSITIVE
第一个 RUN 将打印 does not exist 因为 NOT_SENSITIVE 在 printenv 执行时未设置并且因为它是unset printenv 返回一个非零退出代码,它会导致 echo 执行.第二个RUN 不受第一个RUN 中的unset 影响.它会将 some_value 打印到屏幕上.
The first RUN will print does not exist because NOT_SENSITIVE is unset when printenv executes and because it is unset printenv returns a non-zero exit code which causes the echo to execute. The second RUN is not affected by the unset in the first RUN. It will print some_value to the screen.
但是如果我需要从环境中移除变量,而不仅仅是将其设置为空值呢?
But what if I need to remove the variable from the environment, not just set it to an empty value?
在这种情况下,使用 ENV VAR_NAME= 将不起作用.我不知道有什么方法可以告诉 Docker从现在开始,您必须从环境中删除此变量,而不仅仅是将其设置为空值".
In this case using ENV VAR_NAME= won't work. I don't know of any way to tell Docker "from this point on, you must remove this variable from the environment, not just set it to an empty value".
如果您仍想使用 ENV 来设置变量,那么您必须在每个 RUN 开始,您希望在其中使用 unset VAR_NAME,这将只为那个特定的RUN取消设置.
If you still want to use ENV to set your variable, then you'll have to start each RUN in which you want the variable to be unset with unset VAR_NAME, which will unset it for that specific RUN only.
假设该变量包含一个秘密,并且该层可能落入不应该拥有该秘密的人手中.在这种情况下,您不能使用 ENV 来设置变量.使用 ENV 设置的变量被烘焙到它应用的层中,并且不能从这些层中删除.特别是(假设变量名为 SENSITIVE)正在运行
Suppose that variable contains a secret and the layer could fall into the hands of people who should not have the secret. In this case you CANNOT use ENV to set the variable. A variable set with ENV is baked into the layers to which it applies and cannot be removed from those layers. In particular, (assuming the variable is named SENSITIVE) running
RUN unset SENSITIVE
不做任何事情将其从层中移除.上面的 unset 命令只从层中移除 SENSITIVERUN 启动的 shell 进程.它只影响那个外壳.它不会影响由 CMD、ENTRYPOINT 或通过在命令行运行 docker run 提供的任何命令生成的 shell.
does not do anything to remove it from the layer. The unset command above only removes SENSITIVE from the shell process that RUN starts. It affects only that shell. It won't affect shells spawned by CMD, ENTRYPOINT, or any command provided through running docker run at the command line.
为了防止层包含秘密,我会使用 docker build --secret= 和 RUN --mount=type=secret....例如,假设我已经将我的秘密存储在一个名为 sensitive 的文件中,我可以有一个像这样的 RUN:
In order to prevent the layers from containing the secret, I would use docker build --secret= and RUN --mount=type=secret.... For instance, assuming that I've stored my secret in a file named sensitive, I could have a RUN like this:
RUN --mount=type=secret,id=sensitive,target=/root/sensitive
export SENSITIVE=$(cat /root/sensitive)
&& [[... do stuff that requires SENSITIVE ]]
请注意,给 RUN 的命令不需要以 unset SENSITIVE 结尾. 由于进程及其环境的管理方式,在由 RUN 生成的 shell 中设置 SENSITIVE 不会产生超出该 shell 本身生成的任何影响.此 shell 中的环境更改不会影响未来的 shell,也不会影响 Docker 在其创建的层中烘焙的内容.
Note that the command given to RUN does not need to end with unset SENSITIVE. Due to the way processes and their environments are managed, setting SENSITIVE in the shell spawned by RUN does not have any effect beyond what that shell itself spawns. Environment changes in this shell won't affect future shells nor will it affect what Docker bakes into the layers it creates.
然后构建可以运行:
$ DOCKER_BUILDKIT=1 docker build --secret id=secret,src=path/to/sensitive [...]
docker build 命令的环境需要 DOCKER_BUILDKIT=1 才能使用 BuildKit,因为这种传递秘密的方法只有在 Docker 使用 BuildKit 构建镜像时才可用.
The environment for the docker build command needs DOCKER_BUILDKIT=1 to use BuildKit because this method of passing secrets is only available if Docker uses BuildKit to build the images.
这篇关于如何取消设置“ENV"在码头文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
