First we need a Dockerfile for the build image, one that is able to fetch and build the project:

```dockerfile
FROM fedora:23
RUN dnf install -y git
# this is the private key you DON'T want to get leaked
COPY id_rsa /
# just for the demo; the build below does not actually use the key
RUN git clone https://github.com/TomasTomecek/sen /project && \
    cd /project && \
    python3 ./setup.py build
# make clean would make sense here
```
Let's get the key into the build context:

```shell
cp -a ~/.ssh/id_rsa id_rsa
```

and don't forget to blacklist the key in `.gitignore`, so it cannot be committed by accident:

```shell
printf "id_rsa\n" >.gitignore
```

Do not add it to `.dockerignore`, though: the `COPY` above needs the file in the build context.
Build time!

```shell
docker build --tag=build-image .
```

Note that `build-image` now carries the key in one of its layers (the `COPY` layer), so treat it as a local, throwaway image: never push it to a registry or share it.
We can copy the build artifact out of a build container now. The container is only created, never started; `cat` is just a placeholder command because `docker create` requires one:

```shell
docker create --name=build-container build-image cat
docker cp build-container:/project ./build-artifact
```
You are free to inspect and post-process the artifact:

```shell
ls -lha ./build-artifact
```
Everything is fine? If so, let's build the final image from the release Dockerfile, which never copies the key:

```shell
docker build -f Dockerfile.release --tag=sen .
```
Is the key in the final image?

```shell
cat ./test-if-key-is-present.sh
```

```shell
#!/bin/sh
# Exit with status 2 if /id_rsa exists in the filesystem of the final image.
if docker run --rm sen test -f /id_rsa
then
    printf "Key is in final image!\n"
    exit 2
else
    printf "Key is not in final image.\n"
fi
```

```shell
./test-if-key-is-present.sh
Key is not in final image.
```
You can also run the whole example by executing

```shell
./build.sh
```
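The `test -f /id_rsa` check above only looks at the final image's merged filesystem. It is satisfied by the build-container approach, but it would also pass for a single-Dockerfile build that does `COPY id_rsa /` and later `RUN rm /id_rsa`, even though the key is still sitting in the earlier layer. The script below is an added example (not part of this repository or the `build.sh` above): it unpacks a `docker save` archive and lists every layer tarball that contains a given path, reporting whiteout markers (`.wh.NAME`, the layer-format way of deleting a file) separately. To run offline it constructs a fake two-layer archive in `docker save` layout; the layer directory names `layer1`/`layer2` and the key contents are made up for the demo. On a real image you would run `docker save build-image > image.tar` and point `image_has_path` at that file.

```shell
#!/bin/sh
# scan_layers.sh: added example, not part of the original repository.
# Checks every layer of a `docker save` archive for a path, because a file
# that was COPYed in and removed by a later RUN is still in the earlier layer.
# Assumed layout (what docker save writes): manifest.json plus <dir>/layer.tar
# per layer; the directory names used below are invented for the demo.
set -eu

# Strip tar's leading "./" and trailing "/" so entries compare cleanly.
normalise() { sed -e 's|^\./||' -e 's|/$||'; }

# image_has_path ARCHIVE PATH
# Prints (to stdout) each layer tar that contains PATH; returns 0 if any layer
# does, 1 otherwise. A whiteout marker for PATH is reported on stderr: it means
# a later layer deleted the file, which is not the same as the file being gone.
image_has_path() {
    archive=$1
    target=${2#/}                       # tar entries carry no leading slash
    case $target in
        */*) wh="${target%/*}/.wh.${target##*/}" ;;
        *)   wh=".wh.$target" ;;
    esac
    tmp=$(mktemp -d)
    tar -xf "$archive" -C "$tmp"
    found=1
    for layer in $(find "$tmp" -name '*.tar' | sort); do
        rel=${layer#"$tmp"/}
        entries=$(tar -tf "$layer" | normalise)
        if printf '%s\n' "$entries" | grep -Fqx "$target"; then
            echo "$rel"
            found=0
        elif printf '%s\n' "$entries" | grep -Fqx "$wh"; then
            echo "$rel: whiteout for /$target (deleted here, still present in an earlier layer)" >&2
        fi
    done
    rm -rf "$tmp"
    return $found
}

# make_fake_image OUT
# Builds a constructed two-layer archive in docker save layout, no docker
# needed: layer1 adds /id_rsa, layer2 whiteouts it and adds /project. This
# mirrors "COPY id_rsa /" followed by "RUN rm /id_rsa" in one Dockerfile.
make_fake_image() {
    out=$1
    work=$(mktemp -d)
    mkdir -p "$work/layer1/root" "$work/layer2/root/project"
    echo 'FAKE PRIVATE KEY (constructed sample)' > "$work/layer1/root/id_rsa"
    tar -cf "$work/layer1/layer.tar" -C "$work/layer1/root" .
    : > "$work/layer2/root/.wh.id_rsa"
    tar -cf "$work/layer2/layer.tar" -C "$work/layer2/root" .
    printf '[{"Layers":["layer1/layer.tar","layer2/layer.tar"]}]\n' > "$work/manifest.json"
    tar -cf "$out" -C "$work" manifest.json layer1/layer.tar layer2/layer.tar
    rm -rf "$work"
}

# Demo: a container started from this image would pass `test -f /id_rsa`
# (the file is whited out), but the layer scan still finds the key.
IMG=$(mktemp -d)/image.tar
make_fake_image "$IMG"
if image_has_path "$IMG" /id_rsa; then
    echo "id_rsa is still in an image layer: do not push this image"
else
    echo "id_rsa not found in any layer"
fi
```

The scan deliberately ignores the merged view and walks the raw layer tarballs, which is exactly what anyone who pulls the image gets. Applied to `build-image` from this README it reports the `COPY` layer; applied to `sen` it reports nothing, because that image never had the key in any layer.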
Here's a blog post about this feature.