Docker compose build time secrets are missing


I want to use a secret during the build stage of my service.

However I can't seem to find the secret, or any evidence that it exists during the build stage.

I've tried this simple example

docker-compose.yml

services:
  frontend:
    build:
      context: .
      secrets:
        - server_certificate
secrets:
  server_certificate:
    file: ./server.cert

dockerfile:

FROM python:3.7.2-alpine3.8

WORKDIR /app
# print contents of /run directory to build.log
RUN ls -la /run >> build.log
# print env vars to build.log
RUN env >> build.log

RUN /bin/sh

server.cert: secretCert

docker compose run --build frontend cat build.log

[+] Building 1.2s (9/9) FINISHED                                                                                                            
 => [frontend internal] load .dockerignore                                                                                             0.0s
 => => transferring context: 2B                                                                                                        0.0s
 => [frontend internal] load build definition from dockerfile                                                                          0.0s
 => => transferring dockerfile: 145B                                                                                                   0.0s
 => [frontend internal] load metadata for docker.io/library/python:3.7.2-alpine3.8                                                     1.1s
 => [frontend 1/5] FROM docker.io/library/python:3.7.2-alpine3.8@sha256:6930a0325f40f1e2b501b48b5b122278bc578521e2d6b19aaf82b06222020  0.0s
 => CACHED [frontend 2/5] WORKDIR /app                                                                                                 0.0s
 => CACHED [frontend 3/5] RUN ls -la /run >> build.log                                                                                 0.0s
 => CACHED [frontend 4/5] RUN env >> build.log                                                                                         0.0s
 => CACHED [frontend 5/5] RUN /bin/sh                                                                                                  0.0s
 => [frontend] exporting to image                                                                                                      0.0s
 => => exporting layers                                                                                                                0.0s
 => => writing image sha256:589c8835f2dd93c8148bff4f665886a26a205616f1a817c485f8f6a36e0c708a                                           0.0s
 => => naming to docker.io/library/dockersecretinbuild-frontend                                                                        0.0s
total 8
drwxr-xr-x    2 root     root          4096 Mar  6  2019 .
drwxr-xr-x    1 root     root          4096 Aug 24 02:44 ..
PYTHON_PIP_VERSION=19.0.3
SHLVL=1
HOME=/root
GPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=C.UTF-8
PYTHON_VERSION=3.7.2
PWD=/app

When I build and run the service through compose, there is nothing in the /run directory and no extra entries in the env. Where did my secret go?

Docker version 24.0.5, build ced0996

Docker Compose version v2.19.1

I've read the docker docs https://docs.docker.com/compose/compose-file/build/#secrets and this SO question seems close but didn't get me anywhere.

1 answer

Answer by TBlackmore:

Answering my own question.

The dockerfile needs to mount the secret in the same command that it is used.

Amended dockerfile:

FROM python:3.7.2-alpine3.8

WORKDIR /app
# print contents of /run directory to build.log
# the id must match the secret name declared in docker-compose.yml
# (server_certificate); "required" fails the build if it is missing
RUN --mount=type=secret,id=server_certificate,required \
   ls -la /run >> build.log

RUN /bin/sh

Run docker compose run --build frontend cat build.log

[+] Building 3.3s (9/9) FINISHED                                                                                                            
 => [frontend internal] load .dockerignore                                                                                             0.0s
 => => transferring context: 2B                                                                                                        0.0s
 => [frontend internal] load build definition from dockerfile                                                                          0.0s
 => => transferring dockerfile: 229B                                                                                                   0.0s
 => [frontend internal] load metadata for docker.io/library/python:3.7.2-alpine3.8                                                     2.8s
 => [frontend auth] library/python:pull token for registry-1.docker.io                                                                 0.0s
 => [frontend stage-0 1/4] FROM docker.io/library/python:3.7.2-alpine3.8@sha256:6930a0325f40f1e2b501b48b5b122278bc578521e2d6b19aaf82b  0.0s
 => CACHED [frontend stage-0 2/4] WORKDIR /app                                                                                         0.0s
 => [frontend stage-0 3/4] RUN --mount=type=secret,id=server-certificate,required    ls -la /run >> build.log                          0.1s
 => [frontend stage-0 4/4] RUN /bin/sh                                                                                                 0.2s
 => [frontend] exporting to image                                                                                                      0.1s
 => => exporting layers                                                                                                                0.0s
 => => writing image sha256:57048d62c0347fdfa6fe73213d391ae0622db0d44bce4f740c3b59013a5027d5                                           0.0s
 => => naming to docker.io/library/dockersecretinbuild-frontend                                                                        0.0s
total 12
drwxr-xr-x    1 root     root          4096 Aug 25 00:11 .
drwxr-xr-x    1 root     root          4096 Aug 25 00:11 ..
drwxr-xr-x    2 root     root          4096 Aug 25 00:11 secrets
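To tie the question and the answer together: a BuildKit secret is only visible inside the RUN instruction that carries the --mount=type=secret flag, it appears as a file at /run/secrets/<id>, the id has to match the name listed under build.secrets in the compose file, and whatever a RUN copies out of /run/secrets into the filesystem is captured in that layer. The script below is an added example, not the asker's or the answerer's code. It writes a small compose/Dockerfile pair that follows those rules (the service name app, the secret name ca_bundle and the file ./ca.pem are assumed placeholders), then runs two text-based sanity checks a reviewer can apply to any Dockerfile/compose pair: a RUN that references /run/secrets without mounting a secret, and a mismatch between mounted ids and declared compose secrets. The checks are simple line scans, not a YAML or Dockerfile parser. The optional docker step only runs when docker is installed.

```shell
#!/bin/sh
# Added example: correct BuildKit secret usage plus two static checks.
# Not code from the question or answer; names below are assumed placeholders.
set -eu

WORKDIR="${DEMO_DIR:-./secret-build-demo}"

# Writes a compose file, a Dockerfile and a constructed placeholder secret.
write_demo() {
  mkdir -p "$WORKDIR"
  printf 'PLACEHOLDER-CERT-NOT-REAL\n' > "$WORKDIR/ca.pem"   # constructed, not a real cert
  cat > "$WORKDIR/compose.yaml" <<'EOF'
services:
  app:
    build:
      context: .
      secrets:
        - ca_bundle        # must equal the id used in the Dockerfile --mount
secrets:
  ca_bundle:
    file: ./ca.pem
EOF
  cat > "$WORKDIR/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.12-alpine
WORKDIR /app
# The secret exists at /run/secrets/ca_bundle only while this RUN executes.
# "required" makes the build fail if the id does not match the compose file.
# Only a digest prefix is written to the layer; copying the file itself into
# the filesystem would persist it in the image.
RUN --mount=type=secret,id=ca_bundle,required \
    sha256sum /run/secrets/ca_bundle | cut -c1-16 > build.log
# Wrong (kept commented out): a later RUN has no mount, so the file is gone.
# RUN cat /run/secrets/ca_bundle
EOF
}

# Flags RUN instructions that reference /run/secrets but carry no
# --mount=type=secret. Prints offenders; returns 1 if any were found.
lint_dockerfile() {
  # First awk joins backslash-continued lines into one logical instruction.
  awk '
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
    { print buf $0; buf = "" }
  ' "$1" |
  awk '
    /^[[:space:]]*#/ { next }
    /^RUN/ && /\/run\/secrets/ && !/--mount=type=secret/ { print "UNMOUNTED: " $0; bad = 1 }
    END { exit (bad ? 1 : 0) }
  '
}

# Cross-checks mount ids against the names listed in the compose file, in both
# directions (the question's case is a declared secret that is never mounted).
check_ids() {
  df="$1"; cf="$2"; rc=0
  for id in $(sed -n 's/.*type=secret,id=\([A-Za-z0-9_.-]*\).*/\1/p' "$df" | sort -u); do
    grep -Eq "^[[:space:]]*-[[:space:]]*$id([[:space:]]|#|$)" "$cf" \
      || { echo "Dockerfile mounts id=$id but compose declares no such build secret"; rc=1; }
  done
  for name in $(sed -n 's/^[[:space:]]*-[[:space:]]*\([A-Za-z0-9_.-]*\).*/\1/p' "$cf" | sort -u); do
    grep -Eq "type=secret,id=$name(,|[[:space:]]|$)" "$df" \
      || { echo "compose passes secret $name but no RUN mounts it, so it is never visible"; rc=1; }
  done
  return $rc
}

# Optional: build and show that the finished image has no secret file or env var.
verify_with_docker() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found; skipping build"; return 0; }
  ( cd "$WORKDIR" && docker compose build app \
    && docker compose run --rm app sh -c 'ls -la /run/secrets 2>&1; env | grep -c ca_bundle || true' )
}

write_demo
lint_dockerfile "$WORKDIR/Dockerfile"
check_ids "$WORKDIR/Dockerfile" "$WORKDIR/compose.yaml"
verify_with_docker
```

Run it from an empty directory; DEMO_DIR selects the output folder. When docker is present, the final `ls -la /run/secrets` in the running container reports no such file, and the env grep prints 0, which is the behaviour the question observed and the reason the secret has to be consumed inside the mounting RUN.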