
The question has 2 parts. The 1st part, how to add a root certificate, is simple, and we can take a reference from e.g. How do I add a CA root certificate inside a docker image?

The 2nd part, which is what I actually want to ask, is: how to keep the root certificate only at docker build time?

Maybe we can use buildctl and RUN --mount=type=secret, but it cannot cover all cases.

Say I would like to pass sites with self-signed certificates like:

RUN curl https://x01.self-signed-site/obj01
RUN npm install --registry https://x02.self-signed-site/npm
RUN pip install -i https://x03.self-signed-site/pypi/simple
RUN mvn install
...

Thus, we need to configure the certificate for each tool:

(prepare the certificate and prepare .npmrc, .curlrc, ...)
(for curl, npm, pip, we can use env vars; but we cannot guarantee this way works for other tools)

Therefore, we need to download the self-signed certificate into the image and also modify some files to apply the cert config. How to keep the change only at build time (no persistent layer in the final image)?

Doz Parp

1 Answer

We resolved this problem by using docker save and docker load; but currently, docker load does not work as we expect (see also How to keep layers when doing `docker load`).

Anyway, below is our solution in pseudo-code:

docker save -o out.tar <image>
mkdir contents && cd contents
tar xf ../out.tar
open manifest.json, get config <hash>.json as config.json

remove target layers in:
- config.json[history]
- config.json[rootfs][diff_ids]
- manifest.json[0][Layers]

remove layer tarballs (get layer_hashes from manifest.json[0][Layers]):
- <layer_hash>/*

fill gap between missing layers:
- <layer_hash_next>/json[parent] = <layer_hash_prev>

tar cf ../new.tar *
docker rmi <image>
docker load -i ../new.tar

ref: https://github.com/stallpool/track-network-traffic/blob/main/bin/docker_image_cleanup.py

Doz Parp
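The pseudo-code above, written out as a runnable script. This is an added example, not the answerer's docker_image_cleanup.py: it takes a directory produced by `tar xf out.tar` in the legacy `docker save` layout (manifest.json, one `<hash>.json` config, and one `<layer_hash>/` directory per layer holding `layer.tar` and a `json` metadata file), drops the layers at the requested positions from manifest.json, the config's `rootfs.diff_ids` and `history`, and the layer directories, and then re-links the `parent` chain of the surviving layers. The `empty_layer` handling is an assumption about the config format: only history entries without `empty_layer: true` correspond to a layer tarball, so the i-th layer maps to the i-th non-empty history entry. The fixture in `build_fixture` is constructed here to stand in for a real saved image (three layers, the middle one being the CA-certificate layer).

```python
"""Prune selected layers from an extracted `docker save` tree (added example, not the project's code)."""
import hashlib
import io
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def _non_empty_history_positions(history):
    """Indexes into config['history'] that correspond to real (non-empty) layers, base first."""
    return [i for i, h in enumerate(history) if not h.get("empty_layer", False)]


def remove_layers(root, drop):
    """Delete the layers at positions `drop` (0 = base) from the extracted image under `root`.

    Updates manifest.json[0]['Layers'], the config's rootfs.diff_ids and history,
    removes the dropped layer directories and re-links the survivors' `parent` chain.
    Returns the updated manifest entry.
    """
    root = Path(root)
    manifest_path = root / "manifest.json"
    manifest = json.loads(manifest_path.read_text())
    entry = manifest[0]
    config_path = root / entry["Config"]
    config = json.loads(config_path.read_text())

    layers = entry["Layers"]                       # "<layer_hash>/layer.tar", base first
    diff_ids = config["rootfs"]["diff_ids"]
    hist_pos = _non_empty_history_positions(config["history"])
    if not (len(layers) == len(diff_ids) == len(hist_pos)):
        raise ValueError("manifest Layers, rootfs.diff_ids and non-empty history disagree on layer count")

    drop = set(drop)
    keep = [i for i in range(len(layers)) if i not in drop]

    # Step "remove layer tarballs": delete <layer_hash>/* for every dropped layer.
    for i in drop:
        shutil.rmtree(root / Path(layers[i]).parent)

    # Step "remove target layers" from the three bookkeeping lists.
    drop_hist = {hist_pos[i] for i in drop}
    config["history"] = [h for j, h in enumerate(config["history"]) if j not in drop_hist]
    config["rootfs"]["diff_ids"] = [diff_ids[i] for i in keep]
    entry["Layers"] = [layers[i] for i in keep]

    # Step "fill gap": <layer_hash_next>/json[parent] = <layer_hash_prev> over the survivors.
    prev_id = None
    for rel in entry["Layers"]:
        meta_path = root / Path(rel).parent / "json"
        meta = json.loads(meta_path.read_text())
        if prev_id is None:
            meta.pop("parent", None)               # new base layer has no parent
        else:
            meta["parent"] = prev_id
        meta_path.write_text(json.dumps(meta))
        prev_id = meta["id"]

    config_path.write_text(json.dumps(config))
    manifest_path.write_text(json.dumps(manifest))
    return entry


def build_fixture(root):
    """Constructed stand-in for a real `tar xf out.tar`; returns the three layer ids, base first."""
    root = Path(root)
    ids, diff_ids, layers, prev = [], [], [], None
    for name in ("base", "ca-cert", "app"):
        layer_id = hashlib.sha256(name.encode()).hexdigest()   # constructed id, not a real digest
        d = root / layer_id
        d.mkdir()
        data = f"{name}\n".encode()
        with tarfile.open(d / "layer.tar", "w") as tf:
            info = tarfile.TarInfo(name=f"{name}.txt")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        (d / "VERSION").write_text("1.0")
        meta = {"id": layer_id}
        if prev:
            meta["parent"] = prev
        (d / "json").write_text(json.dumps(meta))
        diff_ids.append("sha256:" + hashlib.sha256((d / "layer.tar").read_bytes()).hexdigest())
        layers.append(f"{layer_id}/layer.tar")
        ids.append(layer_id)
        prev = layer_id
    history = [  # an ENV step produces an empty_layer entry with no tarball behind it
        {"created_by": "FROM scratch"},
        {"created_by": "COPY ca.crt /usr/local/share/ca-certificates/"},
        {"created_by": "ENV PIP_CERT=/usr/local/share/ca-certificates/ca.crt", "empty_layer": True},
        {"created_by": "RUN pip install ..."},
    ]
    config = {"rootfs": {"type": "layers", "diff_ids": diff_ids}, "history": history}
    cfg_name = hashlib.sha256(json.dumps(config).encode()).hexdigest() + ".json"
    (root / cfg_name).write_text(json.dumps(config))
    manifest = [{"Config": cfg_name, "RepoTags": ["example:latest"], "Layers": layers}]
    (root / "manifest.json").write_text(json.dumps(manifest))
    return ids


def demo():
    """Prune the CA-certificate layer (position 1) from the fixture and report what to verify before `docker load`."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ids = build_fixture(root)
        entry = remove_layers(root, drop={1})
        config = json.loads((root / entry["Config"]).read_text())
        app_meta = json.loads((root / ids[2] / "json").read_text())
        return {
            "layers": len(entry["Layers"]),
            "diff_ids": len(config["rootfs"]["diff_ids"]),
            "history": len(config["history"]),
            "cert_dir_exists": (root / ids[1]).exists(),
            "app_parent": app_meta.get("parent"),
            "base_id": ids[0],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats worth checking before re-tarring and running `docker load`: the surviving `diff_ids` must still equal `sha256` of each surviving uncompressed `layer.tar` (they do here because the tarballs are untouched), and the image ID changes because the config file changed, so anything pinned to the old ID will not match. Dropping the layer removes its files only if no later layer copied them elsewhere; a `cp` of the certificate into a tool config directory in a later RUN step survives the pruning, which is why inspecting the remaining layer tarballs for the certificate bytes is the final check.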