After reading Can I access a file in the intermediate layer of docker image? I learned that if the id of an intermediate layer is known, files deleted in a later layer are not concealed. This is what is described as "Don't do this!" in Don't leak your Docker image's build secrets.
But from the links above it looks like the threat only exists if a build log leaks, and thanks to BuildKit the intermediate layer id is no longer revealed, so I understand that there's no threat in the build phase. Then, is it possible for a user to retrieve a layer id from a published image, by docker inspect for example?
Added
Apologies for not being clear. I'm talking about the layer id which can be specified in docker run -it <layer_id>. My concern is the possibility of running a container on a certain layer and leaking the files' content.
As mentioned in Can I access a file in the intermediate layer of docker image?, when building an image without BuildKit the intermediate layer id is revealed and can be specified in docker run -it, so the files are all accessible. But the layer ids retrieved by docker inspect cannot be specified; it results in "Error response from daemon: No such image".
Added
More specifically: if you build an image with this Dockerfile, can you read the content of .env?
FROM alpine:latest
ADD .env /.env
RUN rm /.env
2 Answers
Yes. You can, for example, show all layer IDs with docker inspect <image name> -f '{{.RootFS.Layers}}'. It's not that the intermediate layer ID is no longer revealed. The layer ID must be revealed for Docker's layer caching to work. The reason why BuildKit is more secure is that it gives you options for using secrets besides copying the secrets into the image. If you don't use those options, then BuildKit is no more secure than the previous system.
You can do this using the dive utility, even if you don't know the id of the intermediate layers. Installation instructions: https://github.com/wagoodman/dive#installation
You can build your image as usual, and then you can run:
and then you can dive into each intermediate layer and see the directory structure.