Predefined build-time arguments persisting in the resulting image.

[maynep]

Description

Predefined ARG HTTP_PROXY and HTTPS_PROXY are persisting in the resulting image. Security risk if proxy requires username and password.

Steps to reproduce the issue:

1. docker build using --build-arg HTTP_PROXY=http://username:password@proxy.thing.com:8080/
2. docker run -ti

Describe the results you received:
$ echo $HTTP_PROXY
http://username:password@proxy.thing.com:8080/

Describe the results you expected:
$ echo $HTTP_PROXY

Additional information you deem important (e.g. issue happens only occasionally):
Repeatable

Output of docker version:

$ docker version
Client:
 Version:      1.13.0
 API version:  1.25
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Wed Jan 18 16:20:26 2017
 OS/Arch:      windows/amd64

Server:
 Version:      1.13.0
 API version:  1.25 (minimum version 1.12)
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Wed Jan 18 16:20:26 2017
 OS/Arch:      linux/amd64
 Experimental: true

Output of docker info:

$ docker info
Containers: 13
 Running: 0
 Paused: 0
 Stopped: 13
Images: 4
Server Version: 1.13.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 55
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 2f7393a47307a16f8cee44a37b262e8b81021e3e
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.4-moby
Operating System: Alpine Linux v3.5
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 2.669 GiB
Name: moby
ID: ZQNT:ZJL4:KAGX:4RUB:ZLRE:XY72:MNHL:FJYD:AQSO:XPLY:O7EV:LXZZ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Http Proxy: <removed>
Https Proxy: <removed>
No Proxy: <removed>
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):
Running Docker for Windows

[alexellis]

👍 @maynep I also found something similar with the docker history command. It prevents me from wanting to push any images produced on the corp network with build-args to the public Hub. We don't want to leak the details of our proxy servers to the internet (we don't hard-code the password, but IP/port/DNS could be sensitive)

@justincormack / @dave-tucker

Any thoughts whether this is hard/easy to mask/remove after using --build-arg?

I cannot reproduce the error @maynep is describing though, there is no proxy variable set when I start the container below.

Build with proxy

[alex@nuc d1]$ docker build --build-arg http_proxy=http://192.168.0.1:3128 -t alpineweb .

Watch build.. then check history

Sending build context to Docker daemon 2.048 kB
Step 1 : FROM alpine
 ---> 70c557e50ed6
Step 2 : RUN apk --update add nginx
 ---> Running in 8581534d11e3
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
(1/3) Installing nginx-initscripts (1.8.0-r0)
Executing nginx-initscripts-1.8.0-r0.pre-install
(2/3) Installing pcre (8.38-r1)
(3/3) Installing nginx (1.8.1-r1)
Executing busybox-1.24.1-r7.trigger
OK: 6 MiB in 14 packages
 ---> a434e63c51e2
Removing intermediate container 8581534d11e3
Successfully built a434e63c51e2
[alex@nuc d1]$ docker history alpineweb
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
a434e63c51e2        8 seconds ago       |1 http_proxy=http://192.168.0.1:3128 /bin/s   2.207 MB            
70c557e50ed6        11 months ago       /bin/sh -c #(nop) ADD file:81ba6f20bdb99e6c13   4.794 MB            
[alex@nuc d1]$ 

Dockerfile:

FROM alpine

RUN apk --update add nginx

Tested on Docker 1.12.3 on Linux and Docker 1.13 on DfM.

[justincormack]

Cc @dave-tucker

…

On 4 Feb 2017 11:14 a.m., "Alex Ellis" ***@***.***> wrote: 👍 I also found this and it prevents me from wanting to push any images produced with build-args to the public Hub. We don't want to leak the details of our proxy servers to the internet. Any thoughts whether this is hard/easy to mask/remove after using --build-arg @justincormack <https://github.com/justincormack> ? The other place it shows up is on docker history. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#30721 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAdcPHuDNmPVrw5odZVnYCjEdRMQNwcwks5rZE-MgaJpZM4L2kjC> .

[thaJeztah]

Build args show up in the image history as a prefix to each RUN command's instruction (see the output of docker history), which is documented; https://docs.docker.com/engine/reference/builder/#/arg, and the reason they are not intended to contain confidential information.

These variables wont persist in the image as an environment variable though, unless they are are used in (e.g.) an ENV instruction.

What @maynep may be seeing, is that Docker for Mac / Docker for Windows automatically sets *_proxy environment variables when running images as well

[paddy-hack]

@thaJeztah Documenting it is good but it still sucks if your behind an authenticating proxy 😞

Maybe that #30637 can be of help but that would sure get rather ugly

RUN https_proxy=$(cat /run/secrets/https_proxy 2>/dev/null); \
    curl <url>

It would work both with and without the secret available though so is portable.

[dave-tucker]

I think this should be fixed by #31584

[thaJeztah]

Yes; this will be in 17.05