[go: up one dir, main page]

{ const container = $el; // The div with overflow const item = document.getElementById('sidebar-current-page') if (item) { const containerTop = container.scrollTop; const containerBottom = containerTop + container.clientHeight; const itemTop = item.offsetTop - container.offsetTop; const itemBottom = itemTop + item.offsetHeight; // Scroll only if the item is out of view if (itemBottom > containerBottom - 200) { container.scrollTop = itemTop - (container.clientHeight / 2 - item.offsetHeight / 2); } } })" class="md:h-[calc(100vh-64px)] fixed md:sticky top-0 md:top-16 z-40 hidden h-screen flex-none overflow-y-auto overflow-x-hidden bg-background-light dark:bg-gray-dark-100 w-full md:z-auto md:block md:w-[300px]" :class="{ 'hidden': ! $store.showSidebar }">

Bake file reference

The Bake file is a file for defining workflows that you run using docker buildx bake.

File format

You can define your Bake file in the following file formats:

  • HashiCorp Configuration Language (HCL)
  • JSON
  • YAML (Compose file)

By default, Bake uses the following lookup order to find the configuration file:

  1. compose.yaml
  2. compose.yml
  3. docker-compose.yml
  4. docker-compose.yaml
  5. docker-bake.json
  6. docker-bake.override.json
  7. docker-bake.hcl
  8. docker-bake.override.hcl

You can specify the file location explicitly using the --file flag:

$ docker buildx bake --file ../docker/bake.hcl --print

If you don't specify a file explicitly, Bake searches for the file in the current working directory. If more than one Bake file is found, all files are merged into a single definition. Files are merged according to the lookup order. That means that if your project contains both a compose.yaml file and a docker-bake.hcl file, Bake loads the compose.yaml file first, and then the docker-bake.hcl file.

If merged files contain duplicate attribute definitions, those definitions are either merged or overridden by the last occurrence, depending on the attribute. The following attributes are overridden by the last occurrence:

  • target.cache-to
  • target.dockerfile-inline
  • target.dockerfile
  • target.outputs
  • target.platforms
  • target.pull
  • target.tags
  • target.target

For example, if compose.yaml and docker-bake.hcl both define the tags attribute, the docker-bake.hcl is used.

$ cat compose.yaml
services:
  webapp:
    build:
      context: .
      tags:
        - bar
$ cat docker-bake.hcl
target "webapp" {
  tags = ["foo"]
}
$ docker buildx bake --print webapp
{
  "group": {
    "default": {
      "targets": [
        "webapp"
      ]
    }
  },
  "target": {
    "webapp": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "tags": [
        "foo"
      ]
    }
  }
}

All other attributes are merged. For example, if compose.yaml and docker-bake.hcl both define unique entries for the labels attribute, all entries are included. Duplicate entries for the same label are overridden.

$ cat compose.yaml
services:
  webapp:
    build:
      context: .
      labels: 
        com.example.foo: "foo"
        com.example.name: "Alice"
$ cat docker-bake.hcl
target "webapp" {
  labels = {
    "com.example.bar" = "bar"
    "com.example.name" = "Bob"
  }
}
$ docker buildx bake --print webapp
{
  "group": {
    "default": {
      "targets": [
        "webapp"
      ]
    }
  },
  "target": {
    "webapp": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "labels": {
        "com.example.foo": "foo",
        "com.example.bar": "bar",
        "com.example.name": "Bob"
      }
    }
  }
}

Syntax

The Bake file supports the following property types:

  • target: build targets
  • group: collections of build targets
  • variable: build arguments and variables
  • function: custom Bake functions

You define properties as hierarchical blocks in the Bake file. You can assign one or more attributes to a property.

The following snippet shows a JSON representation of a simple Bake file. This Bake file defines three properties: a variable, a group, and a target.

{
  "variable": {
    "TAG": {
      "default": "latest"
    }
  },
  "group": {
    "default": {
      "targets": ["webapp"]
    }
  },
  "target": {
    "webapp": {
      "dockerfile": "Dockerfile",
      "tags": ["docker.io/username/webapp:${TAG}"]
    }
  }
}

In the JSON representation of a Bake file, properties are objects, and attributes are values assigned to those objects.

The following example shows the same Bake file in the HCL format:

variable "TAG" {
  default = "latest"
}

group "default" {
  targets = ["webapp"]
}

target "webapp" {
  dockerfile = "Dockerfile"
  tags = ["docker.io/username/webapp:${TAG}"]
}

HCL is the preferred format for Bake files. Aside from syntactic differences, HCL lets you use features that the JSON and YAML formats don't support.

The examples in this document use the HCL format.

Target

A target reflects a single docker build invocation. Consider the following build command:

$ docker build \
  --file=Dockerfile.webapp \
  --tag=docker.io/username/webapp:latest \
  https://github.com/username/webapp

You can express this command in a Bake file as follows:

target "webapp" {
  dockerfile = "Dockerfile.webapp"
  tags = ["docker.io/username/webapp:latest"]
  context = "https://github.com/username/webapp"
}

The following table shows the complete list of attributes that you can assign to a target:

NameTypeDescription
argsMapBuild arguments
annotationsListExporter annotations
attestListBuild attestations
cache-fromListExternal cache sources
cache-toListExternal cache destinations
contextStringSet of files located in the specified path or URL
contextsMapAdditional build contexts
dockerfile-inlineStringInline Dockerfile string
dockerfileStringDockerfile location
inheritsListInherit attributes from other targets
labelsMapMetadata for images
matrixMapDefine a set of variables that forks a target into multiple targets.
nameStringOverride the target name when using a matrix.
no-cache-filterListDisable build cache for specific stages
no-cacheBooleanDisable build cache completely
outputListOutput destinations
platformsListTarget platforms
pullBooleanAlways pull images
secretListSecrets to expose to the build
shm-sizeListSize of /dev/shm
sshListSSH agent sockets or keys to expose to the build
tagsListImage names and tags
targetStringTarget build stage
ulimitsListUlimit options

target.args

Use the args attribute to define build arguments for the target. This has the same effect as passing a --build-arg flag to the build command.

target "default" {
  args = {
    VERSION = "0.0.0+unknown"
  }
}

You can set args attributes to use null values. Doing so forces the target to use the ARG value specified in the Dockerfile.

variable "GO_VERSION" {
  default = "1.20.3"
}

target "webapp" {
  dockerfile = "webapp.Dockerfile"
  tags = ["docker.io/username/webapp"]
}

target "db" {
  args = {
    GO_VERSION = null
  }
  dockerfile = "db.Dockerfile"
  tags = ["docker.io/username/db"]
}

target.annotations

The annotations attribute lets you add annotations to images built with bake. The key takes a list of annotations, in the format of KEY=VALUE.

target "default" {
  output = ["type=image,name=foo"]
  annotations = ["org.opencontainers.image.authors=dvdksn"]
}

is the same as

target "default" {
  output = ["type=image,name=foo,annotation.org.opencontainers.image.authors=dvdksn"]
}

By default, the annotation is added to image manifests. You can configure the level of the annotations by adding a prefix to the annotation, containing a comma-separated list of all the levels that you want to annotate. The following example adds annotations to both the image index and manifests.

target "default" {
  output = ["type=image,name=foo"]
  annotations = ["index,manifest:org.opencontainers.image.authors=dvdksn"]
}

Read about the supported levels in Specifying annotation levels.

target.attest

The attest attribute lets you apply build attestations to the target. This attribute accepts the long-form CSV version of attestation parameters.

target "default" {
  attest = [
    "type=provenance,mode=min",
    "type=sbom"
  ]
}

target.cache-from

Build cache sources. The builder imports cache from the locations you specify. It uses the Buildx cache storage backends, and it works the same way as the --cache-from flag. This takes a list value, so you can specify multiple cache sources.

target "app" {
  cache-from = [
    "type=s3,region=eu-west-1,bucket=mybucket",
    "user/repo:cache",
  ]
}

target.cache-to

Build cache export destinations. The builder exports its build cache to the locations you specify. It uses the Buildx cache storage backends, and it works the same way as the --cache-to flag. This takes a list value, so you can specify multiple cache export targets.

target "app" {
  cache-to = [
    "type=s3,region=eu-west-1,bucket=mybucket",
    "type=inline"
  ]
}

target.context

Specifies the location of the build context to use for this target. Accepts a URL or a directory path. This is the same as the build context positional argument that you pass to the build command.

target "app" {
  context = "./src/www"
}

This resolves to the current working directory (".") by default.

$ docker buildx bake --print -f - <<< 'target "default" {}'
[+] Building 0.0s (0/0)
{
  "target": {
    "default": {
      "context": ".",
      "dockerfile": "Dockerfile"
    }
  }
}

target.contexts

Additional build contexts. This is the same as the --build-context flag. This attribute takes a map, where keys result in named contexts that you can reference in your builds.

You can specify different types of contexts, such local directories, Git URLs, and even other Bake targets. Bake automatically determines the type of a context based on the pattern of the context value.

Context typeExample
Container imagedocker-image://alpine@sha256:0123456789
Git URLhttps://github.com/user/proj.git
HTTP URLhttps://example.com/files
Local directory../path/to/src
Bake targettarget:base

Pin an image version

# docker-bake.hcl
target "app" {
    contexts = {
        alpine = "docker-image://alpine:3.13"
    }
}
# Dockerfile
FROM alpine
RUN echo "Hello world"

Use a local directory

# docker-bake.hcl
target "app" {
    contexts = {
        src = "../path/to/source"
    }
}
# Dockerfile
FROM scratch AS src
FROM golang
COPY --from=src . .

Use another target as base

Note

You should prefer to use regular multi-stage builds over this option. You can Use this feature when you have multiple Dockerfiles that can't be easily merged into one.

# docker-bake.hcl
target "base" {
    dockerfile = "baseapp.Dockerfile"
}
target "app" {
    contexts = {
        baseapp = "target:base"
    }
}
# Dockerfile
FROM baseapp
RUN echo "Hello world"

target.dockerfile-inline

Uses the string value as an inline Dockerfile for the build target.

target "default" {
  dockerfile-inline = "FROM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
}

The dockerfile-inline takes precedence over the dockerfile attribute. If you specify both, Bake uses the inline version.

target.dockerfile

Name of the Dockerfile to use for the build. This is the same as the --file flag for the docker build command.

target "default" {
  dockerfile = "./src/www/Dockerfile"
}

Resolves to "Dockerfile" by default.

$ docker buildx bake --print -f - <<< 'target "default" {}'
[+] Building 0.0s (0/0)
{
  "target": {
    "default": {
      "context": ".",
      "dockerfile": "Dockerfile"
    }
  }
}

target.entitlements

Entitlements are permissions that the build process requires to run.

Currently supported entitlements are:

  • network.host: Allows the build to use commands that access the host network. In Dockerfile, use RUN --network=host to run a command with host network enabled.

  • security.insecure: Allows the build to run commands in privileged containers that are not limited by the default security sandbox. Such container may potentially access and modify system resources. In Dockerfile, use RUN --security=insecure to run a command in a privileged container.

target "integration-tests" {
  # this target requires privileged containers to run nested containers
  entitlements = ["security.insecure"]
}

Entitlements are enabled with a two-step process. First, a target must declare the entitlements it requires. Secondly, when invoking the bake command, the user must grant the entitlements by passing the --allow flag or confirming the entitlements when prompted in an interactive terminal. This is to ensure that the user is aware of the possibly insecure permissions they are granting to the build process.

target.inherits

A target can inherit attributes from other targets. Use inherits to reference from one target to another.

In the following example, the app-dev target specifies an image name and tag. The app-release target uses inherits to reuse the tag name.

variable "TAG" {
  default = "latest"
}

target "app-dev" {
  tags = ["docker.io/username/myapp:${TAG}"]
}

target "app-release" {
  inherits = ["app-dev"]
  platforms = ["linux/amd64", "linux/arm64"]
}

The inherits attribute is a list, meaning you can reuse attributes from multiple other targets. In the following example, the app-release target reuses attributes from both the app-dev and _release targets.

target "app-dev" {
  args = {
    GO_VERSION = "1.20"
    BUILDX_EXPERIMENTAL = 1
  }
  tags = ["docker.io/username/myapp"]
  dockerfile = "app.Dockerfile"
  labels = {
    "org.opencontainers.image.source" = "https://github.com/username/myapp"
  }
}

target "_release" {
  args = {
    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
    BUILDX_EXPERIMENTAL = 0
  }
}

target "app-release" {
  inherits = ["app-dev", "_release"]
  platforms = ["linux/amd64", "linux/arm64"]
}

When inheriting attributes from multiple targets and there's a conflict, the target that appears last in the inherits list takes precedence. The previous example defines the BUILDX_EXPERIMENTAL argument twice for the app-release target. It resolves to 0 because the _release target appears last in the inheritance chain:

$ docker buildx bake --print app-release
[+] Building 0.0s (0/0)
{
  "group": {
    "default": {
      "targets": [
        "app-release"
      ]
    }
  },
  "target": {
    "app-release": {
      "context": ".",
      "dockerfile": "app.Dockerfile",
      "args": {
        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
        "BUILDX_EXPERIMENTAL": "0",
        "GO_VERSION": "1.20"
      },
      "labels": {
        "org.opencontainers.image.source": "https://github.com/username/myapp"
      },
      "tags": [
        "docker.io/username/myapp"
      ],
      "platforms": [
        "linux/amd64",
        "linux/arm64"
      ]
    }
  }
}

target.labels

Assigns image labels to the build. This is the same as the --label flag for docker build.

target "default" {
  labels = {
    "org.opencontainers.image.source" = "https://github.com/username/myapp"
    "com.docker.image.source.entrypoint" = "Dockerfile"
  }
}

It's possible to use a null value for labels. If you do, the builder uses the label value specified in the Dockerfile.

target.matrix

A matrix strategy lets you fork a single target into multiple different variants, based on parameters that you specify. This works in a similar way to [Matrix strategies for GitHub Actions]. You can use this to reduce duplication in your bake definition.

The matrix attribute is a map of parameter names to lists of values. Bake builds each possible combination of values as a separate target.

Each generated target must have a unique name. To specify how target names should resolve, use the name attribute.

The following example resolves the app target to app-foo and app-bar. It also uses the matrix value to define the target build stage.

target "app" {
  name = "app-${tgt}"
  matrix = {
    tgt = ["foo", "bar"]
  }
  target = tgt
}
$ docker buildx bake --print app
[+] Building 0.0s (0/0)
{
  "group": {
    "app": {
      "targets": [
        "app-foo",
        "app-bar"
      ]
    },
    "default": {
      "targets": [
        "app"
      ]
    }
  },
  "target": {
    "app-bar": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "target": "bar"
    },
    "app-foo": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "target": "foo"
    }
  }
}

Multiple axes

You can specify multiple keys in your matrix to fork a target on multiple axes. When using multiple matrix keys, Bake builds every possible variant.

The following example builds four targets:

  • app-foo-1-0
  • app-foo-2-0
  • app-bar-1-0
  • app-bar-2-0
target "app" {
  name = "app-${tgt}-${replace(version, ".", "-")}"
  matrix = {
    tgt = ["foo", "bar"]
    version = ["1.0", "2.0"]
  }
  target = tgt
  args = {
    VERSION = version
  }
}

Multiple values per matrix target

If you want to differentiate the matrix on more than just a single value, you can use maps as matrix values. Bake creates a target for each map, and you can access the nested values using dot notation.

The following example builds two targets:

  • app-foo-1-0
  • app-bar-2-0
target "app" {
  name = "app-${item.tgt}-${replace(item.version, ".", "-")}"
  matrix = {
    item = [
      {
        tgt = "foo"
        version = "1.0"
      },
      {
        tgt = "bar"
        version = "2.0"
      }
    ]
  }
  target = item.tgt
  args = {
    VERSION = item.version
  }
}

target.name

Specify name resolution for targets that use a matrix strategy. The following example resolves the app target to app-foo and app-bar.

target "app" {
  name = "app-${tgt}"
  matrix = {
    tgt = ["foo", "bar"]
  }
  target = tgt
}

target.network

Specify the network mode for the whole build request. This will override the default network mode for all the RUN instructions in the Dockerfile. Accepted values are default, host, and none.

Usually, a better approach to set the network mode for your build steps is to instead use RUN --network=<value> in your Dockerfile. This way, you can set the network mode for individual build steps and everyone building the Dockerfile gets consistent behavior without needing to pass additional flags to the build command.

If you set network mode to host in your Bake file, you must also grant network.host entitlement when invoking the bake command. This is because host network mode requires elevated privileges and can be a security risk. You can pass --allow=network.host to the docker buildx bake command to grant the entitlement, or you can confirm the entitlement when prompted if you are using an interactive terminal.

target "app" {
  # make sure this build does not access internet
  network = "none"
}

target.no-cache-filter

Don't use build cache for the specified stages. This is the same as the --no-cache-filter flag for docker build. The following example avoids build cache for the foo build stage.

target "default" {
  no-cache-filter = ["foo"]
}

target.no-cache

Don't use cache when building the image. This is the same as the --no-cache flag for docker build.

target "default" {
  no-cache = 1
}

target.output

Configuration for exporting the build output. This is the same as the --output flag. The following example configures the target to use a cache-only output,

target "default" {
  output = ["type=cacheonly"]
}

target.platforms

Set target platforms for the build target. This is the same as the --platform flag. The following example creates a multi-platform build for three architectures.

target "default" {
  platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7"]
}

target.pull

Configures whether the builder should attempt to pull images when building the target. This is the same as the --pull flag for docker build. The following example forces the builder to always pull all images referenced in the build target.

target "default" {
  pull = true
}

target.secret

Defines secrets to expose to the build target. This is the same as the --secret flag.

variable "HOME" {
  default = null
}

target "default" {
  secret = [
    "type=env,id=KUBECONFIG",
    "type=file,id=aws,src=${HOME}/.aws/credentials"
  ]
}

This lets you mount the secret in your Dockerfile.

RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
    aws cloudfront create-invalidation ...
RUN --mount=type=secret,id=KUBECONFIG,env=KUBECONFIG \
    helm upgrade --install

target.shm-size

Sets the size of the shared memory allocated for build containers when using RUN instructions.

The format is <number><unit>. number must be greater than 0. Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If you omit the unit, the system uses bytes.

This is the same as the --shm-size flag for docker build.

target "default" {
  shm-size = "128m"
}

Note

In most cases, it is recommended to let the builder automatically determine the appropriate configurations. Manual adjustments should only be considered when specific performance tuning is required for complex build scenarios.

target.ssh

Defines SSH agent sockets or keys to expose to the build. This is the same as the --ssh flag. This can be useful if you need to access private repositories during a build.

target "default" {
  ssh = ["default"]
}
FROM alpine
RUN --mount=type=ssh \
    apk add git openssh-client \
    && install -m 0700 -d ~/.ssh \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts \
    && git clone git@github.com:user/my-private-repo.git

target.tags

Image names and tags to use for the build target. This is the same as the --tag flag.

target "default" {
  tags = [
    "org/repo:latest",
    "myregistry.azurecr.io/team/image:v1"
  ]
}

target.target

Set the target build stage to build. This is the same as the --target flag.

target "default" {
  target = "binaries"
}

target.ulimits

Ulimits overrides the default ulimits of build's containers when using RUN instructions and are specified with a soft and hard limit as such: <type>=<soft limit>[:<hard limit>], for example:

target "app" {
  ulimits = [
    "nofile=1024:1024"
  ]
}

Note

If you do not provide a hard limit, the soft limit is used for both values. If no ulimits are set, they are inherited from the default ulimits set on the daemon.

Note

In most cases, it is recommended to let the builder automatically determine the appropriate configurations. Manual adjustments should only be considered when specific performance tuning is required for complex build scenarios.

Group

Groups allow you to invoke multiple builds (targets) at once.

group "default" {
  targets = ["db", "webapp-dev"]
}

target "webapp-dev" {
  dockerfile = "Dockerfile.webapp"
  tags = ["docker.io/username/webapp:latest"]
}

target "db" {
  dockerfile = "Dockerfile.db"
  tags = ["docker.io/username/db"]
}

Groups take precedence over targets, if both exist with the same name. The following bake file builds the default group. Bake ignores the default target.

target "default" {
  dockerfile-inline = "FROM ubuntu"
}

group "default" {
  targets = ["alpine", "debian"]
}
target "alpine" {
  dockerfile-inline = "FROM alpine"
}
target "debian" {
  dockerfile-inline = "FROM debian"
}

Variable

The HCL file format supports variable block definitions. You can use variables as build arguments in your Dockerfile, or interpolate them in attribute values in your Bake file.

variable "TAG" {
  default = "latest"
}

target "webapp-dev" {
  dockerfile = "Dockerfile.webapp"
  tags = ["docker.io/username/webapp:${TAG}"]
}

You can assign a default value for a variable in the Bake file, or assign a null value to it. If you assign a null value, Buildx uses the default value from the Dockerfile instead.

You can override variable defaults set in the Bake file using environment variables. The following example sets the TAG variable to dev, overriding the default latest value shown in the previous example.

$ TAG=dev docker buildx bake webapp-dev

Built-in variables

The following variables are built-ins that you can use with Bake without having to define them.

VariableDescription
BAKE_CMD_CONTEXTHolds the main context when building using a remote Bake file.
BAKE_LOCAL_PLATFORMReturns the current platform’s default platform specification (e.g. linux/amd64).

Use environment variable as default

You can set a Bake variable to use the value of an environment variable as a default value:

variable "HOME" {
  default = "$HOME"
}

Interpolate variables into attributes

To interpolate a variable into an attribute string value, you must use curly brackets. The following doesn't work:

variable "HOME" {
  default = "$HOME"
}

target "default" {
  ssh = ["default=$HOME/.ssh/id_rsa"]
}

Wrap the variable in curly brackets where you want to insert it:

  variable "HOME" {
    default = "$HOME"
  }

  target "default" {
-   ssh = ["default=$HOME/.ssh/id_rsa"]
+   ssh = ["default=${HOME}/.ssh/id_rsa"]
  }

Before you can interpolate a variable into an attribute, first you must declare it in the bake file, as demonstrated in the following example.

$ cat docker-bake.hcl
target "default" {
  dockerfile-inline = "FROM ${BASE_IMAGE}"
}
$ docker buildx bake
[+] Building 0.0s (0/0)
docker-bake.hcl:2
--------------------
   1 |     target "default" {
   2 | >>>   dockerfile-inline = "FROM ${BASE_IMAGE}"
   3 |     }
   4 |
--------------------
ERROR: docker-bake.hcl:2,31-41: Unknown variable; There is no variable named "BASE_IMAGE"., and 1 other diagnostic(s)
$ cat >> docker-bake.hcl

variable "BASE_IMAGE" {
  default = "alpine"
}

$ docker buildx bake
[+] Building 0.6s (5/5) FINISHED

Function

A set of general-purpose functions provided by go-cty are available for use in HCL files:

# docker-bake.hcl
target "webapp-dev" {
  dockerfile = "Dockerfile.webapp"
  tags = ["docker.io/username/webapp:latest"]
  args = {
    buildno = "${add(123, 1)}"
  }
}

In addition, user defined functions are also supported:

# docker-bake.hcl
function "increment" {
  params = [number]
  result = number + 1
}

target "webapp-dev" {
  dockerfile = "Dockerfile.webapp"
  tags = ["docker.io/username/webapp:latest"]
  args = {
    buildno = "${increment(123)}"
  }
}

Note

See User defined HCL functions page for more details.