[feature request] support setting build-time environment variables

[chmeliik]

As developers of a CI system that uses buildah for building (https://konflux-ci.dev/), we have a need to dynamically set environment variables at build time (for the RUN instructions in a Containerfile).¹

We didn't find any great way to achieve that at present. The options we considered:

• --build-arg
  • Requires the ARGs to be defined up-front in the Containerfile (or requires modifying the Container dynamically to inject them)
  • ARGs have a lower precedence than ENV. The Containerfile or the parent image may already be setting the variable via ENV => we're not able to override it
• --env
  • Sets the environment variable in the image config, which we want to avoid. We want to set the environment variables only at build time
• Inject a .env shell script into the build using --volume. Dynamically modify the RUN instructions in the Containerfile to source this shell script before doing the rest of the command(s)
  • This is the option we currently use, despite the problems
  • Modifying the RUN instructions is error-prone. We don't even support all the possible forms (e.g. exec form and heredoc form - related issue)
  • Some users are uncomfortable with having their Containerfile dynamically modified

It would be awesome if we could set build-time environment variables more easily. Some options that could work:

• Buildah currently supports the env array from the engine table in containers.conf. Would it be reasonable to support env from the containers table as well and use these for the RUN environment?
  • Or, would it be reasonable for the [engine.env] variables to propagate to RUN instructions?
• A new --build-env CLI option for buildah build that would set environment variables for RUN instructions but wouldn't set them on the resulting image config.

Footnotes

1. For example, we set GOMODCACHE to a pre-populated cache directory that we mount into the build using --volume. We do a similar thing for Python builds - pointing pip to a directory instead of an index server using PIP_FIND_LINKS. ↩

[flouthoc]

One hack which can be done is dump all the env into a file in contextdir and use
RUN --mount=type=bind,src=myfile.sh,target=myfile.sh,Z source myfile.sh <do other operation>

@chmeliik Any thoughts ?

[chmeliik]

One hack which can be done is dump all the env into a file in contextdir and use RUN --mount=type=bind,src=myfile.sh,target=myfile.sh,Z source myfile.sh <do other operation>

@chmeliik Any thoughts ?

That's pretty much what we currently do

Inject a .env shell script into the build using --volume. Dynamically modify the RUN instructions ...

With the downsides mentioned in the issue description.

For more context: we don't own the Containerfiles we build. A user supplies the Containerfile, and we'd like the ability to set build-time environment variables without having to modify their Containerfile.