by trenchpilgrim 236 days ago
If you are adding security keys and git repos to your final shipped image you are doing things very wrong - a container image is literally a tarball and some metadata about how to run the executables inside. Even if you need that data to build your application you should use a multi-stage build to include only the final artifacts in the image you ship.

For stuff like security keys you should typically add them as build --args-- secrets, not as content in the image.


> For stuff like security keys you should typically add them as build args, not as content in the image.

Build args are content in the image: https://docs.docker.com/reference/build-checks/secrets-used-...

> For stuff like security keys you should typically add them as build args, not as content in the image.

Do not use build arguments for anything secret. The values are committed into the image layers.

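The two comments above make the same point: an ARG value used in a RUN step is recorded in that layer's history entry, so `docker history --no-trunc` or `docker image inspect` on the pushed image shows it to anyone who can pull it. As an added example (not code from the thread or from Docker's own documentation), the script below writes the leaky pattern next to the secret-mount version and includes a small lint that flags ARG/ENV instructions whose names look like secrets. The registry URL, secret id `pip_token`, package name and file paths are constructed for illustration; the `docker build --secret` and `docker history` commands are shown in comments and are not run here.

```shell
#!/bin/sh
# Added example, not from the original thread. Dockerfile contents below are
# constructed; the registry host, secret id and package names are assumptions.

# 1. Leaky pattern: the ARG value becomes part of the layer metadata.
#    After `docker build --build-arg PIP_INDEX_TOKEN=... -t app .`,
#    `docker history --no-trunc app` prints the RUN line with the value in it.
write_leaky_dockerfile() {
  cat > "$1" <<'EOF'
FROM python:3.12-slim
ARG PIP_INDEX_TOKEN
RUN pip install --index-url "https://__token__:${PIP_INDEX_TOKEN}@pypi.example.internal/simple" internal-lib
COPY main.py /app/main.py
CMD ["python", "/app/main.py"]
EOF
}

# 2. Fixed pattern: the secret is mounted only for the duration of the RUN
#    step and never written into a layer; the multi-stage build then copies
#    only the installed dependencies into the shipped image. Build with:
#      docker build --secret id=pip_token,src=./pip_token.txt -t app .
write_fixed_dockerfile() {
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.12-slim AS build
RUN --mount=type=secret,id=pip_token \
    pip install --index-url "https://__token__:$(cat /run/secrets/pip_token)@pypi.example.internal/simple" \
    --target /opt/deps internal-lib

FROM python:3.12-slim
COPY --from=build /opt/deps /opt/deps
ENV PYTHONPATH=/opt/deps
COPY main.py /app/main.py
CMD ["python", "/app/main.py"]
EOF
}

# 3. Lint: print the name of every ARG/ENV whose name suggests a secret.
#    Run it in CI against each Dockerfile; a non-empty result is a finding.
#    (Name-based matching only: it will not catch a secret hidden behind an
#    innocuous name, so treat it as a guard rail, not proof of absence.)
find_secret_args() {
  grep -iE '^[[:space:]]*(ARG|ENV)[[:space:]]+[A-Za-z_]*(TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL)' "$1" \
    | awk '{ sub(/=.*/, "", $2); print $2 }'
}

# Demonstration on the two constructed Dockerfiles.
workdir=$(mktemp -d)
write_leaky_dockerfile "$workdir/Dockerfile.leaky"
write_fixed_dockerfile "$workdir/Dockerfile.fixed"
echo "leaky: $(find_secret_args "$workdir/Dockerfile.leaky")"
echo "fixed: $(find_secret_args "$workdir/Dockerfile.fixed")"
rm -rf "$workdir"
```

The secret mount requires BuildKit (the `# syntax=docker/dockerfile:1` line and a Docker version where BuildKit is the default builder). The lint is deliberately simple: it only looks at names, so an `ARG REGISTRY_URL` that embeds a token in the value would pass it.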
Yep. The only valid use case I can think of is using the secret for something else, e.g. connecting to an internal package registry, in which case the secret mounts may help.
Yeah, typically, but in this case they're committing and committing in the container image, and saving changes from running software. Not only that, they're committing log files into the image, which is crazy.

The thing here is they're using Docker container images as if they were VM disks and they end up with images with almost 300 layers, like in this case. I think LXC or VMs should be a better case for this (but I don't know if they've tested it or why they are using Docker).

That’s nice, but you still shouldn’t be looking into your customer’s containers.
How else do they diagnose issues? Sorry to break it to you, this is absolutely standard across the entire industry.
Evict the containers, let the customer know and get customer approval to work with their images.
What about this case where the container was working but was consuming overhead due to an infrastructure issue? Customer hasn't done anything wrong. If you stop their containers they'll likely leave for a competitor.
You have approval in the terms of service. This is absolutely known and expected across the entire industry. It's why your employees have clauses in their contracts about respecting third party confidentiality.