In Docker Build, build arguments (ARG) and environment variables (ENV) both serve as a means to pass information into the build process.
You can use them to parameterize the build, allowing for more flexible and configurable builds.
[!WARNING]
Build arguments and environment variables are inappropriate for passing secrets to your build, because they're exposed in the final image. Instead, use secret mounts or SSH mounts, which expose secrets to your builds securely.
See Build secrets for more information.
Similarities and differences#
Build arguments and environment variables are similar.
They're both declared in the Dockerfile and can be set using flags for the docker build command.
Both can be used to parameterize the build.
But they each serve a distinct purpose.
Build arguments#
Build arguments are variables for the Dockerfile itself. Use them to parameterize values of Dockerfile instructions. For example, you might use a build argument to specify the version of a dependency to install.
Build arguments have no effect on the build unless they're used in an instruction. They're not accessible or present in containers instantiated from the image unless explicitly passed through from the Dockerfile into the image filesystem or configuration. They may persist in the image metadata, as provenance attestations and in the image history, which is why they're not suitable for holding secrets.
They make Dockerfiles more flexible, and easier to maintain.
For an example on how you can use build arguments, see ARG usage example.
Environment variables#
Environment variables are passed through to the build execution environment, and persist in containers instantiated from the image.
Environment variables are primarily used to:
- Configure the execution environment for builds
- Set default environment variables for containers
Environment variables, if set, can directly influence the execution of your build, and the behavior or configuration of the application.
You can't override or set an environment variable at build-time. Values for environment variables must be declared in the Dockerfile. You can combine environment variables and build arguments to allow environment variables to be configured at build-time.
For an example on how to use environment variables for configuring builds, see ENV usage example.
ARG usage example#
Build arguments are commonly used to specify versions of components, such as image variants or package versions, used in a build.
Specifying versions as build arguments lets you build with different versions without having to manually update the Dockerfile. It also makes it easier to maintain the Dockerfile, since it lets you declare versions at the top of the file.
Build arguments can also be a way to reuse a value in multiple places.
For example, if you use multiple flavors of alpine in your build, you can ensure you're using the same version of alpine everywhere:
golang:1.22-alpine${ALPINE_VERSION}
python:3.12-alpine${ALPINE_VERSION}
nginx:1-alpine${ALPINE_VERSION}
The following example defines the version of node and alpine using build arguments.
# syntax=docker/dockerfile:1
ARG NODE_VERSION="\{\{\% param example_node_version \%\}\}"
ARG ALPINE_VERSION="\{\{\% param example_alpine_version \%\}\}"
FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} AS base
WORKDIR /src
FROM base AS build
COPY package*.json ./
RUN npm ci
RUN npm run build
FROM base AS production
COPY package*.json ./
RUN npm ci --omit=dev && npm cache clean --force
COPY --from=build /src/dist/ .
CMD ["node", "app.js"]
In this case, the build arguments have default values.
Specifying their values when you invoke a build is optional.
To override the defaults, you would use the --build-arg CLI flag:
$ docker build --build-arg NODE_VERSION=current .
ENV usage example#
Declaring an environment variable with ENV makes the variable available to all subsequent instructions in the build stage.
The following example sets NODE_ENV to production before installing JavaScript dependencies with npm.
Setting the variable makes npm omit packages needed only for local development.
# syntax=docker/dockerfile:1
FROM node:20
WORKDIR /app
COPY package*.json ./
ENV NODE_ENV=production
RUN npm ci && npm cache clean --force
COPY . .
CMD ["node", "app.js"]
Environment variables aren't configurable at build-time by default.
If you want to change the value of an ENV at build-time, you can combine environment variables and build arguments:
# syntax=docker/dockerfile:1
FROM node:20
ARG NODE_ENV=production
ENV NODE_ENV=$NODE_ENV
WORKDIR /app
COPY package*.json ./
RUN npm ci && npm cache clean --force
COPY . .
CMD ["node", "app.js"]
With this Dockerfile, you can use --build-arg to override the default value of ENV:
$ docker build --build-arg NODE_ENV=development .
Note that, because the environment variables you set persist in containers, using them can lead to unintended side-effects for the application's runtime.
Scoping#
Build arguments declared in the global scope of a Dockerfile aren't automatically inherited into the build stages. They're only accessible in the global scope.
# syntax=docker/dockerfile:1
# The following build argument is declared in the global scope:
ARG NAME="joe"
FROM alpine
# The following instruction doesn't have access to the $NAME build argument
# because the argument was defined in the global scope, not for this stage.
RUN echo "hello ${NAME}!"
The echo command in this example evaluates to hello ! because the value of the NAME build argument is out of scope.
To inherit global build arguments into a stage, you must consume them:
# syntax=docker/dockerfile:1
# Declare the build argument in the global scope
ARG NAME="joe"
FROM alpine
# Consume the build argument in the build stage
ARG NAME
RUN echo $NAME
Once a build argument is declared or consumed in a stage, it's automatically inherited by child stages.
# syntax=docker/dockerfile:1
FROM alpine AS base
# Declare the build argument in the build stage
ARG NAME="joe"
# Create a new stage based on "base"
FROM base AS build
# The NAME build argument is available here
# since it's declared in a parent stage
RUN echo "hello $NAME!"
The following diagram further exemplifies how build argument and environment variable inheritance works for multi-stage builds.
[Figure: build argument and environment variable inheritance in multi-stage builds]
Pre-defined build arguments#
This section describes pre-defined build arguments available to all builds by default.
Multi-platform build arguments#
Multi-platform build arguments describe the build and target platforms for the build.
The build platform is the operating system, architecture, and platform variant of the host system where the builder (the BuildKit daemon) is running.
BUILDPLATFORM
BUILDOS
BUILDARCH
BUILDVARIANT
The target platform arguments hold the same values for the target platforms for the build, specified using the --platform flag for the docker build command.
TARGETPLATFORM
TARGETOS
TARGETARCH
TARGETVARIANT
These arguments are useful for doing cross-compilation in multi-platform builds. They're available in the global scope of the Dockerfile, but they aren't automatically inherited by build stages. To use them inside a stage, you must declare them:
# syntax=docker/dockerfile:1
# Pre-defined build arguments are available in the global scope
FROM --platform=$BUILDPLATFORM golang
# To inherit them to a stage, declare them with ARG
ARG TARGETOS
RUN GOOS=$TARGETOS go build -o ./exe .
For more information about multi-platform build arguments, refer to Multi-platform arguments.
Proxy arguments#
Proxy build arguments let you specify proxies to use for your build.
You don't need to declare or reference these arguments in the Dockerfile.
Specifying a proxy with --build-arg is enough to make your build use the proxy.
Proxy arguments are automatically excluded from the build cache and the output of docker history by default.
If you do reference the arguments in your Dockerfile, the proxy configuration ends up in the build cache.
The builder respects the following proxy build arguments. The variables are case insensitive.
HTTP_PROXY
HTTPS_PROXY
FTP_PROXY
NO_PROXY
ALL_PROXY
To configure a proxy for your build:
$ docker build --build-arg HTTP_PROXY=https://my-proxy.example.com .
For more information about proxy build arguments, refer to Proxy arguments.
Build tool configuration variables#
The following environment variables enable, disable, or change the behavior of Buildx and BuildKit.
Note that these variables aren't used to configure the build container; they aren't available inside the build and they have no relation to the ENV instruction.
They're used to configure the Buildx client, or the BuildKit daemon.
Variable | Type | Description |
---|---|---|
BUILDKIT_COLORS | String | Configure text color for the terminal output. |
BUILDKIT_HOST | String | Specify host to use for remote builders. |
BUILDKIT_PROGRESS | String | Configure type of progress output. |
BUILDKIT_TTY_LOG_LINES | String | Number of log lines (for active steps in TTY mode). |
BUILDX_BAKE_GIT_AUTH_HEADER | String | HTTP authentication scheme for remote Bake files. |
BUILDX_BAKE_GIT_AUTH_TOKEN | String | HTTP authentication token for remote Bake files. |
BUILDX_BAKE_GIT_SSH | String | SSH authentication for remote Bake files. |
BUILDX_BUILDER | String | Specify the builder instance to use. |
BUILDX_CONFIG | String | Specify location for configuration, state, and logs. |
BUILDX_EXPERIMENTAL | Boolean | Turn on experimental features. |
BUILDX_GIT_CHECK_DIRTY | Boolean | Enable dirty Git checkout detection. |
BUILDX_GIT_INFO | Boolean | Remove Git information in provenance attestations. |
BUILDX_GIT_LABELS | String or Boolean | Add Git provenance labels to images. |
BUILDX_NO_DEFAULT_ATTESTATIONS | Boolean | Turn off default provenance attestations. |
BUILDX_NO_DEFAULT_LOAD | Boolean | Turn off loading images to image store by default. |
EXPERIMENTAL_BUILDKIT_SOURCE_POLICY | String | Specify a BuildKit source policy file. |
BuildKit also supports a few additional configuration parameters. Refer to BuildKit built-in build args.
You can express Boolean values for environment variables in different ways.
For example, true, 1, and T all evaluate to true.
Evaluation is done using the strconv.ParseBool function in the Go standard library.
See the reference documentation for details.
BUILDKIT_COLORS#
Changes the colors of the terminal output. Set BUILDKIT_COLORS to a CSV string in the following format:
$ export BUILDKIT_COLORS="run=123,20,245:error=yellow:cancel=blue:warning=white"
Color values can be any valid RGB hex code, or one of the BuildKit predefined colors.
Setting NO_COLOR to anything turns off colorized output, as recommended by no-color.org.
BUILDKIT_HOST#
Introduced in Buildx version 0.9.0
You use the BUILDKIT_HOST to specify the address of a BuildKit daemon to use as a remote builder. This is the same as specifying the address as a positional argument to docker buildx create.
Usage:
$ export BUILDKIT_HOST=tcp://localhost:1234
$ docker buildx create --name=remote --driver=remote
If you specify both the BUILDKIT_HOST environment variable and a positional argument, the argument takes priority.
BUILDKIT_PROGRESS#
Sets the type of the BuildKit progress output. Valid values are:
- auto (default)
- plain
- tty
- rawjson
Usage:
$ export BUILDKIT_PROGRESS=plain
BUILDKIT_TTY_LOG_LINES#
You can change how many log lines are visible for active steps in TTY mode by setting BUILDKIT_TTY_LOG_LINES to a number (defaults to 6).
$ export BUILDKIT_TTY_LOG_LINES=8
EXPERIMENTAL_BUILDKIT_SOURCE_POLICY#
Lets you specify a BuildKit source policy file for creating reproducible builds with pinned dependencies.
$ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=./policy.json
Example:
{
  "rules": [
    {
      "action": "CONVERT",
      "selector": {
        "identifier": "docker-image://docker.io/library/alpine:latest"
      },
      "updates": {
        "identifier": "docker-image://docker.io/library/alpine:latest@sha256:4edbd2beb5f78b1014028f4fbb99f3237d9561100b6881aabbf5acce2c4f9454"
      }
    },
    {
      "action": "CONVERT",
      "selector": {
        "identifier": "https://raw.githubusercontent.com/moby/buildkit/v0.10.1/README.md"
      },
      "updates": {
        "attrs": {"http.checksum": "sha256:6e4b94fc270e708e1068be28bd3551dc6917a4fc5a61293d51bb36e6b75c4b53"}
      }
    },
    {
      "action": "DENY",
      "selector": {
        "identifier": "docker-image://docker.io/library/golang*"
      }
    }
  ]
}
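A source policy only helps reproducibility if its CONVERT rules actually pin what they rewrite. The following check is an added example, not part of BuildKit or the Docker documentation; it reads a policy in the format shown above and lists CONVERT rules whose update carries no sha256 digest or http.checksum. The function name, the definition of "pinned", and the sample policy are assumptions of this example.

```python
import re

SHA256 = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed policy in the page's format; the digest is a placeholder.
SAMPLE_POLICY = {
    "rules": [
        {"action": "CONVERT",
         "selector": {"identifier": "docker-image://docker.io/library/alpine:latest"},
         "updates": {"identifier":
                     "docker-image://docker.io/library/alpine:latest@sha256:" + "0" * 64}},
        {"action": "CONVERT",
         "selector": {"identifier": "docker-image://docker.io/library/node:20"},
         "updates": {"identifier": "docker-image://docker.io/library/node:20-alpine"}},
        {"action": "CONVERT",
         "selector": {"identifier": "https://example.com/install.sh"},
         "updates": {"attrs": {}}},
        {"action": "DENY",
         "selector": {"identifier": "docker-image://docker.io/library/golang*"}},
    ]
}


def unpinned_rules(policy):
    """Return (rule_index, reason) for CONVERT rules that do not pin their source."""
    problems = []
    for i, rule in enumerate(policy.get("rules", [])):
        if rule.get("action") != "CONVERT":
            continue  # DENY rules block a source; there is nothing to pin
        ident = rule.get("selector", {}).get("identifier", "")
        updates = rule.get("updates", {})
        if ident.startswith("docker-image://"):
            # A pinned image reference ends in @sha256:<64 hex digits>.
            _, _, digest = updates.get("identifier", "").partition("@")
            if not SHA256.fullmatch(digest):
                problems.append((i, "image not pinned to a sha256 digest"))
        elif ident.startswith(("http://", "https://")):
            checksum = updates.get("attrs", {}).get("http.checksum", "")
            if not SHA256.fullmatch(checksum):
                problems.append((i, "http source has no sha256 checksum"))
    return problems
```

For a policy file on disk, pass the result of json.load to unpinned_rules and fail the pipeline when the returned list is not empty.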
BUILDX_BAKE_GIT_AUTH_HEADER#
Introduced in Buildx version 0.14.0
Sets the HTTP authentication scheme when using a remote Bake definition in a private Git repository.
This is equivalent to the GIT_AUTH_HEADER secret, but facilitates the pre-flight authentication in Bake when loading the remote Bake file.
Supported values are bearer (default) and basic.
Usage:
$ export BUILDX_BAKE_GIT_AUTH_HEADER=basic
BUILDX_BAKE_GIT_AUTH_TOKEN#
Introduced in Buildx version 0.14.0
Sets the HTTP authentication token when using a remote Bake definition in a private Git repository.
This is equivalent to the GIT_AUTH_TOKEN secret, but facilitates the pre-flight authentication in Bake when loading the remote Bake file.
Usage:
$ export BUILDX_BAKE_GIT_AUTH_TOKEN=$(cat git-token.txt)
BUILDX_BAKE_GIT_SSH#
Introduced in Buildx version 0.14.0
Lets you specify a list of SSH agent socket filepaths to forward to Bake for authenticating to a Git server when using a remote Bake definition in a private repository. This is similar to SSH mounts for builds, but facilitates the pre-flight authentication in Bake when resolving the build definition.
Setting this environment variable is typically not necessary, because Bake will use the SSH_AUTH_SOCK agent socket by default.
You only need to specify this variable if you want to use a socket with a different filepath.
This variable can take multiple paths using a comma-separated string.
Usage:
$ export BUILDX_BAKE_GIT_SSH=/run/foo/listener.sock,~/.creds/ssh.sock
BUILDX_BUILDER#
Overrides the configured builder instance. Same as the docker buildx --builder CLI flag.
Usage:
$ export BUILDX_BUILDER=my-builder
BUILDX_CONFIG#
You can use BUILDX_CONFIG to specify the directory to use for build configuration, state, and logs. The lookup order for this directory is as follows:
- $BUILDX_CONFIG
- $DOCKER_CONFIG/buildx
- ~/.docker/buildx (default)
Usage:
$ export BUILDX_CONFIG=/usr/local/etc
BUILDX_EXPERIMENTAL#
Enables experimental build features.
Usage:
$ export BUILDX_EXPERIMENTAL=1
BUILDX_GIT_CHECK_DIRTY#
Introduced in Buildx version 0.10.4
When set to true, checks for dirty state in source control information for provenance attestations.
Usage:
$ export BUILDX_GIT_CHECK_DIRTY=1
BUILDX_GIT_INFO#
Introduced in Buildx version 0.10.0
When set to false, removes source control information from provenance attestations.
Usage:
$ export BUILDX_GIT_INFO=0
BUILDX_GIT_LABELS#
Introduced in Buildx version 0.10.0
Adds provenance labels, based on Git information, to images that you build. The labels are:
- com.docker.image.source.entrypoint: Location of the Dockerfile relative to the project root
- org.opencontainers.image.revision: Git commit revision
- org.opencontainers.image.source: SSH or HTTPS address of the repository
Example:
"Labels": {
"com.docker.image.source.entrypoint": "Dockerfile",
"org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b",
"org.opencontainers.image.source": "[email protected]:foo/bar.git"
}
Usage:
- Set BUILDX_GIT_LABELS=1 to include the entrypoint and revision labels.
- Set BUILDX_GIT_LABELS=full to include all labels.
If the repository is in a dirty state, the revision gets a -dirty suffix.
BUILDX_NO_DEFAULT_ATTESTATIONS#
Introduced in Buildx version 0.10.4
By default, BuildKit v0.11 and later adds provenance attestations to images you build. Set BUILDX_NO_DEFAULT_ATTESTATIONS=1 to disable the default provenance attestations.
Usage:
$ export BUILDX_NO_DEFAULT_ATTESTATIONS=1
BUILDX_NO_DEFAULT_LOAD#
When you build an image using the docker driver, the image is automatically loaded to the image store when the build finishes. Set BUILDX_NO_DEFAULT_LOAD to disable automatic loading of images to the local container store.
Usage:
$ export BUILDX_NO_DEFAULT_LOAD=1