8

I'd like to instruct Docker to COPY my certificates from the local /etc/ folder on my Ubuntu machine.

I get the error:

```
COPY failed: file not found in build context or excluded by .dockerignore: stat etc/.auth_keys/fullchain.pem: file does not exist
```

I have not excluded it in .dockerignore.

How can I do it?

Dockerfile:

```dockerfile
FROM nginx:1.21.3-alpine

RUN rm /etc/nginx/conf.d/default.conf
RUN mkdir /etc/nginx/ssl
COPY nginx.conf /etc/nginx/conf.d
COPY ./etc/.auth_keys/fullchain.pem /etc/nginx/ssl/
COPY ./etc/.auth_keys/privkey.pem /etc/nginx/ssl/

WORKDIR /usr/src/app
```

I have also tried without the dot --> same error

```dockerfile
COPY /etc/.auth_keys/fullchain.pem /etc/nginx/ssl/
COPY /etc/.auth_keys/privkey.pem /etc/nginx/ssl/
```

By placing the folder .auth_keys next to the Dockerfile --> works, but not desirable

```dockerfile
COPY /.auth_keys/fullchain.pem /etc/nginx/ssl/
COPY /.auth_keys/privkey.pem /etc/nginx/ssl/
```

Jaco
  • You can only `COPY` files that are located within your local source tree; you'll need to `cp` the files outside Docker space. [How to include files outside of Docker's build context?](https://stackoverflow.com/questions/27068596/how-to-include-files-outside-of-dockers-build-context) discusses this further, though it's impractical to pass the entire host filesystem as the build context. – David Maze Nov 05 '21 at 11:40
  • For the particular case of private keys, you shouldn't `COPY` them into an image, though, since they can be very easily copied back out. The `docker run -v` option or Compose `volumes:` can [inject arbitrary host content into a container](https://docs.docker.com/storage/bind-mounts/) and isn't subject to `COPY`'s path restrictions. – David Maze Nov 05 '21 at 11:42
  • Thanks, very useful and concise answer. May I please ask what a common solution is to safely handle those keys in a production environment (by a separate script?) – Jaco Nov 05 '21 at 11:43

2 Answers

12

The Docker context is the directory the Dockerfile is located in. If you want to build an image, that is one of the restrictions you have to face.

In this documentation you can see how contexts can be switched, but to keep it simple just consider the same directory to be the context. Note: this also doesn't work with symbolic links.

So your observation was correct and you need to place the files you need to copy in the same directory.

Alternatively, if you don't need to copy them but still have them available at runtime you could opt for a mount. I can imagine this not working in your case because you likely need the files at startup of the container.

JustLudo
  • Bind-mounted files will be available at container startup (when the `ENTRYPOINT`/`CMD` runs) but not before (during `RUN` steps). For keys used to sign and encrypt TLS network traffic this is probably fine. – David Maze Nov 05 '21 at 12:25

2

@JustLudo's answer is correct, in this case. However, for those who have the correct files in the build directory and are still seeing this issue: remove any trailing comments.

Coming from a C and JavaScript background, one may be forgiven for assuming that trailing comments are ignored (e.g. `COPY my_file /etc/important/ # very important!`), but they are not! The error message won't point this out, as of my version of Docker (20.10.11).

For example, the above erroneous line will give an error:

```
COPY failed: file not found in build context or excluded by .dockerignore: stat etc/important/: file does not exist
```

... i.e. no mention that it is the trailing `# important!` that is tripping things up.

Hope this helps someone, if needed.

goldfishalpha
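
A small lint pass over the three failure modes raised in this thread (host-style paths in `COPY`, private keys baked into the image, trailing comments), added here as an example and not code from any of the posters. The function name, finding codes and key-name regex are assumptions, and only shell-form `COPY` lines are handled.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: lines from the question's Dockerfile plus the
# trailing-comment line quoted in the second answer.
SAMPLE = """\
FROM nginx:1.21.3-alpine
RUN rm /etc/nginx/conf.d/default.conf
COPY nginx.conf /etc/nginx/conf.d
COPY /etc/.auth_keys/fullchain.pem /etc/nginx/ssl/
COPY ./etc/.auth_keys/privkey.pem /etc/nginx/ssl/
COPY my_file /etc/important/ # very important!
"""

# Assumed naming heuristic for private key material; adjust to your own layout.
KEY_NAME = re.compile(r"privkey|private|id_rsa|\.key$", re.IGNORECASE)


def lint_copy_lines(dockerfile_text):
    """Return (line_number, code, detail) for risky shell-form COPY lines."""
    findings = []
    for lineno, raw in enumerate(dockerfile_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].upper() != "COPY":
            continue
        flags = [t for t in tokens[1:] if t.startswith("--")]
        args = [t for t in tokens[1:] if not t.startswith("--")]
        # '#' starts a comment only at the beginning of a line; here it becomes arguments
        hash_at = next((i for i, t in enumerate(args) if t.startswith("#")), None)
        if hash_at is not None:
            findings.append((lineno, "trailing-comment", " ".join(args[hash_at:])))
            args = args[:hash_at]
        if len(args) < 2 or any(f.startswith("--from=") for f in flags):
            continue  # malformed, or copying from another stage rather than the context
        for src in args[:-1]:
            path = PurePosixPath(src)
            if path.is_absolute():
                # A leading '/' is resolved against the context root, not the host
                findings.append((lineno, "absolute-source", src))
            if ".." in path.parts:
                findings.append((lineno, "outside-context", src))
            if KEY_NAME.search(path.name):
                findings.append((lineno, "private-key-in-image", src))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in lint_copy_lines(SAMPLE):
        print(f"line {lineno}: {code}: {detail}")
```

A `private-key-in-image` finding is the case the comments address: keep the key out of the image and supply it at runtime with a bind mount instead.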