mount config file into existing docker image

I have a docker image on docker hub with an app I’d like people to start on their own.
This app needs a config file, potentially > 2MB.
What’s the idiomatic way of allowing people to “mount” this file into the container without having them rebuild the whole container?

I could imagine base64 encode the content and set it as env variable / secret. But I assume there are some size limits?

Is there a more convenient way where you can specify a file in the fly.toml and mount it into the filesystem of the container, just like docker compose?

There are some low limits on the secret size now (4k last time I checked). Mounting files from the host is not possible currently.

Another way you could do this, though a bit cumbersome: use your Docker entrypoint script to fetch the config file from a URL. If you wanted to keep that config file within your Fly setup, it could be stored in:

  • the globally available Consul store, though that may also have size limits
  • Another Fly app that serves static content

We don’t have a great solution for that right now.

There is a limit of about 512KB IIRC, but that’s just the limit of our secrets store, there might be other limits at play.

I believe it’s subject to the same limit, yes.


It might be possible with a multi-stage deploy to avoid rebuilding too much. Or just putting the COPY in the dockerfile at the very end?

Even if we had a way to mount files at runtime, you’d probably need a deploy to update that.

You could mount a fuse s3fs from your entrypoint (if the file can live on S3-compatible storage). There are performances considerations here, and it might just be easier to periodically pull from S3 instead.

Consul limit is also 512K. It can be changed but that could affect stability.

Another approach - avoiding dependencies on external stores for every change - is to add a volume to instances and store the fetched config there.

Would another option be feasible by exposing Nomad’s template stanza and artifacts combined with interpolated secrets from the environment? For example:

[[config_files]]
  source = "https://config.dev/file.conf"
  target = "/etc/file.conf"
  restart_signal = "SIGINT"

Yes this is a feature request :laughing:

In theory, this approach could also extract the template config file from within the Docker container using whatever magic handles statics today instead of fetching it from a remote source.