mount config file into existing docker image

#1

I have a docker image on docker hub with an app I’d like people to start on their own.
This app needs a config file, potentially > 2MB.
What’s the idiomatic way of allowing people to “mount” this file into the container without having them rebuild the whole container?

I could imagine base64 encode the content and set it as env variable / secret. But I assume there are some size limits?

Is there a more convenient way where you can specify a file in the fly.toml and mount it into the filesystem of the container, just like docker compose?

#2

There are some low limits on the secret size now (4k last time I checked). Mounting files from the host is not possible currently.

Another way you could do this, though a bit cumbersome: use your Docker entrypoint script to fetch the config file from a URL. If you wanted to keep that config file within your Fly setup, it could be stored in:

  • the globally available Consul store, though that may also have size limits
  • Another Fly app that serves static content
#3

We don’t have a great solution for that right now.

There is a limit of about 512KB IIRC, but that’s just the limit of our secrets store, there might be other limits at play.

I believe it’s subject to the same limit, yes.

It might be possible with a multi-stage deploy to avoid rebuilding too much. Or just putting the COPY in the dockerfile at the very end?

Even if we had a way to mount files at runtime, you’d probably need a deploy to update that.

You could mount a fuse s3fs from your entrypoint (if the file can live on S3-compatible storage). There are performances considerations here, and it might just be easier to periodically pull from S3 instead.

#4

Consul limit is also 512K. It can be changed but that could affect stability.

Another approach - avoiding dependencies on external stores for every change - is to add a volume to instances and store the fetched config there.

Would another option be feasible by exposing Nomad’s template stanza and artifacts combined with interpolated secrets from the environment? For example:

[[config_files]]
  source = "https://config.dev/file.conf"
  target = "/etc/file.conf"
  restart_signal = "SIGINT"

Yes this is a feature request :laughing:

In theory, this approach could also extract the template config file from within the Docker container using whatever magic handles statics today instead of fetching it from a remote source.