I have a docker image on docker hub with an app I’d like people to start on their own.
This app needs a config file, potentially > 2MB.
What’s the idiomatic way of allowing people to “mount” this file into the container without having them rebuild the whole container?
I could imagine base64-encoding the content and setting it as an env variable / secret. But I assume there are some size limits?
Is there a more convenient way where you can specify a file in the fly.toml and mount it into the filesystem of the container, just like docker compose?
There are some low limits on the secret size now (4k last time I checked). Mounting files from the host is not possible currently.
Another way you could do this, though a bit cumbersome: use your Docker entrypoint script to fetch the config file from a URL. If you wanted to keep that config file within your Fly setup, it could be stored in:
- the globally available Consul store, though that may also have size limits
We don’t have a great solution for that right now.
There is a limit of about 512KB IIRC, but that’s just the limit of our secrets store, there might be other limits at play.
I believe it’s subject to the same limit, yes.
It might be possible with a multi-stage deploy to avoid rebuilding too much. Or just putting the COPY in the Dockerfile at the very end?
Even if we had a way to mount files at runtime, you’d probably need a deploy to update that.
You could mount a FUSE s3fs from your entrypoint (if the file can live on S3-compatible storage). There are performance considerations here, and it might just be easier to periodically pull from S3 instead.
Another approach - avoiding dependencies on external stores for every change - is to add a volume to instances and store the fetched config there.
Would another option be feasible by exposing Nomad’s template stanza and artifacts combined with interpolated secrets from the environment? For example:
In theory, this approach could also extract the template config file from within the Docker container using whatever magic handles statics today instead of fetching it from a remote source.
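An added example, not code from any poster in this thread or from Fly.io: one way to combine the entrypoint fetch and the volume cache suggested in the replies above, with a SHA-256 check so a tampered or truncated download never replaces the cached config. `CONFIG_URL`, `CONFIG_SHA256`, the `/data` volume mount point and the `config.json` file name are assumptions; the digest is small enough to fit in a secret even when the file is not.

```shell
#!/bin/sh
# Added example. CONFIG_URL, CONFIG_SHA256, /data and config.json are assumed
# names chosen for illustration, not platform settings. Needs sha256sum and curl.
set -eu

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_config CANDIDATE EXPECTED_SHA256 DEST
# Move CANDIDATE to DEST only if its digest matches. On mismatch, delete the
# candidate, leave any previously cached DEST untouched, and return 1.
install_config() {
    candidate=$1 expected=$2 dest=$3
    actual=$(sha256_of "$candidate")
    if [ "$actual" != "$expected" ]; then
        echo "config digest mismatch: got $actual" >&2
        rm -f "$candidate"
        return 1
    fi
    chmod 600 "$candidate"
    mv -f "$candidate" "$dest"   # same directory, so the rename is atomic
}

# refresh_config URL EXPECTED_SHA256 DEST
# Skip the download when the copy cached on the volume already matches.
refresh_config() {
    url=$1 expected=$2 dest=$3
    if [ -f "$dest" ] && [ "$(sha256_of "$dest")" = "$expected" ]; then
        return 0
    fi
    tmp=$(mktemp "$dest.XXXXXX")
    curl --fail --silent --show-error --location --max-time 30 \
         --proto '=https' --proto-redir '=https' \
         --output "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    install_config "$tmp" "$expected" "$dest"
}

# Entrypoint body: runs only when CONFIG_URL is set, then hands over to the app.
if [ -n "${CONFIG_URL:-}" ]; then
    refresh_config "$CONFIG_URL" "$CONFIG_SHA256" /data/config.json
    exec "$@"
fi
```

Because the script runs under `set -e`, a failed download or digest mismatch stops the container before the app starts instead of letting it boot with an unverified config.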