Skip to main content
Version: 2.23 (prerelease)

docker_image


The docker_image target describes how to build and tag a Docker image.

Any dependencies, as inferred or explicitly specified, will be included in the Docker build context, after being packaged if applicable.

By default, it will use a Dockerfile from the same directory as the BUILD file this target is defined in. Point at another file with the source field, or use the instructions field to have the Dockerfile contents verbatim directly in the BUILD file.

Dependencies on upstream/base images defined by another docker_image are inferred if referenced by a build argument with a default value of the target address.

Example:

# src/docker/downstream/Dockerfile
ARG BASE=src/docker/upstream:image
FROM $BASE
...

Backend: pants.backend.docker


build_network

str | None
default: None

Sets the networking mode for the run commands during build. Supported standard values are: bridge, host, none, and container:<name|id>. Any other value is taken as a custom network's name to which the container should connect to.

build_platform

Iterable[str] | None
default: None

Set the target platform(s) for the build.

cache_from

list | None
default: None

Use external cache sources when building the image.

This option requires BuildKit to be enabled via the Docker subsystem options.

Example:

docker_image(
name="example-local-cache-backend",
cache_to={
"type": "local",
"dest": "/tmp/docker-cache/primary"
},
cache_from=[
{
"type": "local",
"src": "/tmp/docker-cache/primary"
},
{
"type": "local",
"src": "/tmp/docker-cache/secondary"
}
]
)

Values may use placeholders in curly braces to be interpolated. The placeholders are derived from various sources, such as the Dockerfile instructions and build args.

cache_to

Dict[str, str] | None
default: None

Export image build cache to an external cache destination.

Note that Docker supports multiple cache sources - Pants will pass these as multiple --cache_from arguments to the Docker CLI. Docker will only use the first cache hit (i.e. the image exists) in the build.

This option requires BuildKit to be enabled via the Docker subsystem options.

Example:

docker_image(
name="example-local-cache-backend",
cache_to={
"type": "local",
"dest": "/tmp/docker-cache/example"
},
cache_from=[{
"type": "local",
"src": "/tmp/docker-cache/example"
}]
)

Values may use placeholders in curly braces to be interpolated. The placeholders are derived from various sources, such as the Dockerfile instructions and build args.

context_root

str | None
default: None

Specify which directory to use as the Docker build context root. This affects the file paths to use for the COPY and ADD instructions. For example, whether COPY files/f.txt should look for the file relative to the build root: <build root>/files/f.txt vs relative to the BUILD file: <build root>/path_to_build_file/files/f.txt.

Specify the context_root path as files for relative to build root, or as ./files for relative to the BUILD file.

If context_root is not specified, it defaults to [docker].default_context_root.

dependencies

Iterable[str] | None
default: None

Addresses to other targets that this target depends on, e.g. ['helloworld/subdir:lib', 'helloworld/main.py:lib', '3rdparty:reqs#django'].

This augments any dependencies inferred by Pants, such as by analyzing your imports. Use pants dependencies or pants peek on this target to get the final result.

See https://www.pantsbuild.org/2.23/docs/using-pants/key-concepts/targets-and-build-files for more about how addresses are formed, including for generated targets. You can also run pants list :: to find all addresses in your project, or pants list dir to find all addresses defined in that directory.

If the target is in the same BUILD file, you can leave off the BUILD file path, e.g. :tgt instead of helloworld/subdir:tgt. For generated first-party addresses, use ./ for the file path, e.g. ./main.py:tgt; for all other generated targets, use :tgt#generated_name.

You may exclude dependencies by prefixing with !, e.g. ['!helloworld/subdir:lib', '!./sibling.txt']. Ignores are intended for false positives with dependency inference; otherwise, simply leave off the dependency from the BUILD file.

description

str | None
default: None

A human-readable description of the target.

Use pants list --documented :: to see all targets with descriptions.

extra_build_args

Iterable[str] | None
default: ()

Build arguments (--build-arg) to use when building this image. Entries are either strings in the form ARG_NAME=value to set an explicit value; or just ARG_NAME to copy the value from Pants's own environment.

Use [docker].build_args to set default build args for all images.

extra_build_hosts

Dict[str, str] | None
default: None

Extra hosts entries to be added to a container's /etc/hosts file.

Use [docker].build_hosts to set default host entries for all images.

extra_run_args

Iterable[str] | None
default: ()

Extra arguments to pass into the invocation of docker run. These are in addition to those at the [docker].run_args

image_labels

Dict[str, str] | None
default: None

Provide image metadata.

Label value may use placeholders in curly braces to be interpolated. The placeholders are derived from various sources, such as the Dockerfile instructions and build args.

See Docker labels for more information.

image_tags

Iterable[str] | None
default: ('latest',)

Any tags to apply to the Docker image name (the version is usually applied as a tag).

tag may use placeholders in curly braces to be interpolated. The placeholders are derived from various sources, such as the Dockerfile instructions and build args.

See https://www.pantsbuild.org/2.23/docs/docker/tagging-docker-images.

instructions

Iterable[str] | None
default: None

The Dockerfile content, typically one instruction per list item.

Use the source field instead if you prefer having the Dockerfile in your source tree.

Example:

# example/BUILD
docker_image(
instructions=[
"FROM base/image:1.0",
"RUN echo example",
],
)

output

Dict[str, str] | None
default: FrozenDict({'type': 'docker'})

Sets the export action for the build result.

This option requires BuildKit to be enabled via the Docker subsystem options.

When using pants publish to publish Docker images to a registry, the output type must be 'docker', as publish expects that the built images exist in the local image store.

Values may use placeholders in curly braces to be interpolated. The placeholders are derived from various sources, such as the Dockerfile instructions and build args.

output_path

str | None
default: '${spec_path_normalized}/${target_name_normalized}${file_suffix}'

Where the built asset should be located.

This field supports the following template replacements:

  • ${spec_path_normalized}: The path to the target's directory ("spec path") with forward slashes replaced by dots.

  • ${target_name_normalized}: The target's name with paramaterizations escaped by replacing dots with underscores.

  • ${file_suffix}: For target's which produce single file artifacts, this is the file type suffix to use with a leading dot, and is empty otherwise when not applicable.

If undefined, this will use the path to the BUILD file, followed by the target name. For example, src/python/project:app would be src.python.project/app.ext. This behavior corresponds to the default template: ${spec_path_normalized}/${target_name_normalized}${file_suffix}

When running pants package, this path will be prefixed by --distdir (e.g. dist/).

Warning: setting this value risks naming collisions with other package targets you may have.

pull

bool
default: False

If true, then docker will always attempt to pull a newer version of the image.

NOTE: This option cannot be used on images that build off of "transitive" base images referenced by address (i.e. FROM path/to/your/base/Dockerfile).

registries

Iterable[str] | None
default: ('<all default registries>',)

List of addresses or configured aliases to any Docker registries to use for the built image.

The address is a domain name with optional port for your registry, and any registry aliases are prefixed with @ for addresses in the [docker].registries configuration section.

By default, all configured registries with default = true are used.

Example:

# pants.toml
[docker.registries.my-registry-alias]
address = "myregistrydomain:port"
default = false # optional

# example/BUILD
docker_image(
registries = [
"@my-registry-alias",
"myregistrydomain:port",
],
)

The above example shows two valid registry options: using an alias to a configured registry and the address to a registry verbatim in the BUILD file.

repository

str | None
default: None

The repository name for the Docker image. e.g. "<repository>/<name>".

It uses the [docker].default_repository by default.

Repository may use placeholders in curly braces to be interpolated. The placeholders are derived from various sources, such as the Dockerfile instructions and build args.

Additional placeholders for the repository field are: name, directory, parent_directory, and default_repository.

Registries may also configure the repository value for specific registries.

See the documentation for [docker].default_repository for more information.

restartable

bool
default: False

If true, runs of this target with the run goal may be interrupted and restarted when its input files change.

secrets

Dict[str, str] | None
default: None

Secret files to expose to the build (only if BuildKit enabled).

Secrets may use absolute paths, or paths relative to your build root, or the BUILD file if prefixed with ./. Paths to your home directory will be automatically expanded. The id should be valid as used by the Docker build --secret option. See Docker secrets for more information.

Example:

docker_image(
secrets={
"mysecret": "/var/secrets/some-secret",
"repo-secret": "src/proj/secrets/some-secret",
"home-dir-secret": "~/.config/some-secret",
"target-secret": "./secrets/some-secret",
}
)

skip_hadolint

bool
default: False
backend: pants.backend.docker.lint.hadolint

If true, don't run hadolint on this target's Dockerfile.

skip_push

bool
default: False

If true, do not push this image to registries when running pants publish.

source

str | None
default: 'Dockerfile'

The Dockerfile to use when building the Docker image.

Use the instructions field instead if you prefer not having the Dockerfile in your source tree.

squash

bool
default: False

If true, then docker will squash newly built layers into a single new layer.

Note that this option is only supported on a Docker daemon with experimental features enabled.

ssh

Iterable[str] | None
default: ()

SSH agent socket or keys to expose to the build (only if BuildKit enabled) (format: default|<id>[=<socket>|<key>[,<key>]])

The exposed agent and/or keys can then be used in your Dockerfile by mounting them in your RUN instructions:

RUN --mount=type=ssh ...

See Docker documentation for more information.

tags

Iterable[str] | None
default: None

Arbitrary strings to describe a target.

For example, you may tag some test targets with 'integration_test' so that you could run pants --tag='integration_test' test :: to only run on targets with that tag.

target_stage

str | None
default: None

Specify target build stage, rather than building the entire Dockerfile.

When using multi-stage build, you may name your stages, and can target them when building to only selectively build a certain stage. See also the --docker-build-target-stage option.

Read more about multi-stage Docker builds