Container Implementation

Docker

A .dockerignore is mandatory to keep .env files out of the build context, and therefore out of the image (secret leakage).

  1. 🛡️ Secure Build Context

    # .dockerignore
    .env
    .git/
    .venv/
    __pycache__/
  2. ⚙️ Build

    Execute from the repository root, passing the manifest path:

    docker build -t my-img -f containers/pipeline.Dockerfile .
    
  3. 🚀 Execute

    Execute from the repository root, injecting the .env file dynamically:

    docker run --rm --env-file .env my-img
    
Apptainer

Explicit Copying over Ignore Files

Apptainer lacks a native .dockerignore equivalent. To prevent .env files from entering the image, directories must be copied explicitly.

  1. 🛡️ Secure Build Context

    %files
        # Explicitly avoid local .env files
        pyproject.toml /app/
        src /app/src
        config /app/config
        scripts /app/scripts
    
  2. ⚙️ Build

    Execute from the repository root, passing the manifest path:

    apptainer build img.sif containers/pipeline.def
    
  3. 🚀 Execute

    Apptainer supports the --env-file flag (v1.1.0+) for symmetric runtime injection:

    apptainer run --env-file .env img.sif
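The two build-context rules above (Docker's .dockerignore, Apptainer's explicit %files list) are easy to get wrong silently, so here is a pre-build check that shows which files would reach the image. This is an added example, not code from the page or from the project it documents. It constructs a throwaway repository layout in a temporary directory (all file names and contents are made up for the example), applies a simplified .dockerignore matcher written here (same root-relative, segment-wise semantics as Docker, but without `!` negation), and expands the %files section of a definition file the way `apptainer build` would copy it. The page's own .dockerignore and %files entries are used verbatim; `containers/leaky.def` is an invented counter-example.

```python
"""Pre-build leak check for the Docker and Apptainer flows (added example)."""
import fnmatch
import os
import tempfile
from pathlib import Path

# Constructed fixture: the page's .dockerignore and %files section, plus an
# invented "leaky" definition that copies the whole repository into the image.
DOCKERIGNORE = ".env\n.git/\n.venv/\n__pycache__/\n"
SAFE_DEF = (
    "Bootstrap: docker\nFrom: python:3.12-slim\n\n%files\n"
    "    # Explicitly avoid local .env files\n"
    "    pyproject.toml /app/\n    src /app/src\n    config /app/config\n    scripts /app/scripts\n\n"
    "%runscript\n    python /app/src/pipeline/main.py\n"
)
LEAKY_DEF = "Bootstrap: docker\nFrom: python:3.12-slim\n\n%files\n    . /app\n"
FIXTURE_FILES = {  # constructed repository contents; the secret is a dummy value
    ".env": "DB_PASSWORD=not-a-real-secret\n",
    ".git/HEAD": "ref: refs/heads/main\n",
    "pyproject.toml": "[project]\nname = 'pipeline'\n",
    "src/pipeline/main.py": "print('hello')\n",
    "src/pipeline/__pycache__/main.cpython-312.pyc": "",
    "config/app.toml": "debug = false\n",
    "scripts/run.sh": "#!/bin/sh\n",
    "containers/pipeline.def": SAFE_DEF,
    "containers/leaky.def": LEAKY_DEF,
}


def build_fixture(with_dockerignore: bool = True) -> Path:
    """Write the constructed repository into a fresh temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="ctx-"))
    files = dict(FIXTURE_FILES)
    if with_dockerignore:
        files[".dockerignore"] = DOCKERIGNORE
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def _segments_match(path_parts: list[str], pat_parts: list[str]) -> bool:
    """Segment-wise match: '**' spans any number of segments; other wildcards
    never cross a '/', which is Docker's rule (plain fnmatch would let '*' span '/')."""
    if not pat_parts:
        return not path_parts
    head, rest = pat_parts[0], pat_parts[1:]
    if head == "**":
        return any(_segments_match(path_parts[i:], rest) for i in range(len(path_parts) + 1))
    if not path_parts or not fnmatch.fnmatchcase(path_parts[0], head):
        return False
    return _segments_match(path_parts[1:], rest)


def excluded(relpath: str, patterns: list[str]) -> bool:
    """True if relpath, or any directory above it, matches an ignore pattern.
    Simplification of this checker: '!' negation patterns are not supported."""
    parts = relpath.split("/")
    for pat in patterns:
        if pat.startswith("!"):
            raise ValueError("negation patterns are not supported by this checker")
        pat_parts = pat.strip("/").split("/")
        if any(_segments_match(parts[:i], pat_parts) for i in range(1, len(parts) + 1)):
            return True
    return False


def docker_build_context(root: Path) -> set[str]:
    """Relative POSIX paths that `docker build <root>` would send after .dockerignore."""
    patterns = []
    ignore = root / ".dockerignore"
    if ignore.is_file():
        patterns = [l.strip() for l in ignore.read_text().splitlines()
                    if l.strip() and not l.strip().startswith("#")]
    return {p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and not excluded(p.relative_to(root).as_posix(), patterns)}


def apptainer_files_sources(def_path: Path) -> list[str]:
    """Source paths listed in the %files section of a definition file."""
    sources, in_files = [], False
    for raw in def_path.read_text().splitlines():
        line = raw.strip()
        if line.startswith("%"):          # any section header ends/starts %files
            in_files = line.split()[0] == "%files"
            continue
        if in_files and line and not line.startswith("#"):
            sources.append(line.split()[0])  # first token is the host-side source
    return sources


def apptainer_copied(root: Path, def_path: Path) -> set[str]:
    """Files the %files section would copy (directories expanded recursively)."""
    copied = set()
    for src in apptainer_files_sources(def_path):
        p = root / src
        if p.is_dir():
            copied.update(f.relative_to(root).as_posix() for f in p.rglob("*") if f.is_file())
        elif p.is_file():
            copied.add(p.relative_to(root).as_posix())
    return copied


def leaked_secrets(files: set[str]) -> set[str]:
    """Subset of files whose basename is .env or .env.<anything>."""
    return {f for f in files if os.path.basename(f) == ".env"
            or os.path.basename(f).startswith(".env.")}


if __name__ == "__main__":
    root = build_fixture()
    print("docker sends:", sorted(docker_build_context(root)))
    print("apptainer copies:", sorted(apptainer_copied(root, root / "containers/pipeline.def")))
    print("leaky def copies:", sorted(leaked_secrets(apptainer_copied(root, root / "containers/leaky.def"))))
```

Two things the run makes visible: the page's `__pycache__/` pattern only matches a top-level `__pycache__` directory (Docker matches patterns from the context root), so a nested `src/pipeline/__pycache__/` is still sent unless the pattern is written as `**/__pycache__`; and a definition file whose %files copies `.` pulls `.env` into the image, which is exactly why the page insists on listing directories explicitly.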