@@ -10624,6 +10624,7 @@ _oc_ex_dockerbuild()

     flags+=("--dockerfile=")

     flags_with_completion+=("--dockerfile")

     flags_completion+=("_filedir")

+    flags+=("--mount=")

     flags+=("--api-version=")

     flags+=("--as=")

     flags+=("--certificate-authority=")

@@ -14957,6 +14957,7 @@ _openshift_cli_ex_dockerbuild()

     flags+=("--dockerfile=")

     flags_with_completion+=("--dockerfile")

     flags_completion+=("_filedir")

+    flags+=("--mount=")

     flags+=("--api-version=")

     flags+=("--as=")

     flags+=("--certificate-authority=")

@@ -10785,6 +10785,7 @@ _oc_ex_dockerbuild()

     flags+=("--dockerfile=")

     flags_with_completion+=("--dockerfile")

     flags_completion+=("_filedir")

+    flags+=("--mount=")

     flags+=("--api-version=")

     flags+=("--as=")

     flags+=("--certificate-authority=")

@@ -15118,6 +15118,7 @@ _openshift_cli_ex_dockerbuild()

     flags+=("--dockerfile=")

     flags_with_completion+=("--dockerfile")

     flags_completion+=("_filedir")

+    flags+=("--mount=")

     flags+=("--api-version=")

     flags+=("--as=")

     flags+=("--certificate-authority=")

@@ -1348,6 +1348,9 @@ Perform a direct Docker build

 ----

   # Build the current directory into a single layer and tag

   oc ex dockerbuild . myimage:latest

+

+  # Mount a client secret into the build at a certain path

+  oc ex dockerbuild . myimage:latest --mount ~/mysecret.pem:/etc/pki/secret/mysecret.pem

 ----

 ====

@@ -17,7 +17,12 @@ Build a Dockerfile into a single layer

 .PP

 Builds the provided directory with a Dockerfile into a single layered image.

-Requires that you have a working connection to a Docker engine.

+Requires that you have a working connection to a Docker engine. You may mount

+secrets or config into the build with the \-\-mount flag \- these files will not

+be included in the final image.

+

+.PP

+Experimental: This command is under active development and may change without notice.

 .SH OPTIONS

@@ -29,6 +34,10 @@ Requires that you have a working connection to a Docker engine.

 \fB\-\-dockerfile\fP=""

     An optional path to a Dockerfile to use.

+.PP

+\fB\-\-mount\fP=[]

+    An optional list of files and directories to mount during the build. Use SRC:DST syntax for each path.

+

 .SH OPTIONS INHERITED FROM PARENT COMMANDS

 .PP

@@ -104,6 +113,9 @@ Requires that you have a working connection to a Docker engine.

   # Build the current directory into a single layer and tag

   oc ex dockerbuild . myimage:latest

+  # Mount a client secret into the build at a certain path

+  oc ex dockerbuild . myimage:latest \-\-mount \~/mysecret.pem:/etc/pki/secret/mysecret.pem

+

 .fi

 .RE

@@ -17,7 +17,12 @@ Build a Dockerfile into a single layer

 .PP

 Builds the provided directory with a Dockerfile into a single layered image.

-Requires that you have a working connection to a Docker engine.

+Requires that you have a working connection to a Docker engine. You may mount

+secrets or config into the build with the \-\-mount flag \- these files will not

+be included in the final image.

+

+.PP

+Experimental: This command is under active development and may change without notice.

 .SH OPTIONS

@@ -29,6 +34,10 @@ Requires that you have a working connection to a Docker engine.

 \fB\-\-dockerfile\fP=""

     An optional path to a Dockerfile to use.

+.PP

+\fB\-\-mount\fP=[]

+    An optional list of files and directories to mount during the build. Use SRC:DST syntax for each path.

+

 .SH OPTIONS INHERITED FROM PARENT COMMANDS

 .PP

@@ -104,6 +113,9 @@ Requires that you have a working connection to a Docker engine.

   # Build the current directory into a single layer and tag

   openshift cli ex dockerbuild . myimage:latest

+  # Mount a client secret into the build at a certain path

+  openshift cli ex dockerbuild . myimage:latest \-\-mount \~/mysecret.pem:/etc/pki/secret/mysecret.pem

+

 .fi

 .RE

@@ -25,10 +25,17 @@ const (

 Build a Dockerfile into a single layer

 Builds the provided directory with a Dockerfile into a single layered image.

-Requires that you have a working connection to a Docker engine.`

+Requires that you have a working connection to a Docker engine. You may mount

+secrets or config into the build with the --mount flag - these files will not

+be included in the final image.

+

+Experimental: This command is under active development and may change without notice.`

 	dockerbuildExample = `  # Build the current directory into a single layer and tag

-  %[1]s ex dockerbuild . myimage:latest`

+  %[1]s ex dockerbuild . myimage:latest

+

+  # Mount a client secret into the build at a certain path

+  %[1]s ex dockerbuild . myimage:latest --mount ~/mysecret.pem:/etc/pki/secret/mysecret.pem`

 )

 type DockerbuildOptions struct {

@@ -37,6 +44,9 @@ type DockerbuildOptions struct {

 	Client *docker.Client

+	MountSpecs []string

+

+	Mounts         []builder.Mount

 	Directory      string

 	Tag            string

 	DockerfilePath string

@@ -68,6 +78,7 @@ func NewCmdDockerbuild(fullName string, f *clientcmd.Factory, out, errOut io.Wri

 		},

 	}

+	cmd.Flags().StringSliceVar(&options.MountSpecs, "mount", options.MountSpecs, "An optional list of files and directories to mount during the build. Use SRC:DST syntax for each path.")

 	cmd.Flags().StringVar(&options.DockerfilePath, "dockerfile", options.DockerfilePath, "An optional path to a Dockerfile to use.")

 	cmd.Flags().BoolVar(&options.AllowPull, "allow-pull", true, "Pull the images that are not present.")

 	cmd.MarkFlagFilename("dockerfile")

@@ -89,6 +100,17 @@ func (o *DockerbuildOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command,

 	if len(o.DockerfilePath) == 0 {

 		o.DockerfilePath = filepath.Join(o.Directory, "Dockerfile")

 	}

+

+	var mounts []builder.Mount

+	for _, s := range o.MountSpecs {

+		segments := strings.Split(s, ":")

+		if len(segments) != 2 {

+			return kcmdutil.UsageError(cmd, "--mount must be of the form SOURCE:DEST")

+		}

+		mounts = append(mounts, builder.Mount{SourcePath: segments[0], DestinationPath: segments[1]})

+	}

+	o.Mounts = mounts

+

 	client, err := docker.NewClientFromEnv()

 	if err != nil {

 		return err

@@ -114,6 +136,7 @@ func (o *DockerbuildOptions) Run() error {

 	e.Out, e.ErrOut = o.Out, o.Err

 	e.AllowPull = o.AllowPull

 	e.Directory = o.Directory

+	e.TransientMounts = o.Mounts

 	e.Tag = o.Tag

 	e.AuthFn = o.Keyring.Lookup

 	e.LogFn = func(format string, args ...interface{}) {

@@ -8,7 +8,9 @@ import (

 	"io"

 	"os"

 	"path"

+	"path/filepath"

 	"runtime"

+	"strconv"

 	"strings"

 	"k8s.io/kubernetes/pkg/credentialprovider"

@@ -22,6 +24,12 @@ import (

 	"github.com/openshift/origin/pkg/util/docker/dockerfile/builder/imageprogress"

 )

+// Mount represents a binding between the current system and the destination client

+type Mount struct {

+	SourcePath      string

+	DestinationPath string

+}

+

 // ClientExecutor can run Docker builds from a Docker client.

 type ClientExecutor struct {

 	// Client is a client to a Docker daemon.

@@ -38,6 +46,11 @@ type ClientExecutor struct {

 	// AllowPull when set will pull images that are not present on

 	// the daemon.

 	AllowPull bool

+	// TransientMounts are a set of mounts from outside the build

+	// to the inside that will not be part of the final image. Any

+	// content created inside the mount's destinationPath will be

+	// omitted from the final image.

+	TransientMounts []Mount

 	Out, ErrOut io.Writer

@@ -125,6 +138,8 @@ func (e *ClientExecutor) Build(r io.Reader, args map[string]string) error {

 	e.LogFn("FROM %s", from)

 	glog.V(4).Infof("step: FROM %s", from)

+	var sharedMount string

+

 	// create a container to execute in, if necessary

 	mustStart := b.RequiresStart(node)

 	if e.Container == nil {

@@ -134,6 +149,23 @@ func (e *ClientExecutor) Build(r io.Reader, args map[string]string) error {

 			},

 		}

 		if mustStart {

+			// Transient mounts only make sense on images that will be running processes

+			if len(e.TransientMounts) > 0 {

+				volumeName, err := randSeq(imageSafeCharacters, 24)

+				if err != nil {

+					return err

+				}

+				v, err := e.Client.CreateVolume(docker.CreateVolumeOptions{Name: volumeName})

+				if err != nil {

+					return err

+				}

+				defer e.cleanupVolume(volumeName)

+				sharedMount = v.Mountpoint

+				opts.HostConfig = &docker.HostConfig{

+					Binds: []string{sharedMount + ":/tmp/__temporarymount"},

+				}

+			}

+

 			// TODO: windows support

 			if len(e.Command) > 0 {

 				opts.Config.Cmd = e.Command

@@ -157,9 +189,40 @@ func (e *ClientExecutor) Build(r io.Reader, args map[string]string) error {

 		defer e.Cleanup()

 	}

+	// copy any source content into the temporary mount path

+	if mustStart && len(e.TransientMounts) > 0 {

+		var copies []Copy

+		for i, mount := range e.TransientMounts {

+			source := mount.SourcePath

+			copies = append(copies, Copy{

+				Src:  source,

+				Dest: []string{path.Join("/tmp/__temporarymount", strconv.Itoa(i))},

+			})

+		}

+		if err := e.Copy(copies...); err != nil {

+			return err

+		}

+	}

+

 	// TODO: lazy start

 	if mustStart && !e.Container.State.Running {

-		if err := e.Client.StartContainer(e.Container.ID, e.HostConfig); err != nil {

+		var hostConfig docker.HostConfig

+		if e.HostConfig != nil {

+			hostConfig = *e.HostConfig

+		}

+

+		// mount individual items temporarily

+		for i, mount := range e.TransientMounts {

+			if len(sharedMount) == 0 {

+				return fmt.Errorf("no mount point available for temporary mounts")

+			}

+			hostConfig.Binds = append(

+				hostConfig.Binds,

+				fmt.Sprintf("%s:%s:%s", path.Join(sharedMount, strconv.Itoa(i)), mount.DestinationPath, "ro"),

+			)

+		}

+

+		if err := e.Client.StartContainer(e.Container.ID, &hostConfig); err != nil {

 			return err

 		}

 		// TODO: is this racy? may have to loop wait in the actual run step

@@ -276,6 +339,11 @@ func randSeq(source string, n int) (string, error) {

 	return string(random), nil

 }

+// cleanupVolume attempts to remove the provided volume

+func (e *ClientExecutor) cleanupVolume(name string) error {

+	return e.Client.RemoveVolume(name)

+}

+

 // CleanupImage attempts to remove the provided image.

 func (e *ClientExecutor) CleanupImage(name string) error {

 	return e.Client.RemoveImage(name)

@@ -448,7 +516,15 @@ func (e *ClientExecutor) Archive(src, dst string, allowDecompression, allowDownl

 			closer = append(closer, func() error { return os.RemoveAll(base) })

 		}

 	} else {

-		base = e.Directory

+		if filepath.IsAbs(src) {

+			base = filepath.Dir(src)

+			src, err = filepath.Rel(base, src)

+			if err != nil {

+				return nil, nil, err

+			}

+		} else {

+			base = e.Directory

+		}

 		infos, err = CalcCopyInfo(src, base, allowDecompression, true)

 	}

 	if err != nil {