Container

The Container type represents the state of an OCI-compatible container. This Container object is not merely a string referencing an image on a remote registry. It is the actual state of a container, managed by the Dagger Engine, and passed to a Dagger Function's code as if it were just another variable.

Default addresses

It is possible to assign a default address for a Container argument in a Dagger Function. Dagger will automatically use this default address to pull the container image when no value is specified for the argument.

tip

Default addresses are only available for Container arguments. They are commonly used to provide a sensible default base image for build or test operations. When a value is explicitly passed for the argument, it always overrides the default address.

Here's an example:

Go

The default address is set by adding a defaultAddress pragma on the corresponding Dagger Function ctr argument.

package main

import (
	"context"
	"dagger/my-module/internal/dagger"
)

type MyModule struct{}

func (m *MyModule) Version(
	ctx context.Context,
	// +defaultAddress="alpine:latest"
	ctr *dagger.Container,
) (string, error) {
	return ctr.WithExec([]string{"cat", "/etc/alpine-release"}).Stdout(ctx)
}

Python

The default address is set by adding a DefaultAddress annotation on the corresponding Dagger Function ctr argument.

from typing import Annotated

import dagger
from dagger import DefaultAddress, function, object_type


@object_type
class MyModule:
    @function
    async def version(
        self,
        ctr: Annotated[dagger.Container, DefaultAddress("alpine:latest")],
    ) -> str:
        return await ctr.with_exec(["cat", "/etc/alpine-release"]).stdout()

TypeScript

The default address is set by adding an @argument decorator with a defaultAddress parameter on the corresponding Dagger Function ctr argument.

import { Container, object, func, argument } from "@dagger.io/dagger"

@object()
class MyModule {
  @func()
  async version(
    @argument({ defaultAddress: "alpine:latest" })
    ctr: Container,
  ): Promise<string> {
    return ctr.withExec(["cat", "/etc/alpine-release"]).stdout()
  }
}

PHP

The default address is set by adding a #[DefaultAddress] Attribute on the corresponding Dagger Function ctr argument.

<?php

declare(strict_types=1);

namespace DaggerModule;

use Dagger\Attribute\DaggerFunction;
use Dagger\Attribute\DaggerObject;
use Dagger\Attribute\DefaultAddress;
use Dagger\Container;

#[DaggerObject]
class MyModule
{
    #[DaggerFunction]
    public function version(
        #[DefaultAddress('alpine:latest')]
        Container $ctr,
    ): string {
        return $ctr->withExec(['cat', '/etc/alpine-release'])->stdout();
    }
}

The default address can be any valid container image reference, such as:

• alpine:latest - Docker Hub image with tag
• alpine:3.19 - Docker Hub image with specific version
• ghcr.io/owner/image:tag - GitHub Container Registry image
• gcr.io/project/image:tag - Google Container Registry image

Volatile variables

withVolatileVariable sets a non-secret environment variable for future withExec calls without invalidating exec cache when only the variable's value changes.

Typical examples include CI and reporting metadata such as commit SHAs, branch or ref names, and CI run IDs.

warning

withVolatileVariable is an expert-only escape hatch. Use it only when you are certain that changing the variable alone must not invalidate cached withExec results. If that assumption is wrong, Dagger may reuse stale or incorrect cached results.

Unlike withEnvVariable, volatile variables:

• are visible only to future withExec calls
• are not persisted into the container image config
• are not returned by envVariable or envVariables
• are not available to expand: true

Use withEnvVariable for normal container configuration, withSecretVariable for sensitive values, and withVolatileVariable only for exec-time metadata that should not decide cache reuse.

API reference

An OCI-compatible container, also known as a Docker container.

Implements Exportable, Node, Syncer

combinedOutput

The combined buffered standard output and standard error stream of the last executed command

defaultArgs

Return the container's default arguments.

entrypoint

Return the container's OCI entrypoint.

envVariable

Retrieves the value of the specified persistent environment variable.

exists

check if a file or directory exists

exitCode

The exit code of the last executed command

export

Writes the container as an OCI tarball to the destination file path on the host.

exportImage

Exports the container as an image to the host's container image store.

id

A unique identifier for this Container.

imageRef

The unique image reference which can only be retrieved immediately after the 'Container.From' call.

label

Retrieves the value of the specified label.

mounts

Retrieves the list of paths where a directory is mounted.

platform

The platform this container executes and publishes as.

publish

Package the container state as an OCI image, and publish it to a registry

stderr

The buffered standard error stream of the last executed command

stdout

The buffered standard output stream of the last executed command

up

Starts a Service and creates a tunnel that forwards traffic from the caller's network to that service.

user

Retrieves the user to be set for all commands.

workdir

Retrieves the working directory for all commands.

asService

Turn the container into a Service.

asTarball

Package the container state as an OCI image, and return it as a tar archive

directory

Retrieve a directory from the container's root filesystem

dockerHealthcheck

Retrieves this container's configured docker healthcheck.

envVariables

Retrieves the list of persistent environment variables configured on the container.

experimentalWithAllGPUs

EXPERIMENTAL API! Subject to change/removal at any time.

experimentalWithGPU

EXPERIMENTAL API! Subject to change/removal at any time.

exposedPorts

Retrieves the list of exposed ports.

file

Retrieves a file at the given path.

from

Download a container image, and apply it to the container state. All previous state will be lost.

import

Reads the container from an OCI tarball.

labels

Retrieves the list of labels passed to container.

rootfs

Return a snapshot of the container's root filesystem. The snapshot can be modified then written back using withRootfs. Use that method for filesystem modifications.

stat

Return file status

sync

Forces evaluation of the pipeline in the engine.

terminal

Opens an interactive terminal for this container using its configured default terminal command if not overridden by args (or sh as a fallback default).

withAnnotation

Retrieves this container plus the given OCI annotation.

withDefaultArgs

Configures default arguments for future commands. Like CMD in Dockerfile.

withDefaultTerminalCmd

Set the default command to invoke for the container's terminal API.

withDirectory

Return a new container snapshot, with a directory added to its filesystem

withDockerHealthcheck

Retrieves this container with the specificed docker healtcheck command set.

withEntrypoint

Set an OCI-style entrypoint. It will be included in the container's OCI configuration. Note, withExec ignores the entrypoint by default.

withEnvFileVariables

Export environment variables from an env-file to the container.

withEnvVariable

Set a new environment variable in the container.

withError

Raise an error.

withExec

Execute a command in the container, and return a new snapshot of the container state after execution.

withExposedPort

Expose a network port. Like EXPOSE in Dockerfile (but with healthcheck support)

withFile

Return a container snapshot with a file added

withFiles

Retrieves this container plus the contents of the given files copied to the given path.

withLabel

Retrieves this container plus the given label.

withMountedCache

Retrieves this container plus a cache volume mounted at the given path.

withMountedDirectory

Retrieves this container plus a directory mounted at the given path.

withMountedFile

Retrieves this container plus a file mounted at the given path.

withMountedSecret

Retrieves this container plus a secret mounted into a file at the given path.

withMountedTemp

Retrieves this container plus a temporary directory mounted at the given path. Any writes will be ephemeral to a single withExec call; they will not be persisted to subsequent withExecs.

withNewFile

Return a new container snapshot, with a file added to its filesystem with text content

withoutAnnotation

Retrieves this container minus the given OCI annotation.

withoutDefaultArgs

Remove the container's default arguments.

withoutDirectory

Return a new container snapshot, with a directory removed from its filesystem

withoutDockerHealthcheck

Retrieves this container without a configured docker healtcheck command.

withoutEntrypoint

Reset the container's OCI entrypoint.

withoutEnvVariable

Retrieves this container minus the given environment variable.

withoutExposedPort

Unexpose a previously exposed port.

withoutFile

Retrieves this container with the file at the given path removed.

withoutFiles

Return a new container spanshot with specified files removed

withoutLabel

Retrieves this container minus the given environment label.

withoutMount

Retrieves this container after unmounting everything at the given path.

withoutRegistryAuth

Retrieves this container without the registry authentication of a given address.

withoutSecretVariable

Retrieves this container minus the given environment variable containing the secret.

withoutUnixSocket

Retrieves this container with a previously added Unix socket removed.

withoutUser

Retrieves this container with an unset command user.

withoutVolatileVariable

Retrieves this container minus the given volatile environment variable.

withoutWorkdir

Unset the container's working directory.

withRegistryAuth

Attach credentials for future publishing to a registry. Use in combination with publish

withRootfs

Change the container's root filesystem. The previous root filesystem will be lost.

withSecretVariable

Set a new environment variable, using a secret value

withServiceBinding

Establish a runtime dependency from a container to a network service.

withSymlink

Return a snapshot with a symlink

withUnixSocket

Retrieves this container plus a socket forwarded to the given Unix socket path.

withUser

Retrieves this container with a different command user.

withVolatileVariable

Set a new non-secret environment variable for future execs without invalidating exec cache when only its value changes.

withWorkdir

Change the container's working directory. Like WORKDIR in Dockerfile.

combinedOutput: String!

The combined buffered standard output and standard error stream of the last executed command

Returns an error if no command was executed

defaultArgs: [String!]!

Return the container's default arguments.

entrypoint: [String!]!

Return the container's OCI entrypoint.

envVariable(name: String!): String

Retrieves the value of the specified persistent environment variable.

name: String!

The name of the environment variable to retrieve (e.g., "PATH").

exists(path: String!,expectedType: ExistsType,doNotFollowSymlinks: Boolean = false,expand: Boolean = false): Boolean!

check if a file or directory exists

path: String!

Path to check (e.g., "/file.txt").

expectedType: ExistsType

If specified, also validate the type of file (e.g. "REGULAR_TYPE", "DIRECTORY_TYPE", or "SYMLINK_TYPE").

doNotFollowSymlinks: Boolean = false

If specified, do not follow symlinks.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

exitCode: Int!

The exit code of the last executed command

Returns an error if no command was executed

export(path: String!,platformVariants: [Container!] = [],forcedCompression: ImageLayerCompression,mediaTypes: ImageMediaTypes = OCIMediaTypes,expand: Boolean = false): String!

Writes the container as an OCI tarball to the destination file path on the host.

It can also export platform variants.

path: String!

Host's destination path (e.g., "./tarball").

Path can be relative to the engine's workdir or absolute.

platformVariants: [Container!] = []

Identifiers for other platform specific containers.

Used for multi-platform image.

forcedCompression: ImageLayerCompression

Force each layer of the exported image to use the specified compression algorithm.

If this is unset, then if a layer already has a compressed blob in the engine's cache, that will be used (this can result in a mix of compression algorithms for different layers). If this is unset and a layer has no compressed blob in the engine's cache, then it will be compressed using Gzip.

mediaTypes: ImageMediaTypes = OCIMediaTypes

Use the specified media types for the exported image's layers.

Defaults to OCI, which is largely compatible with most recent container runtimes, but Docker may be needed for older runtimes without OCI support.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

exportImage(name: String!,platformVariants: [Container!] = [],forcedCompression: ImageLayerCompression,mediaTypes: ImageMediaTypes = OCIMediaTypes): Void!

Exports the container as an image to the host's container image store.

name: String!

Name of image to export to in the host's store

platformVariants: [Container!] = []

Identifiers for other platform specific containers.

Used for multi-platform image.

forcedCompression: ImageLayerCompression

Force each layer of the exported image to use the specified compression algorithm.

If this is unset, then if a layer already has a compressed blob in the engine's cache, that will be used (this can result in a mix of compression algorithms for different layers). If this is unset and a layer has no compressed blob in the engine's cache, then it will be compressed using Gzip.

mediaTypes: ImageMediaTypes = OCIMediaTypes

Use the specified media types for the exported image's layers.

Defaults to OCI, which is largely compatible with most recent container runtimes, but Docker may be needed for older runtimes without OCI support.

id: ID!

A unique identifier for this Container.

imageRef: String!

The unique image reference which can only be retrieved immediately after the 'Container.From' call.

label(name: String!): String

Retrieves the value of the specified label.

name: String!

The name of the label (e.g., "org.opencontainers.artifact.created").

mounts: [String!]!

Retrieves the list of paths where a directory is mounted.

platform: Platform!

The platform this container executes and publishes as.

publish(address: String!,platformVariants: [Container!] = [],forcedCompression: ImageLayerCompression,mediaTypes: ImageMediaTypes = OCIMediaTypes,registryService: Service,protocol: RegistryProtocol,insecureSkipTLSVerify: Boolean = false): String!

Package the container state as an OCI image, and publish it to a registry

Returns the fully qualified address of the published image, with digest

address: String!

The OCI address to publish to

Same format as "docker push". Example: "registry.example.com/user/repo:tag"

platformVariants: [Container!] = []

Identifiers for other platform specific containers.

Used for multi-platform image.

forcedCompression: ImageLayerCompression

Force each layer of the published image to use the specified compression algorithm.

If this is unset, then if a layer already has a compressed blob in the engine's cache, that will be used (this can result in a mix of compression algorithms for different layers). If this is unset and a layer has no compressed blob in the engine's cache, then it will be compressed using Gzip.

mediaTypes: ImageMediaTypes = OCIMediaTypes

Use the specified media types for the published image's layers.

Defaults to "OCI", which is compatible with most recent registries, but "Docker" may be needed for older registries without OCI support.

registryService: Service

Service to use as the registry endpoint for the image address.

The service will be started only for this push.

protocol: RegistryProtocol

Protocol to use for registry communication.

Defaults to "HTTPS". Use "HTTP" only for plain HTTP registries.

insecureSkipTLSVerify: Boolean = false

Allow HTTPS registry communication without verifying the server certificate.

stderr: String!

The buffered standard error stream of the last executed command

Returns an error if no command was executed

stdout: String!

The buffered standard output stream of the last executed command

Returns an error if no command was executed

up(random: Boolean = false,ports: [PortForward!] = [],args: [String!] = [],useEntrypoint: Boolean = false,experimentalPrivilegedNesting: Boolean = false,insecureRootCapabilities: Boolean = false,expand: Boolean = false,noInit: Boolean = false): Void

Starts a Service and creates a tunnel that forwards traffic from the caller's network to that service.

Be sure to set any exposed ports before calling this api.

random: Boolean = false

Bind each tunnel port to a random port on the host.

ports: [PortForward!] = []

List of frontend/backend port mappings to forward.

Frontend is the port accepting traffic on the host, backend is the service port.

args: [String!] = []

Command to run instead of the container's default command (e.g., ["go", "run", "main.go"]).

If empty, the container's default command is used.

useEntrypoint: Boolean = false

If the container has an entrypoint, prepend it to the args.

experimentalPrivilegedNesting: Boolean = false

Provides Dagger access to the executed command.

insecureRootCapabilities: Boolean = false

Execute the command with all root capabilities. This is similar to running a command with "sudo" or executing "docker run" with the "--privileged" flag. Containerization does not provide any security guarantees when using this option. It should only be used when absolutely necessary and only with trusted commands.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the args according to the current environment variables defined in the container (e.g. "/$VAR/foo").

noInit: Boolean = false

If set, skip the automatic init process injected into containers by default.

This should only be used if the user requires that their exec process be the pid 1 process in the container. Otherwise it may result in unexpected behavior.

user: String!

Retrieves the user to be set for all commands.

workdir: String!

Retrieves the working directory for all commands.

asService(args: [String!] = [],useEntrypoint: Boolean = false,experimentalPrivilegedNesting: Boolean = false,insecureRootCapabilities: Boolean = false,expand: Boolean = false,noInit: Boolean = false): Service!

Turn the container into a Service.

Be sure to set any exposed ports before this conversion.

args: [String!] = []

Command to run instead of the container's default command (e.g., ["go", "run", "main.go"]).

If empty, the container's default command is used.

useEntrypoint: Boolean = false

If the container has an entrypoint, prepend it to the args.

experimentalPrivilegedNesting: Boolean = false

Provides Dagger access to the executed command.

insecureRootCapabilities: Boolean = false

Execute the command with all root capabilities. This is similar to running a command with "sudo" or executing "docker run" with the "--privileged" flag. Containerization does not provide any security guarantees when using this option. It should only be used when absolutely necessary and only with trusted commands.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the args according to the current environment variables defined in the container (e.g. "/$VAR/foo").

noInit: Boolean = false

If set, skip the automatic init process injected into containers by default.

This should only be used if the user requires that their exec process be the pid 1 process in the container. Otherwise it may result in unexpected behavior.

asTarball(platformVariants: [Container!] = [],forcedCompression: ImageLayerCompression,mediaTypes: ImageMediaTypes = OCIMediaTypes): File!

Package the container state as an OCI image, and return it as a tar archive

platformVariants: [Container!] = []

Identifiers for other platform specific containers.

Used for multi-platform images.

forcedCompression: ImageLayerCompression

Force each layer of the image to use the specified compression algorithm.

If this is unset, then if a layer already has a compressed blob in the engine's cache, that will be used (this can result in a mix of compression algorithms for different layers). If this is unset and a layer has no compressed blob in the engine's cache, then it will be compressed using Gzip.

mediaTypes: ImageMediaTypes = OCIMediaTypes

Use the specified media types for the image's layers.

Defaults to OCI, which is largely compatible with most recent container runtimes, but Docker may be needed for older runtimes without OCI support.

directory(path: String!, expand: Boolean = false): Directory!

Retrieve a directory from the container's root filesystem

Mounts are included.

path: String!

The path of the directory to retrieve (e.g., "./src").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

dockerHealthcheck: HealthcheckConfig

Retrieves this container's configured docker healthcheck.

envVariables: [EnvVariable!]!

Retrieves the list of persistent environment variables configured on the container.

experimentalWithAllGPUs: Container!

EXPERIMENTAL API! Subject to change/removal at any time.

Configures all available GPUs on the host to be accessible to this container.

This currently works for Nvidia devices only.

experimentalWithGPU(devices: [String!]!): Container!

EXPERIMENTAL API! Subject to change/removal at any time.

Configures the provided list of devices to be accessible to this container.

This currently works for Nvidia devices only.

devices: [String!]!

List of devices to be accessible to this container.

exposedPorts: [Port!]!

Retrieves the list of exposed ports.

This includes ports already exposed by the image, even if not explicitly added with dagger.

file(path: String!, expand: Boolean = false): File!

Retrieves a file at the given path.

Mounts are included.

path: String!

The path of the file to retrieve (e.g., "./README.md").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

from(address: String!,registryService: Service,protocol: RegistryProtocol,insecureSkipTLSVerify: Boolean = false): Container!

Download a container image, and apply it to the container state. All previous state will be lost.

address: String!

Address of the container image to download, in standard OCI ref format. Example:"registry.dagger.io/engine:latest"

registryService: Service

Service to use as the registry endpoint for the image address.

The service will be started only for this pull.

protocol: RegistryProtocol

Protocol to use for registry communication.

Defaults to "HTTPS". Use "HTTP" only for plain HTTP registries.

insecureSkipTLSVerify: Boolean = false

Allow HTTPS registry communication without verifying the server certificate.

import(source: File!, tag: String = ""): Container!

Reads the container from an OCI tarball.

source: File!

File to read the container from.

tag: String = ""

Identifies the tag to import from the archive, if the archive bundles multiple tags.

labels: [Label!]!

Retrieves the list of labels passed to container.

rootfs: Directory!

Return a snapshot of the container's root filesystem. The snapshot can be modified then written back using withRootfs. Use that method for filesystem modifications.

stat(path: String!, doNotFollowSymlinks: Boolean = false): Stat

Return file status

path: String!

Path to check (e.g., "/file.txt").

doNotFollowSymlinks: Boolean = false

If specified, do not follow symlinks.

sync: Container!

Forces evaluation of the pipeline in the engine.

It doesn't run the default command if no exec has been set.

terminal(cmd: [String!] = [],experimentalPrivilegedNesting: Boolean = false,insecureRootCapabilities: Boolean = false): Container!

Opens an interactive terminal for this container using its configured default terminal command if not overridden by args (or sh as a fallback default).

cmd: [String!] = []

If set, override the container's default terminal command and invoke these command arguments instead.

experimentalPrivilegedNesting: Boolean = false

Provides Dagger access to the executed command.

insecureRootCapabilities: Boolean = false

Execute the command with all root capabilities. This is similar to running a command with "sudo" or executing "docker run" with the "--privileged" flag. Containerization does not provide any security guarantees when using this option. It should only be used when absolutely necessary and only with trusted commands.

withAnnotation(name: String!, value: String!): Container!

Retrieves this container plus the given OCI annotation.

name: String!

The name of the annotation.

value: String!

The value of the annotation.

withDefaultArgs(args: [String!]!): Container!

Configures default arguments for future commands. Like CMD in Dockerfile.

args: [String!]!

Arguments to prepend to future executions (e.g., ["-v", "--no-cache"]).

withDefaultTerminalCmd(args: [String!]!,experimentalPrivilegedNesting: Boolean = false,insecureRootCapabilities: Boolean = false): Container!

Set the default command to invoke for the container's terminal API.

args: [String!]!

The args of the command.

experimentalPrivilegedNesting: Boolean = false

Provides Dagger access to the executed command.

insecureRootCapabilities: Boolean = false

Execute the command with all root capabilities. This is similar to running a command with "sudo" or executing "docker run" with the "--privileged" flag. Containerization does not provide any security guarantees when using this option. It should only be used when absolutely necessary and only with trusted commands.

withDirectory(path: String!,source: Directory!,exclude: [String!] = [],include: [String!] = [],gitignore: Boolean = false,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false,permissions: Int): Container!

Return a new container snapshot, with a directory added to its filesystem

path: String!

Location of the written directory (e.g., "/tmp/directory").

source: Directory!

Identifier of the directory to write

exclude: [String!] = []

Patterns to exclude in the written directory (e.g. ["node_modules/**", ".gitignore", ".git/"]).

include: [String!] = []

Patterns to include in the written directory (e.g. ["*.go", "go.mod", "go.sum"]).

gitignore: Boolean = false

Apply .gitignore rules when writing the directory.

owner: String = ""

A user:group to set for the directory and its contents.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

permissions: Int

withDockerHealthcheck(args: [String!]!,shell: Boolean,interval: String,timeout: String,startPeriod: String,startInterval: String,retries: Int): Container!

Retrieves this container with the specificed docker healtcheck command set.

args: [String!]!

Healthcheck command to execute. Example: ["go", "run", "main.go"].

shell: Boolean

When true, command must be a single element, which is run using the container's shell

interval: String

Interval between running healthcheck. Example: "30s"

timeout: String

Healthcheck timeout. Example: "3s"

startPeriod: String

StartPeriod allows for failures during this initial startup period which do not count towards maximum number of retries. Example: "0s"

startInterval: String

StartInterval configures the duration between checks during the startup phase. Example: "5s"

retries: Int

The maximum number of consecutive failures before the container is marked as unhealthy. Example: "3"

withEntrypoint(args: [String!]!, keepDefaultArgs: Boolean = false): Container!

Set an OCI-style entrypoint. It will be included in the container's OCI configuration. Note, withExec ignores the entrypoint by default.

args: [String!]!

Arguments of the entrypoint. Example: ["go", "run"].

keepDefaultArgs: Boolean = false

Don't reset the default arguments when setting the entrypoint. By default it is reset, since entrypoint and default args are often tightly coupled.

withEnvFileVariables(source: EnvFile!): Container!

Export environment variables from an env-file to the container.

source: EnvFile!

Identifier of the envfile

withEnvVariable(name: String!,value: String!,expand: Boolean = false): Container!

Set a new environment variable in the container.

name: String!

Name of the environment variable (e.g., "HOST").

value: String!

Value of the environment variable. (e.g., "localhost").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value according to the current environment variables defined in the container (e.g. "/opt/bin:$PATH").

withError(err: String!): Container!

Raise an error.

err: String!

Message of the error to raise. If empty, the error will be ignored.

withExec(args: [String!]!,useEntrypoint: Boolean = false,stdin: String = "",redirectStdin: String = "",redirectStdout: String = "",redirectStderr: String = "",expect: ReturnType = SUCCESS,experimentalPrivilegedNesting: Boolean = false,insecureRootCapabilities: Boolean = false,expand: Boolean = false,noInit: Boolean = false): Container!

Execute a command in the container, and return a new snapshot of the container state after execution.

args: [String!]!

Command to execute. Must be valid exec() arguments, not a shell command. Example: ["go", "run", "main.go"].

To run a shell command, execute the shell and pass the shell command as argument. Example: ["sh", "-c", "ls -l | grep foo"]

Defaults to the container's default arguments (see "defaultArgs" and "withDefaultArgs").

useEntrypoint: Boolean = false

Apply the OCI entrypoint, if present, by prepending it to the args. Ignored by default.

stdin: String = ""

Content to write to the command's standard input. Example: "Hello world")

redirectStdin: String = ""

Redirect the command's standard input from a file in the container. Example: "./stdin.txt"

redirectStdout: String = ""

Redirect the command's standard output to a file in the container. Example: "./stdout.txt"

redirectStderr: String = ""

Redirect the command's standard error to a file in the container. Example: "./stderr.txt"

expect: ReturnType = SUCCESS

Exit codes this command is allowed to exit with without error

experimentalPrivilegedNesting: Boolean = false

Provides Dagger access to the executed command.

insecureRootCapabilities: Boolean = false

Execute the command with all root capabilities. Like --privileged in Docker

DANGER: this grants the command full access to the host system. Only use when 1) you trust the command being executed and 2) you specifically need this level of access.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the args according to the current environment variables defined in the container (e.g. "/$VAR/foo").

noInit: Boolean = false

Skip the automatic init process injected into containers by default.

Only use this if you specifically need the command to be pid 1 in the container. Otherwise it may result in unexpected behavior. If you're not sure, you don't need this.

withExposedPort(port: Int!,protocol: NetworkProtocol = TCP,description: String,experimentalSkipHealthcheck: Boolean = false): Container!

Expose a network port. Like EXPOSE in Dockerfile (but with healthcheck support)

Exposed ports serve two purposes:

- For health checks and introspection, when running services

- For setting the EXPOSE OCI field when publishing the container

port: Int!

Port number to expose. Example: 8080

protocol: NetworkProtocol = TCP

Network protocol. Example: "tcp"

description: String

Port description. Example: "payment API endpoint"

experimentalSkipHealthcheck: Boolean = false

Skip the health check when run as a service.

withFile(path: String!,source: File!,permissions: Int,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false): Container!

Return a container snapshot with a file added

path: String!

Path of the new file. Example: "/path/to/new-file.txt"

source: File!

File to add

permissions: Int

Permissions of the new file. Example: 0600

owner: String = ""

A user:group to set for the file.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withFiles(path: String!,sources: [File!]!,permissions: Int,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false): Container!

Retrieves this container plus the contents of the given files copied to the given path.

path: String!

Location where copied files should be placed (e.g., "/src").

sources: [File!]!

Identifiers of the files to copy.

permissions: Int

Permission given to the copied files (e.g., 0600).

owner: String = ""

A user:group to set for the files.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withLabel(name: String!, value: String!): Container!

Retrieves this container plus the given label.

name: String!

The name of the label (e.g., "org.opencontainers.artifact.created").

value: String!

The value of the label (e.g., "2023-01-01T00:00:00Z").

withMountedCache(path: String!,cache: CacheVolume!,source: Directory,sharing: CacheSharingMode = SHARED,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false): Container!

Retrieves this container plus a cache volume mounted at the given path.

path: String!

Location of the cache directory (e.g., "/root/.npm").

cache: CacheVolume!

Identifier of the cache volume to mount.

source: Directory

Identifier of the directory to use as the cache volume's root.

sharing: CacheSharingMode = SHARED

Sharing mode of the cache volume.

owner: String = ""

A user:group to set for the mounted cache directory.

Note that this changes the ownership of the specified mount along with the initial filesystem provided by source (if any). It does not have any effect if/when the cache has already been created.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withMountedDirectory(path: String!,source: Directory!,owner: String = "",inheritOwner: Boolean = false,readOnly: Boolean = false,expand: Boolean = false): Container!

Retrieves this container plus a directory mounted at the given path.

path: String!

Location of the mounted directory (e.g., "/mnt/directory").

source: Directory!

Identifier of the mounted directory.

owner: String = ""

A user:group to set for the mounted directory and its contents.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

readOnly: Boolean = false

Mount the directory read-only.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withMountedFile(path: String!,source: File!,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false): Container!

Retrieves this container plus a file mounted at the given path.

path: String!

Location of the mounted file (e.g., "/tmp/file.txt").

source: File!

Identifier of the mounted file.

owner: String = ""

A user or user:group to set for the mounted file.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withMountedSecret(path: String!,source: Secret!,owner: String = "",inheritOwner: Boolean = false,mode: Int = 256,expand: Boolean = false): Container!

Retrieves this container plus a secret mounted into a file at the given path.

path: String!

Location of the secret file (e.g., "/tmp/secret.txt").

source: Secret!

Identifier of the secret to mount.

owner: String = ""

A user:group to set for the mounted secret.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

mode: Int = 256

Permission given to the mounted secret (e.g., 0600).

This option requires an owner to be set to be active.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withMountedTemp(path: String!,size: Int,expand: Boolean = false): Container!

Retrieves this container plus a temporary directory mounted at the given path. Any writes will be ephemeral to a single withExec call; they will not be persisted to subsequent withExecs.

path: String!

Location of the temporary directory (e.g., "/tmp/temp_dir").

size: Int

Size of the temporary directory in bytes.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withNewFile(path: String!,contents: String!,permissions: Int = 420,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false): Container!

Return a new container snapshot, with a file added to its filesystem with text content

path: String!

Path of the new file. May be relative or absolute. Example: "README.md" or "/etc/profile"

contents: String!

Contents of the new file. Example: "Hello world!"

permissions: Int = 420

Permissions of the new file. Example: 0600

owner: String = ""

A user:group to set for the file.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withoutAnnotation(name: String!): Container!

Retrieves this container minus the given OCI annotation.

name: String!

The name of the annotation.

withoutDefaultArgs: Container!

Remove the container's default arguments.

withoutDirectory(path: String!, expand: Boolean = false): Container!

Return a new container snapshot, with a directory removed from its filesystem

path: String!

Location of the directory to remove (e.g., ".github/").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withoutDockerHealthcheck: Container!

Retrieves this container without a configured docker healtcheck command.

withoutEntrypoint(keepDefaultArgs: Boolean = false): Container!

Reset the container's OCI entrypoint.

keepDefaultArgs: Boolean = false

Don't remove the default arguments when unsetting the entrypoint.

withoutEnvVariable(name: String!): Container!

Retrieves this container minus the given environment variable.

name: String!

The name of the environment variable (e.g., "HOST").

withoutExposedPort(port: Int!, protocol: NetworkProtocol = TCP): Container!

Unexpose a previously exposed port.

port: Int!

Port number to unexpose

protocol: NetworkProtocol = TCP

Port protocol to unexpose

withoutFile(path: String!, expand: Boolean = false): Container!

Retrieves this container with the file at the given path removed.

path: String!

Location of the file to remove (e.g., "/file.txt").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withoutFiles(paths: [String!]!, expand: Boolean = false): Container!

Return a new container spanshot with specified files removed

paths: [String!]!

Paths of the files to remove. Example: ["foo.txt, "/root/.ssh/config"

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of paths according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withoutLabel(name: String!): Container!

Retrieves this container minus the given environment label.

name: String!

The name of the label to remove (e.g., "org.opencontainers.artifact.created").

withoutMount(path: String!, expand: Boolean = false): Container!

Retrieves this container after unmounting everything at the given path.

path: String!

Location of the cache directory (e.g., "/root/.npm").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withoutRegistryAuth(address: String!): Container!

Retrieves this container without the registry authentication of a given address.

address: String!

Registry's address to remove the authentication from.

Formatted as [host]/[user]/[repo]:[tag] (e.g. docker.io/dagger/dagger:main).

withoutSecretVariable(name: String!): Container!

Retrieves this container minus the given environment variable containing the secret.

name: String!

The name of the environment variable (e.g., "HOST").

withoutUnixSocket(path: String!, expand: Boolean = false): Container!

Retrieves this container with a previously added Unix socket removed.

path: String!

Location of the socket to remove (e.g., "/tmp/socket").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withoutUser: Container!

Retrieves this container with an unset command user.

Should default to root.

withoutVolatileVariable(name: String!): Container!

Retrieves this container minus the given volatile environment variable.

name: String!

The name of the volatile environment variable (e.g., "CI_RUN_ID").

withoutWorkdir: Container!

Unset the container's working directory.

Should default to "/".

withRegistryAuth(address: String!,username: String!,secret: Secret!): Container!

Attach credentials for future publishing to a registry. Use in combination with publish

address: String!

The image address that needs authentication. Same format as "docker push". Example: "registry.dagger.io/dagger:latest"

username: String!

The username to authenticate with. Example: "alice"

secret: Secret!

The API key, password or token to authenticate to this registry

withRootfs(directory: Directory!): Container!

Change the container's root filesystem. The previous root filesystem will be lost.

directory: Directory!

The new root filesystem.

withSecretVariable(name: String!, secret: Secret!): Container!

Set a new environment variable, using a secret value

name: String!

Name of the secret variable (e.g., "API_SECRET").

secret: Secret!

Identifier of the secret value.

withServiceBinding(alias: String!, service: Service!): Container!

Establish a runtime dependency from a container to a network service.

The service will be started automatically when needed and detached when it is no longer needed, executing the default command if none is set.

The service will be reachable from the container via the provided hostname alias.

The service dependency will also convey to any files or directories produced by the container.

alias: String!

Hostname that will resolve to the target service (only accessible from within this container)

service: Service!

The target service

withSymlink(target: String!,linkName: String!,expand: Boolean = false): Container!

Return a snapshot with a symlink

target: String!

Location of the file or directory to link to (e.g., "/existing/file").

linkName: String!

Location where the symbolic link will be created (e.g., "/new-file-link").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo.txt").

withUnixSocket(path: String!,source: Socket!,owner: String = "",inheritOwner: Boolean = false,expand: Boolean = false): Container!

Retrieves this container plus a socket forwarded to the given Unix socket path.

path: String!

Location of the forwarded Unix socket (e.g., "/tmp/socket").

source: Socket!

Identifier of the socket to forward.

owner: String = ""

A user:group to set for the mounted socket.

The user and group can either be an ID (1000:1000) or a name (foo:bar).

If the group is omitted, it defaults to the same as the user.

inheritOwner: Boolean = false

Set the owner to the container's current user.

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

withUser(name: String!): Container!

Retrieves this container with a different command user.

name: String!

The user to set (e.g., "root").

withVolatileVariable(name: String!, value: String!): Container!

Set a new non-secret environment variable for future execs without invalidating exec cache when only its value changes.

This is an expert-only escape hatch. If a volatile value affects observable exec results, stale cached results may be reused.

name: String!

Name of the volatile variable (e.g., "CI_RUN_ID").

value: String!

Value of the volatile variable.

withWorkdir(path: String!, expand: Boolean = false): Container!

Change the container's working directory. Like WORKDIR in Dockerfile.

path: String!

The path to set as the working directory (e.g., "/app").

expand: Boolean = false

Replace "${VAR}" or "$VAR" in the value of path according to the current environment variables defined in the container (e.g. "/$VAR/foo").

References

Returned by

Address.containerBinding.asContainerDirectory.dockerBuildHost.containerImageModule.runtimeQuery.container

Accepted as an argument by

Container.asTarball (platformVariants)Container.export (platformVariants)Container.exportImage (platformVariants)Container.publish (platformVariants)Directory.terminal (container)Env.withContainerInput (value)