While building a Docker image recently, I needed to download a file using curl. My first instinct was to install curl in the container, make the request, and move on. But then I discovered Docker has a built-in way to handle this, and it's cleaner.
The Old Way: Installing curl
Here's what I was doing initially:
FROM alpine:latest
WORKDIR /app
RUN apk add --no-cache curl
RUN curl -sS https://example.com/somefile.txt -o /app/somefile.txt
EXPOSE 8080
This works, but it adds unnecessary bloat. You're installing curl just to download a file, increasing your image size and adding an extra dependency you don't really need at runtime.
The Better Way: Using Docker's ADD Instruction
Docker's ADD instruction can fetch remote files directly without requiring curl or wget:
FROM alpine:latest
WORKDIR /app
ADD https://example.com/anotherfile.json /app/anotherfile.json
EXPOSE 8080
Much simpler. No extra packages, fewer layers, and the intent is clearer. ADD pulls the file at build time and places it exactly where you need it.
Why This Matters
Smaller Image Size
Every package you install adds megabytes to your final image. Skipping curl keeps things lean, especially important when you're optimizing for production or working with constrained environments.
Fewer Dependencies
Less tooling means fewer potential security vulnerabilities and a simpler dependency tree. Your container only contains what it actually needs.
Cleaner Dockerfiles
Using built-in instructions makes your Dockerfile more readable and idiomatic. Other developers (or future you) will immediately understand what's happening.
When to Use Each Approach
Use ADD when:
- You're downloading a single file from a URL
- The file doesn't require authentication
- You want to keep your image minimal
Stick with curl or wget when:
- You need more control over the download (headers, authentication, retries)
- You're fetching multiple files in a complex workflow
- You need to process or validate the downloaded content before using it
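The last point, validating the download, does not have to mean giving up ADD: the BuildKit Dockerfile frontend (1.6 and later) accepts a `--checksum` flag on ADD for remote URLs. The Dockerfile below is an added example, not code from the original post, showing a pinned-digest ADD next to a curl-and-verify stage that keeps curl out of the final image. The digest in it is a constructed placeholder (the SHA-256 of empty input) and must be replaced with the digest of the real file.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. The digest e3b0c442...b855 is a constructed placeholder
# (SHA-256 of empty input); replace it with the expected digest of your file.

# Variant 1: ADD with a pinned digest (needs BuildKit, Dockerfile frontend >= 1.6).
# The build fails if the fetched bytes do not hash to this value.
FROM alpine:latest AS add-pinned
WORKDIR /app
ADD --checksum=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
    https://example.com/anotherfile.json /app/anotherfile.json
EXPOSE 8080

# Variant 2: download and verify in a throwaway stage.
# curl is installed here only and never reaches the final image.
FROM alpine:latest AS fetch
ARG FILE_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
RUN apk add --no-cache curl
# -f makes curl fail on HTTP errors instead of saving the error page;
# sha256sum -c exits non-zero on a mismatch, which aborts the build.
RUN curl -fsSL https://example.com/somefile.txt -o /tmp/somefile.txt \
 && echo "${FILE_SHA256}  /tmp/somefile.txt" | sha256sum -c -

# Final image: only the verified file is copied in.
FROM alpine:latest
WORKDIR /app
COPY --from=fetch /tmp/somefile.txt /app/somefile.txt
EXPOSE 8080
```

A plain `docker build .` builds the final stage (variant 2); `docker build --target add-pinned .` builds variant 1.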
Have you used ADD for remote files before, or do you have other Docker tricks worth sharing? Let me know in the comments! 😊
Top comments (6)
Nice tip that ty😊
Glad to help.
I remember being excited by this too once. But with no built-in way to verify the download contents against a well-known SHA, i.e. file integrity checking, this was a non-starter for my company.
That's true. By the way, I've already mentioned: ADD is a good choice when we know what we are downloading, from which source we are downloading, and exactly how we are going to use the downloaded content.
That's the problem though - implicitly trusting the download source is a very Bad Idea. If that source were to be compromised, and you read about this all the time, you could be fetching and installing something nefarious with no way of knowing. The only way to guarantee that you're getting what you're expecting is by calculating the checksum of the downloaded file and comparing it to the expected SHA. Because then if they don't match, your build would simply fail, but at least you wouldn't have fallen prey and launched malware.
This doesn't matter for trivial/play apps obviously, but it's an important part of any truly mature system.
Absolutely! We should always keep security in mind.