Skip to main content

Prerequisites

Before you begin, ensure you have:
  • A Root account with an active subscription (app.root.io)
  • A Root API token (generated from the Root dashboard)
  • Docker with BuildKit support (Docker 23.0+ or DOCKER_BUILDKIT=1)
  • A Dockerfile that installs OS packages via apt-get or apk

Step 1: Generate an API Token

  1. Log in to app.root.io.
  2. Navigate to Settings → API Tokens.
  3. Click Generate Token.
  4. Copy the token value. You will need it to authenticate with pkg.root.io.
Store your API token in a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, or your CI/CD platform’s secrets store). Pass it to Docker builds using BuildKit secrets - never hard-code the token in your Dockerfile or commit it to version control.

Step 2: Configure Your Dockerfile

All examples use Docker BuildKit’s --mount=type=secret to pass the API key securely. The key never appears in any image layer.
Supported Ubuntu releases: focal, jammy, mantic, noble, oracularReplace noble in both the echo and sources.list.d lines with your distro codename.

Step 3: Build Your Image

Pass your API token as a BuildKit secret at build time:
Set the environment variable before building:
The --secret flag requires BuildKit. It ensures your API key is only available inside the RUN step that mounts it and never written to any image layer.

Step 4: Verify Installation

After building, confirm that Root-patched packages were installed:
You should see rootio-curl, rootio-git, etc. for every package that Root has a patched version available.

Step 5: CI/CD Integration


Troubleshooting

401 Unauthorized when running apt-get update Your API token is missing or invalid. Verify the secret is being passed correctly with --secret id=rootio_api_key,env=ROOTIO_API_KEY and that ROOTIO_API_KEY is set in your environment. rootio-<package> not found Root hasn’t patched this package yet. The fallback pattern (apt-cache show / apk search) ensures your build succeeds with the upstream version. You can request the package via the Root UI. GPG key import fails Ensure gnupg and ca-certificates are installed before importing the key. These must be installed from the upstream repository first. --secret flag not recognized BuildKit is not enabled. Prepend DOCKER_BUILDKIT=1 to your build command or set it as an environment variable.

What’s Next