Building an Envoy Docker image

The following steps guide you through building your own Envoy binary, and putting that in a clean Ubuntu container.


These instructions run commands in Docker using ci/

By default this will place bazel run files and any artefacts in /tmp/envoy-docker-build.

You can override this by setting the ENVOY_DOCKER_BUILD_DIR env var to a path of your choosing.

Step 1: Build Envoy

Using envoyproxy/envoy-build you will compile Envoy. This image has all software needed to build Envoy. From your Envoy directory:

$ pwd
$ ./ci/ './ci/ release'

That command will take some time to run because it is compiling an Envoy binary and running tests.

If your system has limited resources, or you wish to build without running the tests, you can also build as follows:

$ pwd
$ ./ci/ './ci/ release.server_only'

For more information on building and different build targets, please refer to ci/


These instructions for building Envoy use envoyproxy/envoy-build-ubuntu image. You will need 4-5GB of disk space to accommodate this image.

This script runs as effective root on your host system.

Step 2: Build image with only Envoy binary

In this step we’ll build the Envoy deployment images.


The docker CI target expects a release tarball to have been built previously using one of the steps above.

In order to build Docker inside the Envoy build image we need to set the env var ENVOY_DOCKER_IN_DOCKER

$ pwd
$ ENVOY_DOCKER_IN_DOCKER=1 ./ci/ './ci/ docker'

Now you can use the Envoy image to build the any of the sandboxes by changing the FROM line in a related Dockerfile.

This can be particularly useful if you are interested in modifying Envoy, and testing your changes.