Revert "Upgrade pre-installed packages in docker images" and Pin docker images by digest #2430
Issue reopened: PDP-1799 Upgrade packages installed by default on docker images
LGTM 🥦

I gather that pinning versions of the packages installed with `apk`, `apt`, etc. and then having Dependabot update those is not possible, otherwise we could do the same and close another hole in reproducibility.
@@ -1,4 +1,4 @@ | |||
FROM golang:1.20.10@sha256:098d628490c97d4419ed44a23d893f37b764f3bea06e0827183e8af4120e19be | |||
FROM public.ecr.aws/docker/library/golang:1.20.10@sha256:098d628490c97d4419ed44a23d893f37b764f3bea06e0827183e8af4120e19be |
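Review bot: This hunk changes the registry as well as keeping the digest pin: `golang:1.20.10@sha256:098d62...` (Docker Hub) becomes `public.ecr.aws/docker/library/golang:1.20.10@sha256:098d62...`, with the digest identical on both lines, which is what you would expect from a mirror serving the same manifest. The PR description only talks about pinning by digest and does not mention moving base images to the ECR Public mirror, so please add a sentence to the description stating that the registry switch is deliberate and why, so that a future reader of `git blame` does not take it for an accidental edit.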
Good catch here
Yeah, the story is a bit murky here. As noted in dependabot/dependabot-core#2129 (comment), if we pinned the versions of apk/apt packages, the build will break after the package is upgraded in the repo, as these repos typically only hold one version of each package. There may be some ways around this with caching docker layers, but that won't work consistently either with the way we currently keep the docker build cache local to each instance the builder agents run on. In theory, dependabot could detect the update and create a PR that builds successfully. But everyone's branches will be broken until they incorporate the changes in the dependabot PR. And dependabot will never create the new PR immediately; there is always going to be some lag between when packages are updated in the repos and dependabot runs. I think this will be a bad development experience.
In #2410 I responded to a report that the system packages in our docker images were out of date by upgrading the system packages at build time. However, this has a notable disadvantage: the version in an image is now determined both by the commit of the build and the time that the build ran. So we have lost some reproducibility. So in this PR, we revert that.

However, we can do a bit better than the situation before. Previously, we only pinned the tags of the base image; for example, we pinned the `ubuntu` image to the tag `22.04`. Dependabot would only update the image when a newer tag emerged, which is very infrequent in the case of `ubuntu`. However, maintainers of the base image regularly push newer images to the tag that we have pinned. This mutates the "digest" of the image, and Dependabot is capable of detecting updates to the digest. So in this PR, we pin all docker base images by digest. Notably, this is MORE reproducible than the original situation, as now two builds at the same commit will always use the same base image.

Reverts #2410
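A CI-style check for the digest-pinning policy described in this PR, added here as an example (it is not code from the PR or the project): it parses `FROM` lines, skips references to earlier build stages and `scratch`, and reports any base image that is pinned only by a tag. The sample Dockerfile is constructed; the `golang` digest in it is the one from this PR's diff.

```python
import re

# A Dockerfile FROM line: optional --platform flag, the image reference,
# and an optional "AS <stage>" alias.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A reference is digest-pinned when it ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text):
    """Return (line_no, ref) for every FROM that is not pinned by digest.

    References to earlier build stages (FROM builder) and to scratch are
    skipped: neither is pulled from a registry, so a mutable tag cannot
    change what the build sees there.
    """
    stages = set()
    findings = []
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if not DIGEST_RE.search(ref):
            findings.append((line_no, ref))
    return findings


# Constructed sample: a tag-only base (mutable tag), a digest-pinned base
# as in this PR, and a stage reference that must not be flagged.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04 AS builder
RUN apt-get update && apt-get install -y build-essential
FROM public.ecr.aws/docker/library/golang:1.20.10@sha256:098d628490c97d4419ed44a23d893f37b764f3bea06e0827183e8af4120e19be AS gobuild
FROM builder
COPY --from=gobuild /out/app /usr/local/bin/app
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_base_images(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {ref} is pinned by tag only; pin it by digest")
```

Run it over each Dockerfile in CI and fail the job when the list is non-empty; Dependabot's `docker` ecosystem will then keep the digests current on its own schedule.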