Use --pull flag when building images for releases #1293
🚲 PR staged at http://34.27.45.93
|
|
||
log "Pushing: ${image}" | ||
docker push "${image}" | ||
|
||
if [ $svcname != "frontend" ] && [ $svcname != "loadgenerator" ] | ||
then | ||
log "Building: ${image}-native-grpc-probes" | ||
docker build -t "${image}-native-grpc-probes" . --target without-grpc-health-probe-bin | ||
docker build --pull -t "${image}-native-grpc-probes" . --target without-grpc-health-probe-bin | ||
log "Pushing: ${image}-native-grpc-probes" | ||
docker push "${image}-native-grpc-probes" | ||
fi |
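Review bot: The `--pull` added to the `${image}-native-grpc-probes` build re-resolves the base tag on every release, but nothing in this hunk records which base image was actually used, so two releases built from the same Dockerfile can differ with no trace in the build log. Consider logging the base image digest next to the existing `log "Building: ..."` line, or pinning the base by digest in the Dockerfile, so a release can be tied to the base it was built on. Separately, `$svcname` is unquoted in the `[ $svcname != "frontend" ]` tests; writing `"$svcname"` avoids a test error if the value is ever empty or contains whitespace.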
Context:
- This hack/make-docker-images.sh script is run whenever we create a new release of Online Boutique.
- It builds (and pushes) the images at gcr.io/google-samples/microservices-demo.
I'm a little bit confused how that could've happened -- is the implication that the base image tag we're using (
Great question, @bourgeoisor!
LGTM. Ideally this wouldn't be needed, but we can't control external Docker image tags getting overwritten 😅
@bourgeoisor @NimJay in the future, we may want to use hash instead of tag to avoid this kind of issue. No rush on this, but maybe something for the future :)
Background
- emailservice:v0.4.2 still contained the same # of CVEs as emailservice:v0.4.1.
- emailservice:v0.4.2.
- emailservice's base Docker images — which my local machine was caching when I initially built emailservice:v0.4.2.
- --pull flag is explained here. It makes sure the base Docker image is pulled (not from local cache but from the registry) when we docker build.

Change Summary
- --pull flag to ensure that the base Docker image is pulled from the registry (not my local cache) when container images are built.

Testing Procedure
- v0.4.2.
- emailservice on our Google Container Registry, you'll see that v0.4.2 has one less vulnerability than v0.4.1, which means the base image was pulled (not from cache) when I built emailservice on my local machine.
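
Added example (not part of this PR or the project's code): `--pull` refreshes whatever a tag currently points to, while the digest pinning suggested in the review removes the dependence on a mutable tag. The function below lists the `FROM` references in a Dockerfile that are not pinned by digest; the `example.com` image names and the all-zero digest are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: list base images referenced by mutable tag instead of digest.

# Print every FROM reference in Dockerfile "$1" that is not pinned as
# image@sha256:<hex>. Earlier build stages and "scratch" are skipped because
# they are not pulled from a registry. A reference built from an ARG
# (e.g. ${BASE}) is printed as-is, since it cannot be resolved statically.
unpinned_bases() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++      # skip options such as --platform=...
      ref = $i
      key = tolower(ref)
      alias = (toupper($(i + 1)) == "AS") ? tolower($(i + 2)) : ""
      if (ref != "" && key != "scratch" && !(key in stages) && ref !~ /@sha256:[0-9a-f]+$/)
        print ref
      if (alias != "") stages[alias] = 1     # a later "FROM alias" is a local stage
    }
  ' "$1"
}

# Constructed sample Dockerfile: image names and the all-zero digest are placeholders.
sample_dockerfile() {
  cat <<'EOF'
FROM --platform=linux/amd64 example.com/base:1.0 AS base
FROM base AS builder
RUN echo build
FROM example.com/tools:latest AS tools
FROM base AS without-grpc-health-probe-bin
COPY --from=tools /bin/tool /bin/tool
FROM example.com/runtime@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM scratch
EOF
}

# Demo: prints the two tag-based references from the sample.
demo_file=$(mktemp)
sample_dockerfile > "$demo_file"
unpinned_bases "$demo_file"
rm -f "$demo_file"
```

A non-empty result in a release script is a reasonable point to stop the build or to require `--pull` explicitly.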