CentOS 7's EOL is June 30, 2024. Its package feeds are still being updated daily; see here. However, our base image for that OS, centos:7, was last updated in 2021 (!).
docker inspect centos:7 | grep Created
"Created": "2021-09-15T18:20:23.99863383Z"
By our current auto-re-building standards, this image is "up-to-date". However, there's no doubt the packages we don't install as part of the Dockerfile above are way out of date. We should come up with a system that lets us use the up-to-date packages in our buildtools-prereqs containers so that the images are more secure.
This could possibly be taken care of by dotnet/dotnet-docker#1455, but that is a more general solution.
Off the top of my head, this could be accomplished by:
1. Architecting the (at-risk) buildtools-prereqs Dockerfiles to have a multi-stage build, where all packages on the base system are updated in a separate layer and used as a base layer. The base image layer can be "squashed" so that the image doesn't contain any unnecessary filesystem duplication (not an explicit Docker feature any more, but see https://stackoverflow.com/a/77052183/13771378 for how this can be done now).
2. Make some adjustments to the auto-builder so that it re-builds images that haven't been built in a given amount of time (a week, say).
With the above two features in place, if there aren't frequent updates to a base image, we'd get automatic rebuilds with updated packages.
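An added example, not code from the issue or from the dotnet-buildtools-prereqs-docker repository: the staleness check behind the second proposal, run over `docker inspect` JSON. The one-week threshold follows the issue's suggestion; the function names, the second sample image and the fixed "now" are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `docker inspect` output; the first Created value is the
# one quoted in the issue, the second image name and timestamp are made up.
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["centos:7"], "Created": "2021-09-15T18:20:23.99863383Z"},
    {"RepoTags": ["example/recent:latest"], "Created": "2024-03-28T06:00:00Z"},
])

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_created(value):
    """Parse Docker's RFC 3339 'Created' field into an aware UTC datetime.

    Docker emits up to nine fractional digits; datetime holds six, so the
    fraction is truncated to microseconds before parsing.
    """
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised Created timestamp: {value!r}")
    base, frac, tz = m.groups()
    micros = (frac or "")[:6].ljust(6, "0")
    offset = "+0000" if tz == "Z" else tz.replace(":", "")
    dt = datetime.strptime(f"{base}.{micros}{offset}", "%Y-%m-%dT%H:%M:%S.%f%z")
    return dt.astimezone(timezone.utc)


def stale_images(inspect_json, now, max_age=timedelta(days=7)):
    """Return (tag, age_in_days) for images older than max_age, oldest first."""
    stale = []
    for image in json.loads(inspect_json):
        age = now - parse_created(image["Created"])
        if age > max_age:
            tag = (image.get("RepoTags") or ["<untagged>"])[0]
            stale.append((tag, age.days))
    return sorted(stale, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    for tag, days in stale_images(SAMPLE_INSPECT, now):
        print(f"{tag}: {days} days old, rebuild")
```

The `Created` field only records when the image was built, so an image that passes this check can still carry outdated packages if its build did not run a package update.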
[Triage] We should make the Dockerfile changes as described above, and then instead of making changes to the auto-rebuilding functionality, just run the centos pipeline on a schedule while CentOS 7 is still in support. Rebuilding too frequently and rebuilding Stream 8 and 9 on a schedule is not a huge concern since these images are used in CI and are usually pulled every time they are run. This also applies to Alma Linux.
The almalinux:8 tag is still supported. See https://hub.docker.com/_/almalinux. It was last updated just a week ago. So I'm not doing anything special for that.
Let's take CentOS 7 for example: https://github.com/dotnet/dotnet-buildtools-prereqs-docker/blob/main/src/centos/7/Dockerfile