Centos images could change between pulls #5

Closed
RobotCaleb opened this issue Nov 11, 2014 · 5 comments

@RobotCaleb

I posted the following as docker-library/official-images#311, but I suspect that might be the wrong place for it.

(Apologies if this is the wrong spot for this issue)

Docker.com user vsipuli said it well:

Would it be possible to provide tags with minor (and perhaps even patch) versions? Currently it seems impossible to do repeatable builds with the CentOS images, because “centos:centos6” might change the minor version at any time.

@jperrin
Collaborator

jperrin commented Nov 11, 2014

No worries about the wrong place. We actually stopped doing minor point releases, because people largely don't update. People were building containers that came with heartbleed and other vulnerabilities pre-installed by default because they wouldn't update.

The only variance introduced would largely be security and bugfix updates, which people should be doing anyway. If you can provide a convincing argument for minor releases, I'm certainly willing to reconsider. My current stance is that I don't want to enable people to be actively insecure in their containers.

@RobotCaleb
Author

That all makes sense and I agree with all of your points. Let me revisit this when I've run into an issue instead of a hypothetical issue.
How frequently would the centos6 image change? Just with security updates?

@jperrin
Collaborator

jperrin commented Nov 15, 2014

We respin the images monthly, usually around the 2nd-3rd of the month, so that it's a scheduled/regular thing people can know to expect. If there's a security issue that gets a name (heartbleed, shellshock, etc) obviously those are a bit more critical and warrant an update outside the normal schedule.

@djdefi

djdefi commented Nov 18, 2014

We had this break an image build that was using centos:centos6 when it went from 6.5 to 6.6. The application we are running within the image is picky about what version of the OS is running (needs to be set in a config file).

It makes sense to have the :latest and major version tags be up to the latest release for security. Generally these are what are going to be used.

I still think that minor versions should be available.
That is part of the benefit of Docker and immutable infrastructure, to be able to pin to a certain version of the software. We can patch our own images for known vulnerabilities if we are using these versions.

@jperrin
Collaborator

jperrin commented Jan 2, 2015

docker-library/official-images#384 Adds support for minor releases (6.6, 5.11, and 7.0.1406) along with short-name support (centos:6 vs centos:centos6). It should be in the index soon.

@jperrin jperrin closed this as completed Jan 2, 2015
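
The trade-off discussed in this thread can be checked mechanically. The following is an added example, not part of the original thread and not CentOS project code: it audits the `FROM` lines of a Dockerfile and reports whether each base image uses a moving tag, a major tag that follows the monthly respins, or a minor point-release tag. The function names and the sample Dockerfile are constructed for illustration, and the `digest` class covers a pinning form the thread does not mention.

```python
import re

# Tag shapes named in the thread: centos:centos6 and centos:6 (major),
# centos:6.6, centos:5.11 and centos:7.0.1406 (minor point release).
MAJOR = re.compile(r"^(centos)?\d+$")
MINOR = re.compile(r"^\d+(\.\d+)+$")

# What each class means for a build, per the maintainers' comments above.
MEANING = {
    "floating": "moves with every release; build is not repeatable",
    "major": "changes with each monthly respin; gets security updates",
    "minor": "repeatable; applying security updates is up to the builder",
    "digest": "fixed content (assumption: form not mentioned in the thread)",
}

def classify(ref):
    """Classify one image reference by how much it can change between pulls."""
    if "@" in ref:
        return "digest"
    # Look for the tag only after the last '/', so that a registry port
    # such as localhost:5000/centos is not mistaken for a tag.
    name = ref.rsplit("/", 1)[-1]
    tag = name.split(":", 1)[1] if ":" in name else "latest"
    if MINOR.match(tag):
        return "minor"
    if MAJOR.match(tag):
        return "major"
    return "floating"

def audit(dockerfile_text):
    """Return (line_no, image_ref, class) for every FROM instruction."""
    findings = []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "FROM":
            # Skip option flags such as --platform=linux/amd64.
            args = [p for p in parts[1:] if not p.startswith("--")]
            if args:
                findings.append((no, args[0], classify(args[0])))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """FROM centos:centos6
FROM --platform=linux/amd64 centos:6.6 AS build
FROM localhost:5000/centos
FROM centos:7.0.1406
"""

if __name__ == "__main__":
    for no, ref, kind in audit(SAMPLE):
        print(f"line {no}: {ref:28} {kind:9} {MEANING[kind]}")
```
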