Base image rebuild questions #16164

Closed
powersj opened this issue Jan 31, 2024 · 6 comments

@powersj
Contributor

powersj commented Jan 31, 2024

Hi,

With the recent glibc CVEs the question came up as to how our Telegraf images get rebuilt with the new base image. It is my understanding that the official images are re-built periodically, but I was curious as to:

  • When these rebuilds are triggered?
  • How these rebuilds are triggered?
  • Can I as a package maintainer force a rebuild?
  • Short of launching the image, is there a way to see the last time my image was rebuilt? `docker image inspect telegraf` and looking at `Created`?

Thanks!

@whalelines
Contributor

  1. The rebuilds are triggered when a new version of an image's base image is available
  2. These rebuilds are triggered by our build system leveraging bashbrew
  3. Package maintainers cannot force a rebuild; the automated system rebuilds everything as soon as it possibly can
  4. You can find when an image was last updated on Docker Hub, https://hub.docker.com/_/telegraf/tags

@powersj
Contributor Author

powersj commented Feb 1, 2024

Thanks for the clarifications!

> You can find when an image was last updated on Docker Hub, https://hub.docker.com/_/telegraf/tags

Is there a way to tell what changed or caused the push? For example, we pushed v1.29.4 yesterday. How can I tell if it was that update or a base image update?

@smgtkn

smgtkn commented Feb 1, 2024

Hello, thanks for the answer and the question.
To my understanding, there are 3 reasons why builds for official images occur:

  1. Dockerfile update
  2. Base update
  3. Periodic rebuilds

How often are the 'periodic rebuilds' triggered?

@whalelines
Contributor

> Is there a way to tell what changed or caused the push? For example, we pushed v1.29.4 yesterday. How can I tell if it was that update or a base image update?

If a change to the bashbrew file gets merged, you can check for the new tags it introduces. If you are a bit more adventurous, you can look through builds and their logs, https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/telegraf/ .

> To my understanding, there are 3 reasons why builds for official images occur:
>
>   1. Dockerfile update
>   2. Base update
>   3. Periodic rebuilds
>
> How often are the 'periodic rebuilds' triggered?

There are no periodic rebuilds.
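An added example, not part of the thread or of the Official Images tooling: one way to check locally whether a changed tag sits on a different base than before is to compare the `RootFS.Layers` lists that `docker image inspect` prints for the old image, the new image and the base image. The inspect outputs and digests below are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed, trimmed `docker image inspect <image>` outputs. Real output has
# many more fields and real sha256 diff IDs; these digests are placeholders.
BASE_NEW = ('[{"Created": "2024-01-31T22:00:00Z",'
            ' "RootFS": {"Layers": ["sha256:base-b"]}}]')
OLD = ('[{"Created": "2024-01-11T10:00:00Z",'
       ' "RootFS": {"Layers": ["sha256:base-a", "sha256:app-1"]}}]')
NEW = ('[{"Created": "2024-02-01T03:00:00Z",'
       ' "RootFS": {"Layers": ["sha256:base-b", "sha256:app-2"]}}]')
APP_ONLY = ('[{"Created": "2024-02-02T03:00:00Z",'
            ' "RootFS": {"Layers": ["sha256:base-b", "sha256:app-3"]}}]')


def summary(inspect_json):
    """Return (Created, layer diff IDs) from `docker image inspect` output."""
    image = json.loads(inspect_json)[0]  # inspect prints a JSON array
    return image["Created"], image["RootFS"]["Layers"]


def classify_push(old_json, new_json, base_json):
    """Compare an old and a new image against the base the new one is FROM.

    Layers are listed bottom-up, so an image built FROM a base starts with
    exactly that base's layers.
    """
    _, old = summary(old_json)
    _, new = summary(new_json)
    _, base = summary(base_json)
    n = len(base)
    if new[:n] != base:
        return "new image is not built on the given base"
    if old == new:
        return "unchanged"
    if old[:n] != base:
        # The old image sat on different base layers: the base was refreshed.
        return "base image update"
    # Same base layers, different upper layers: the image's own content changed.
    return "image-only update"


if __name__ == "__main__":
    print(summary(OLD)[0], "->", summary(NEW)[0])
    print(classify_push(OLD, NEW, BASE_NEW))
```

A base refresh also changes the layers built on top of it, so "base image update" does not rule out a simultaneous change to the image's own content.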

@tianon
Member

tianon commented Feb 1, 2024

Debian and Ubuntu are both rebuilt periodically though (with an approximate cadence of at least once per month, give or take), which leads to your "base update" case for many images.

Edit: see also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves (which touches on this a little bit):

> We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. #2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also means that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

@powersj
Contributor Author

powersj commented Feb 2, 2024

Thanks for the clarifications!
