
Replace Alpine with Wolfi as primary server container image, consolidating Alpine agent images #12500

Merged
merged 1 commit into from Feb 4, 2024

Conversation

chadlwilson
Member

@chadlwilson chadlwilson commented Feb 4, 2024

This PR does a few things.

  • Replaces the primary gocd-server base image with Wolfi from Chainguard: https://edu.chainguard.dev/open-source/wolfi/overview/ - a minimal highly secure "undistro" with rapid patching of packages and a small footprint.
    • Alpine's use of musl libc along with our use of the Tanuki Service Wrapper prevents creation of arm64 images as noted in Provide arm64/aarch64 Alpine agent container image variants #11355 which is not great for our default server container image. I'd like for the default to be a lot smaller than Centos 9 (unofficial alternate image) and work on arm64/aarch64 by default.
    • Currently we are installing glibc on Alpine to make the JVM work with Tanuki, which is not recommended, potentially unstable, and considered a bad idea by the Alpine community, potentially opening security holes and confused library loading for other native software running in the container.
  • Introduces a rolling/continuous wolfi agent image gocd-agent-wolfi as the preferred "minimal/secure" image, available for both arm64 and x64
  • Changes Alpine agent images to a single rolling release gocd-agent-alpine rather than every Alpine release.
    • Alpine releases every 6 months with support for 2 years, which means constant churn maintaining these images/repos since they don't use tags within a repo and having to support and test 4 different variants at once. That's not worth the effort given at the moment I am basically sole maintainer.
    • Alpine has very good backward compatibility, and very rarely is there a compatibility problem with new versions that prevents rolling forward.
    • Alpine often doesn't port new versions of APKs to old releases, meaning you really need to stay current to get new versions of tools
    • The GoCD agent images are really just a bootstrapper; so folks can usually keep using an older version agent image with a newer server if they need to for a while, if they want to stick to an older Alpine version after GoCD has moved forward.
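
A check for the "confused library loading" point made in the description, as a constructed example added here (not code from GoCD or from this PR): given an exported container root filesystem, it reports whether the image carries a musl loader, a glibc loader, both, or neither. The loader locations are the conventional ones for musl (`/lib/ld-musl-<arch>.so.1`) and glibc (`ld-linux-*.so.*` under `/lib` or `/lib64`); the `/usr/glibc-compat` prefix is an assumption about where an add-on glibc lands on Alpine, and the three sample trees are constructed for the demo.

```shell
#!/bin/sh
# Report which C library loader(s) an exported container rootfs carries.
# Added illustration: loader paths are the conventional ones (assumption),
# and /usr/glibc-compat is assumed to be the prefix of an add-on glibc on Alpine.
classify_libc() {
  root="${1:-/}"
  has_musl=0
  has_glibc=0
  # musl ships its dynamic loader as /lib/ld-musl-<arch>.so.1
  for f in "$root"/lib/ld-musl-*.so.1; do
    if [ -e "$f" ]; then has_musl=1; fi
  done
  # glibc ships ld-linux-*.so.* under /lib, /lib64, or an add-on prefix
  for f in "$root"/lib/ld-linux-*.so.* \
           "$root"/lib64/ld-linux-*.so.* \
           "$root"/usr/glibc-compat/lib/ld-linux-*.so.*; do
    if [ -e "$f" ]; then has_glibc=1; fi
  done
  case "${has_musl}${has_glibc}" in
    10) echo musl ;;
    01) echo glibc ;;
    11) echo mixed ;;   # both loaders present: the Alpine+glibc layout this PR moves away from
    *)  echo none ;;
  esac
}

# Demo: build three constructed sample trees and classify each one.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/alpine/lib" \
         "$demo_dir/wolfi/lib64" \
         "$demo_dir/alpine-glibc/lib" \
         "$demo_dir/alpine-glibc/usr/glibc-compat/lib"
: > "$demo_dir/alpine/lib/ld-musl-x86_64.so.1"
: > "$demo_dir/wolfi/lib64/ld-linux-x86-64.so.2"
: > "$demo_dir/alpine-glibc/lib/ld-musl-aarch64.so.1"
: > "$demo_dir/alpine-glibc/usr/glibc-compat/lib/ld-linux-aarch64.so.1"
for img in alpine wolfi alpine-glibc; do
  printf '%s: %s\n' "$img" "$(classify_libc "$demo_dir/$img")"
done
rm -rf "$demo_dir"
```

To run it against a real image, export its filesystem first (for example `docker create` the image, then `docker export <container-id> | tar -x -C <dir>`) and call `classify_libc <dir>`; a `mixed` result is the configuration the description warns about.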

- Build only a single continuously updating Alpine agent image variant
- nitpick: docker image > container image
@chadlwilson chadlwilson changed the title Replace Alpine with Wolfi as primary server container image base Replace Alpine with Wolfi as primary server container image Feb 4, 2024
@chadlwilson chadlwilson marked this pull request as ready for review February 4, 2024 15:16
@chadlwilson chadlwilson changed the title Replace Alpine with Wolfi as primary server container image Replace Alpine with Wolfi as primary server container image, consolidating Alpine agent images Feb 4, 2024
@chadlwilson chadlwilson merged commit 846b80d into gocd:master Feb 4, 2024
6 checks passed
@chadlwilson chadlwilson deleted the wolfi branch February 4, 2024 15:21