New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dockerfiles: Upgrade packages on BASE_IMAGE. #2126
Conversation
dba66fa
to
caa80ca
Compare
It will definitely help avoid CVEs in the base image. The only tricky bit I would like to understand is how docker cache in the CI will behave. Essentially everything people experienced here: moby/moby#3313. |
This avoids releasing an image with CVE. Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
caa80ca
to
133e25d
Compare
OK... |
Agreed. I am not sure how much time are we getting out of cache anyways. Probably not a lot! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for handling feedback. Please wait for another review before merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure why it's something we should take care of. Shouldn't it be done by the base image publisher?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure why it's something we should take care of. Shouldn't it be done by the base image publisher?
Indeed, but they do not.
I think they only upgrade the base image when the distro is updated (e.g. passing from 12.1 to 12.2).
So, we can indeed wait for a distro update and wait again for this update to be propagated to the docker image, but that's a lot of waiting where we get a flawed image.
So, let's take the bull by the horns and handle it ourselves: on n'est jamais mieux servi que par soi-même !
Moreover, I think this whole thing is temporary as my final plan is to switch to distroless.
Nonetheless, this will not solve the waiting problem, but at least there will be less packages to care about and we would not have a package manager so need for this ¯\_(ツ)_/¯
.
OK, I will close it as the images were updated and the flawed libraries is no more here: |
I totally agree with this, it'll avoid a lot of pain for us. |
This avoids releasing an image with CVE.