Auto-update docker dependency image SHAs #118

Closed
siggy opened this issue Jan 8, 2018 · 2 comments

siggy commented Jan 8, 2018

Followup from #115.

The Rust proxy and Go Docker images rely on base dependency images with
hard-coded SHAs:

gcr.io/runconduit/go-deps depends on

  • Gopkg.lock
  • Dockerfile-go-deps

gcr.io/runconduit/proxy-deps depends on

  • Cargo.lock
  • proxy/Dockerfile-deps

If any of these files change, we should auto-update all relevant Dockerfiles:

# Compute the current dependency image tags from the source tree.
GO_DEPS_SHA=$(sh -c ". bin/_tag.sh && go_deps_sha")
PROXY_DEPS_SHA=$(sh -c ". bin/_tag.sh && proxy_deps_sha")

# Rewrite the pinned tags in every Dockerfile (sed -i '' is the BSD/macOS form; GNU sed takes -i with no argument).
find . -type f -name 'Dockerfile*' -exec sed -i '' -e 's/gcr\.io\/runconduit\/go-deps:[^ ]*/gcr\.io\/runconduit\/go-deps:'"$GO_DEPS_SHA"'/g' {} \;
find . -type f -name 'Dockerfile*' -exec sed -i '' -e 's/gcr\.io\/runconduit\/proxy-deps:[^ ]*/gcr\.io\/runconduit\/proxy-deps:'"$PROXY_DEPS_SHA"'/g' {} \;

olix0r commented Jan 8, 2018

At that point, is there any advantage to using fixed tags in the dockerfiles? We can accomplish the same thing using a symbolic tag and making the scripts ensure the symbolic tag is up-to-date.


siggy commented Jan 8, 2018

Per offline convo, the requirements:

  • don't allow CI to auto-update files
  • when the SHAs in the Dockerfiles are out of sync with the source tree, consider it a dirty build, and fail CI
  • updating the SHAs is the responsibility of the person who made the dependency changes; make it easy and obvious how to update the SHAs
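
A read-only CI check along the lines of these requirements, as an added example that is not the project's own script. `deps_tag` is a hypothetical stand-in for `go_deps_sha` / `proxy_deps_sha` in `bin/_tag.sh` (whose implementation is not shown on this page), and the sample tree is constructed:

```shell
#!/bin/sh
# Hypothetical stand-in for go_deps_sha / proxy_deps_sha from bin/_tag.sh:
# first 8 hex characters of a SHA-256 over the files the deps image is built from.
deps_tag() {
  cat "$@" | { sha256sum 2>/dev/null || shasum -a 256; } | cut -c1-8
}

# check_pins ROOT IMAGE WANT_TAG
# Read-only: lists every Dockerfile* reference to IMAGE whose tag is not
# WANT_TAG and returns 1 if there is one, so CI fails instead of rewriting files.
check_pins() {
  stale=$(find "$1" -type f -name 'Dockerfile*' -exec awk -v img="$2:" -v want="$3" '
    { for (i = 1; i <= NF; i++) {
        p = index($i, img)
        if (p > 0 && substr($i, p + length(img)) != want)
          printf "%s:%d: %s (want tag %s)\n", FILENAME, FNR, $i, want
      } }' {} +)
  [ -z "$stale" ] && return 0
  printf 'dependency image tags out of sync with source tree:\n%s\n' "$stale" >&2
  return 1
}

# Constructed sample tree: a lock file, the deps Dockerfile, and one consumer
# Dockerfile pinned to the tag that matches them.
make_sample() {
  dir=$(mktemp -d)
  printf 'constructed lock contents v1\n' > "$dir/Gopkg.lock"
  printf 'FROM golang\n' > "$dir/Dockerfile-go-deps"
  mkdir "$dir/web"
  printf 'FROM gcr.io/runconduit/go-deps:%s as golang\n' \
    "$(deps_tag "$dir/Gopkg.lock" "$dir/Dockerfile-go-deps")" > "$dir/web/Dockerfile"
  echo "$dir"
}

tree=$(make_sample)
img=gcr.io/runconduit/go-deps
check_pins "$tree" "$img" "$(deps_tag "$tree/Gopkg.lock" "$tree/Dockerfile-go-deps")" \
  && echo "pins match source tree"
# Change a dependency file without touching the Dockerfile: the check must fail.
printf 'constructed lock contents v2\n' > "$tree/Gopkg.lock"
check_pins "$tree" "$img" "$(deps_tag "$tree/Gopkg.lock" "$tree/Dockerfile-go-deps")" \
  || echo "dirty build: CI should fail here"
rm -rf "$tree"
```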

siggy self-assigned this Jan 9, 2018
siggy added a commit that referenced this issue Jan 9, 2018
Previously if dependencies changed but dep image SHAs were not updated,
the build could succeed, creating docker images with indeterminate
dependencies.

This change checks the dependency image SHAs hard-coded in Dockerfiles
against the current source tree. If the SHAs do not match, the build
fails.

Fixes #118
siggy added the review/ready label Jan 9, 2018
siggy added a commit that referenced this issue Jan 9, 2018
Previously if dependencies changed but dep image SHAs were not updated,
the build could succeed, creating docker images with indeterminate
dependencies.

This change checks the dependency image SHAs hard-coded in Dockerfiles
against the current source tree. If the SHAs do not match, the build
fails.

Fixes #118

Signed-off-by: Andrew Seigner <andrew@sig.gy>
siggy removed the review/ready label Jan 10, 2018
khappucino pushed a commit to Nordstrom/linkerd2 that referenced this issue Mar 5, 2019
github-actions bot locked as resolved and limited conversation to collaborators Jul 18, 2021