Move to immutable identifiers

[ejholmes]

This is a ways off, but something to keep on radar. Docker 1.6 will support immutable identifiers. See moby/moby#11109

[ejholmes]

It would be nice if we could fast track this. Currently the sentence:

Empire doesn't enforce how you tag your Docker images

Isn't true, because we resolve the tag to the image id, then use that to create the slug. Removing this constraint means you can deploy any image that's in a docker registry, which is pretty awesome.

[ejholmes]

I spiked into this a little on friday. Turns out, the immutable identifiers are not very useful and difficult to actually use. If you pull an image by tag, you have no way of telling what the identifier is after the fact.

I think a better first step would be to just disable the resolving and caching for slugs. If I deploy remind101/acme-inc:latest then the new slug should just be created with the remind101/acme-inc:latest tag. This would work fine for us, since we'll always deploy with a git sha as the tag, which will work as our immutable identifier, and this will allow us to stop tagging images with the image id. The only downside is the extra time to extract the procfile if the image id has already been extracted, but I think that's a worthwhile tradeoff.

[ejholmes]

Gonna close this as a wontfix for now, mainly because @sha256 isn't supported in ECS and this hasn't felt like a real problem.

[ejholmes]

I'm re-opening this, since it's now supported in ECS as of ~May: aws/amazon-ecs-agent#104 (comment)

I think this is pretty important from a security perspective, since digests solve various attack vectors like mitm attacks, or credential exposure of your registry.