
Base docker image for openhorizon/amd64_exchange-api is nondeterministic #652

Open
johnwalicki opened this issue Nov 8, 2022 · 4 comments

Comments

@johnwalicki (Member)

The registry.access.redhat.com/ubi9-minimal:latest will vary over time as :latest changes every few weeks/months. Red Hat releases these ubi images on their schedule. This does not allow us to build and rebuild the Open Horizon exchange container with reliable results. That is especially important if we want to fork a branch for LTS or commercial product reasons.

dockerBaseImage := "registry.access.redhat.com/ubi9-minimal:latest",

I propose we pin the Docker base image registry.access.redhat.com/ubi9-minimal:latest to a specific version. Then, the Open Horizon team can make an overt decision when, and if, the base image is built on a particular version. We can submit a PR to rebase and test on our release schedules.

As of 11/07/2022, the current ubi9-minimal version is 9.0.0-1687

@johnwalicki johnwalicki changed the title Base docker image for build.sbt is nondeterministic Base docker image for openhorizon/amd64_exchange-api is nondeterministic Nov 8, 2022
@naphelps (Member) commented Nov 8, 2022

@johnwalicki I agree that using a specific version tag can be useful for branched releases of the Exchange; I am not sure this is beneficial as the default or for master. The sbt setting in question can be overwritten at any time during build-time. This allows any party's devops team to synchronize and make an overt decision on what base image the Exchange uses for its container, regardless of where the source was pulled/forked from in the repository.

@johnwalicki (Member, Author)

ubi9.1 image is now available.

registry.access.redhat.com/ubi9-minimal:9.1.0-1656

@johnwalicki (Member, Author)

I still think pinning the exchange to specific UBI releases is a good idea so that we can be deterministic about the builds.
It answers the SBOM question definitively.

@bencourliss (Member)

@johnwalicki I would highly suggest not doing this, as it means we do not pull in the latest security fixes during the build process. You can determine the version of the UBI base image used in a given Exchange-API container image by using skopeo inspect and looking at the url label, which should show the actual version.

$ skopeo inspect docker://openhorizon/amd64_exchange-api:testing
{
    "Name": "docker.io/openhorizon/amd64_exchange-api",
    "Digest": "sha256:db0d9e1cfd5b253c0e5e58b1bb445c7bb8003ba2d8dbbeb7dcb65e0d340e54e6",
...
    "Created": "2023-06-15T03:14:46.355993605Z",
    "DockerVersion": "",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2023-05-03T08:55:50",
        "com.redhat.component": "ubi9-minimal-container",
...
        "name": "amd64_exchange-api",
        "release": "2.114.0",
        "summary": "Open Horizon exchange-api image",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9-minimal/images/9.2-484",
        "vendor": "Open Horizon",
        "version": "2.114.0"
    },
    "Architecture": "amd64",
    "Os": "linux",
...
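Added example (not from this thread or the Open Horizon project): a Python check that reads the Red Hat url and build-date labels out of skopeo inspect output, as described in the comment above, and flags an exchange-api image whose UBI base is below a required release or older than a chosen age, which is the kind of record the SBOM question earlier in the thread asks for. The sample JSON is constructed from the output quoted above, and the minimum release and age thresholds are assumed values.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape of the `skopeo inspect` output quoted above,
# trimmed to the fields this check reads.
SAMPLE_INSPECT = json.dumps({
    "Name": "docker.io/openhorizon/amd64_exchange-api",
    "Digest": "sha256:db0d9e1cfd5b253c0e5e58b1bb445c7bb8003ba2d8dbbeb7dcb65e0d340e54e6",
    "Labels": {
        "com.redhat.component": "ubi9-minimal-container",
        "build-date": "2023-05-03T08:55:50",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9-minimal/images/9.2-484",
        "version": "2.114.0",
    },
})

# The Red Hat `url` label ends in <base image name>/images/<UBI release>.
URL_RE = re.compile(r"registry\.access\.redhat\.com/([^/]+)/images/([^/]+)$")

def parse_ubi_version(version):
    """'9.2-484' -> (9, 2, 484); '9.0.0-1687' -> (9, 0, 0, 1687). Orders by major, minor, build."""
    return tuple(int(p) for p in re.split(r"[.-]", version))

def base_image_info(inspect_json):
    """Extract the UBI base name, release and build date from the image labels."""
    data = json.loads(inspect_json)
    labels = data.get("Labels") or {}
    m = URL_RE.search(labels.get("url", ""))
    if not m:
        raise ValueError("no Red Hat base-image url label found")
    return {
        "image_digest": data["Digest"],
        "base_name": m.group(1),
        "base_version": m.group(2),
        "base_build_date": labels["build-date"],
    }

def check_base_image(inspect_json, min_version, max_age_days, now_iso):
    """Return a list of findings; an empty list means the image passes the policy."""
    info = base_image_info(inspect_json)
    findings = []
    if parse_ubi_version(info["base_version"]) < parse_ubi_version(min_version):
        findings.append(f"base {info['base_name']}:{info['base_version']} is below required release {min_version}")
    built = datetime.fromisoformat(info["base_build_date"])
    age_days = (datetime.fromisoformat(now_iso) - built).days
    if age_days > max_age_days:
        findings.append(f"base image built {age_days} days ago; limit is {max_age_days}")
    return findings
```

Replace the constructed sample with the JSON from a real `skopeo inspect docker://openhorizon/amd64_exchange-api:<tag>` run to check a published image.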
