docker-library/tomcat

Rebuilding existing tags for base image upgrades

veselov opened this issue · 3 comments

Suppose that an image for a tomcat version is published, let's say 9.0.50, let's say on 2021-09-01.
Suppose that later the base image was modified, to address a vulnerability, say on 2021-10-01.
There won't be any way to get a 9.0.50 tomcat on the updated image, right?

This is sort of OK if there is a newer tomcat image for the same major version, but if there isn't, it seems that there isn't a good way out of this, except for maybe updating the packages inside the O/S when building your own image on top of the Tomcat image.

We've run into this situation, and I'm generally wondering what the right approach for this is.
Is it possible that all existing images are made to be rebuilt regularly, or when detecting the base image changes?
Though I can imagine this will mean a lot of rebuilding...

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

So, yes, we do rebuild the official images when the base images are updated, and the base images (at least Debian and Ubuntu) are updated about every 30 days.

Though I can imagine this will mean a lot of rebuilding...

Yup, the Debian images were updated yesterday and the build queue is very full (https://doi-janky.infosiftr.net/).

OK, so AFAIU then, when rebuild does happen, it only rebuilds the latest minor version of the tomcat image for all tracked versions (based on https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/tomcat/)

I guess it would be extremely taxing to rebuild for all Tomcat versions ever built.

So for downstream, folks really should be using major version tags.

This can be problematic for cases when applications pulled into the containers later have a specific requirement for the Tomcat version, as it may not be known in advance. But all of these are really problems that the downstream has to solve :)
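The two downstream options discussed in this thread (track a rolling major-version tag so you inherit the maintainers' rebuilds, or pin an exact Tomcat version and upgrade the OS packages yourself) can be combined in one Dockerfile. The example below is added here as an illustration and is not part of the issue or of docker-library/tomcat; it assumes a Debian-based tag named tomcat:9.0.50-jdk11, a WAR called myapp.war in the build context, and network access to the Debian mirrors at build time. The point it adds to the thread is the cache caveat from the maintainers' reply: a `RUN apt-get upgrade` line in your own Dockerfile is itself cached, so a downstream rebuild would silently reuse the old layer unless something forces a cache miss.

```dockerfile
# Added example (not from the issue thread): a downstream image that pins an
# exact Tomcat release but still refreshes the Debian packages on every build.
# Assumed tag; pick the exact Debian-based tag your application requires.
FROM tomcat:9.0.50-jdk11

# Docker reuses a cached layer when the RUN instruction and everything before
# it are unchanged, so "apt-get upgrade" would run once and then never again.
# Every RUN after an ARG sees that ARG as an environment variable, so passing
# a new value with --build-arg invalidates the cache for the upgrade step.
ARG REBUILD_DATE=unset
RUN echo "os package refresh requested on ${REBUILD_DATE}" \
 && apt-get update \
 && apt-get -y --no-install-recommends upgrade \
 && rm -rf /var/lib/apt/lists/*

# Tomcat itself stays at 9.0.50: this refreshes the OS layer only, it does not
# address vulnerabilities in Tomcat, which still need a newer Tomcat tag.
COPY myapp.war /usr/local/tomcat/webapps/

# Build with a fresh value each time the base image is known to have changed:
#   docker build --pull --build-arg REBUILD_DATE=$(date -u +%F) -t myapp:9.0.50 .
# --pull matters most when FROM uses a rolling tag such as tomcat:9-jdk11,
# otherwise the daemon keeps building on the locally cached, older base.
```

If the exact Tomcat version does not have to be pinned, the simpler route from the thread applies: use the major-version tag in FROM, rebuild with `--pull`, and let the official-image rebuilds carry the base-image fixes; the `ARG`/`apt-get upgrade` step is then only needed if you must ship before the next upstream rebuild.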