Pin docker image versions to SHA digests in Dockerfile #291

Closed
7 changes: 4 additions & 3 deletions Dockerfile
@@ -1,21 +1,22 @@
#TODO pin all versions to sha digest
#TODO add .dockerignore
FROM node:20.11-slim as nodebuilder
FROM node@sha256:ecc9a2581f8588014a49a523a9ed146d27963f6d988d11bd16bbdcb3598f5f98 as nodebuilder
WORKDIR /opt/app
COPY package-lock.json ./
COPY package.json ./
RUN npm install

FROM ruby:3.2 as rubybuilder
FROM ruby@sha256:ddc5729409d1d3222e74a5edb62d142ebd5fa47e9a98fc2905d66056eec6ae3b as rubybuilder
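Review bot: the `#TODO pin all versions to sha digest` comment at the top of the file is left in place although this change is the one that does it; drop it, or replace it with a note on how the digests get refreshed. On the two new `FROM` lines the tag is removed entirely (`FROM node@sha256:ecc9a258...`, `FROM ruby@sha256:ddc57294...`), so a reader can no longer tell which Node or Ruby release a digest stands for and an update tool has nothing to track. Docker accepts tag and digest together, with the digest deciding what is pulled, so prefer `FROM node:20.11-slim@sha256:ecc9a2581f8588014a49a523a9ed146d27963f6d988d11bd16bbdcb3598f5f98 as nodebuilder` and the same form for `ruby:3.2`.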
Contributor
This SHA is also not correct... how have you been getting the SHA digests?

RUN apt update -y && apt -y install rsync nano
RUN cp /usr/bin/nano /usr/local/bin/

WORKDIR /opt/app
COPY Gemfile Gemfile.lock ./
COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin
RUN rsync -a /usr/local/nodebin /usr/local/bin
RUN bundle install

FROM ruby:3.2-slim
FROM ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0
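Review bot: the digest on `FROM ruby@sha256:04da59d8...` does not match what `docker pull ruby:3.2-slim` reports in this thread (`sha256:c09c3ea8...`), and the same doubt is raised about the `ruby:3.2` digest in the previous stage. `docker inspect --format='{{index .RepoDigests 0}}'` only reports the digest of whatever copy of the image is cached locally, so resolve each digest against the registry instead, from the `Digest:` line of a fresh `docker pull` or from `docker buildx imagetools inspect ruby:3.2-slim`, and re-check the `node:20.11-slim` digest the same way before merging. Separately, the unchanged `RUN apt update -y && apt -y install rsync nano` still installs unpinned packages at build time, so the pinned base image alone does not make this stage reproducible; worth a follow-up.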
Contributor
```text
docker pull ruby:3.2-slim
3.2-slim: Pulling from library/ruby
Digest: sha256:c09c3ea897b403f8fdd43957c3d3777aa2c0b991f4f4194b26cbfd9eb62fca33
Status: Image is up to date for ruby:3.2-slim
docker.io/library/ruby:3.2-slim
```

Contributor
I've checked all the 3.2-slims (3.2.3-slim, 3.2.2-slim, 3.2.1-slim, 3.2.0-slim); none of them is the SHA in the pull request. What is this SHA digest from?

Contributor Author
@tabroughton I used this command: `docker inspect --format='{{index .RepoDigests 0}}' ruby:3.2-slim`. This is the output I have for ruby:3.2-slim: `ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0`.
This is the Stack Overflow link to the command.

Contributor
Tom, I think the SHA Hauwa has used is from a ruby:3.2-slim image that was built on 7 Feb 2024 and updated on 13 Feb 2024. This can happen when, e.g., a package in the underlying OS is updated. You can see from the records in repo-info that the SHA was current for the package on 7 Feb.

WORKDIR /opt/app
COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle
COPY --from=rubybuilder /usr/local/bin /usr/local/bin
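The thread turns on two practical points: a digest-only `FROM` hides which release is pinned, and a digest taken from `docker inspect` describes whatever image is cached locally rather than what the registry currently serves for the tag. The script below is an added example written for this page, not the project's code: a small CI-style check that flags every `FROM` not pinned to a well-formed `sha256:` digest (skipping `scratch` and references to earlier build stages) and rewrites unpinned references to the `name:tag@sha256:...` form so the tag stays readable while the digest decides what is pulled. The Dockerfile text and the digest table it uses are constructed for illustration; in real use the digests would come from the registry, for example the `Digest:` line printed by a fresh `docker pull` or the output of `docker buildx imagetools inspect`, which this script deliberately does not call so that it runs offline.

```python
"""Check and rewrite base-image pins in a Dockerfile.

Added example for this review thread (not the project's own tooling).
The sample Dockerfile and the digest table are constructed; real digests
must be resolved against the registry, never read from a local cache.
"""
import re

# A registry digest is "sha256:" followed by exactly 64 lowercase hex digits.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# FROM [--platform=<p>] <ref> [AS <stage>]; keywords are case-insensitive.
FROM_RE = re.compile(
    r"^(?P<lead>\s*FROM\s+(?:--platform=\S+\s+)?)(?P<ref>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
STAGE_RE = re.compile(r"\bAS\s+(?P<stage>\S+)", re.IGNORECASE)


def split_ref(ref):
    """Split 'name[:tag][@digest]' into (name, tag, digest); missing parts are None.
    A ':' after the last '/' separates the tag; an earlier one is a registry port."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def from_lines(dockerfile):
    """Yield (line_no, regex match) for every FROM instruction."""
    for no, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m:
            yield no, m


def unpinned_images(dockerfile):
    """Return [(line_no, ref)] for FROM references without a well-formed digest.
    'scratch' and references to earlier stages are not registry images; skip them."""
    stages, problems = set(), []
    for no, m in from_lines(dockerfile):
        ref = m.group("ref")
        if ref.lower() != "scratch" and ref not in stages:
            digest = split_ref(ref)[2]
            if digest is None or not DIGEST_RE.match(digest):
                problems.append((no, ref))
        s = STAGE_RE.search(m.group("rest"))
        if s:
            stages.add(s.group("stage"))
    return problems


def pin_dockerfile(dockerfile, digests):
    """Rewrite each unpinned FROM as 'name:tag@sha256:...'. The tag documents the
    release; the digest is what the build pulls. `digests` maps 'name:tag' to a
    registry-resolved digest. KeyError if a reference is unresolved, ValueError on
    a malformed digest (either already in the file or supplied in the table)."""
    todo = dict(unpinned_images(dockerfile))
    out = []
    for no, line in enumerate(dockerfile.splitlines(), start=1):
        if no in todo:
            m = FROM_RE.match(line)
            name, tag, digest = split_ref(m.group("ref"))
            if digest is not None:
                raise ValueError(f"line {no}: malformed digest {digest!r}")
            tag = tag or "latest"
            resolved = digests[f"{name}:{tag}"]  # KeyError: nothing resolved yet
            if not DIGEST_RE.match(resolved):
                raise ValueError(f"{name}:{tag}: bad digest {resolved!r}")
            line = f"{m.group('lead')}{name}:{tag}@{resolved}{m.group('rest')}"
        out.append(line)
    return "\n".join(out) + ("\n" if dockerfile.endswith("\n") else "")


# Constructed Dockerfile modelled on the thread's three-stage build.
SAMPLE_DOCKERFILE = """\
FROM node:20.11-slim AS nodebuilder
WORKDIR /opt/app
RUN npm install

FROM ruby:3.2 as rubybuilder
COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin

FROM ruby:3.2-slim
COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle
"""

# Constructed digests with the right shape; real ones come from the registry.
SAMPLE_DIGESTS = {
    "node:20.11-slim": "sha256:" + "0123456789abcdef" * 4,
    "ruby:3.2": "sha256:" + "fedcba9876543210" * 4,
    "ruby:3.2-slim": "sha256:" + "00112233445566778899aabbccddeeff" * 2,
}

if __name__ == "__main__":
    for no, ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"line {no}: {ref} is not pinned to a digest")
    print(pin_dockerfile(SAMPLE_DOCKERFILE, SAMPLE_DIGESTS))
```

Run as a pre-merge check, `unpinned_images` failing on any hit is the useful part; `pin_dockerfile` is what an update job would apply after resolving each `name:tag` against the registry. A line such as `FROM ruby@sha256:deadbeef` is reported rather than accepted, since a digest that is not 64 hex digits will never match anything the registry serves.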