Base image rebuild questions
powersj opened this issue · comments
Hi,
With the recent glibc CVEs the question came up as to how our Telegraf images get rebuilt with the new base image. It is my understanding that the official images are re-built periodically, but I was curious as to:
- When these rebuilds are triggered?
- How these rebuilds are triggered?
- Can I as a package maintainer force a rebuild?
- Short of launching the image, is there a way to see the last time my image was rebuilt?
`docker image inspect telegraf` and looking at `Created`?
Thanks!
- The rebuilds are triggered when a new version of an image's base image is available
- These rebuilds are triggered by our build system leveraging bashbrew
- Package maintainers cannot force a rebuild; the automated system rebuilds everything as soon as it possibly can
- You can find when an image was last updated on Docker Hub, https://hub.docker.com/_/telegraf/tags
Thanks for the clarifications!
You can find when an image was last updated on Docker Hub, https://hub.docker.com/_/telegraf/tags
Is there a way to tell what changed or caused the push? For example, we pushed v1.29.4 yesterday. How can I tell if it was that update or a base image update?
Hello, thanks for the answer and the question.
To my understanding, there are 3 reasons why builds for official images occur:
1. Dockerfile update
2. Base update
3. Periodic rebuilds
How often are the 'periodic rebuilds' triggered?
Is there a way to tell what changed or caused the push? For example, we pushed v1.29.4 yesterday. How can I tell if it was that update or a base image update?
If a change to the bashbrew file gets merged, you can check for the new tags it introduces. If you are a bit more adventurous, you can look through builds and their logs, https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/telegraf/ .
To my understanding, there are 3 reasons why builds for official images occur:
1. Dockerfile update
2. Base update
3. Periodic rebuilds
How often are the 'periodic rebuilds' triggered?
There are no periodic rebuilds.
Debian and Ubuntu are both rebuilt periodically though (with an approximate cadence of at least once per month, give or take), which leads to your "base update" case for many images.
Edit: see also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves (which touches on this a little bit):
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. #2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is `FROM` them will also be rebuilt (as described in the project `README.md` file).
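The questions above (when was my image last rebuilt, and was the push caused by a base update or by our own release) can be answered locally from `docker image inspect` output: a base image's RootFS layers are the leading layers of every image built FROM it, so a base rebuild changes that prefix. This is an added example, not code from the issue or the docker-library project; the inspect documents and layer digests are constructed stand-ins, and the base tag is an assumption.

```python
from datetime import datetime, timezone


def sample(created, layers):
    """Minimal stand-in for one `docker image inspect` document (constructed)."""
    return [{"Created": created, "RootFS": {"Type": "layers", "Layers": layers}}]


# Constructed samples: the base (assumed debian:bookworm-slim), and two pulls
# of the same telegraf tag taken before and after a base image rebuild.
BASE_NOW = sample("2024-02-07T02:00:00Z", ["sha256:base-b1", "sha256:base-b2"])
TELEGRAF_BEFORE = sample("2024-02-06T10:00:00.5Z",
                         ["sha256:base-a1", "sha256:base-a2",
                          "sha256:telegraf-1", "sha256:telegraf-2"])
TELEGRAF_AFTER = sample("2024-02-08T11:30:00.123456789Z",
                        ["sha256:base-b1", "sha256:base-b2",
                         "sha256:telegraf-1x", "sha256:telegraf-2x"])


def created_at(inspect):
    """Parse `Created` (RFC 3339 with up to nanosecond precision) into a UTC datetime."""
    raw = inspect[0]["Created"].rstrip("Z")
    head, _, frac = raw.partition(".")
    micro = int((frac + "000000")[:6])  # nanoseconds truncated to microseconds
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def layers(inspect):
    return inspect[0]["RootFS"]["Layers"]


def built_on(image, base):
    """True if the base's layers are, in order, the leading layers of the image."""
    b = layers(base)
    return layers(image)[:len(b)] == b


def rebuild_reason(previous, current, base):
    """Classify a new push of the same tag. A base rebuild changes the base
    prefix (the image's own RUN layers usually change too), so that is checked
    first; a changed tail on an unchanged prefix is a Dockerfile/package change."""
    n = len(layers(base))
    prev_l, cur_l = layers(previous), layers(current)
    if prev_l == cur_l:
        return "no change"
    if prev_l[:n] != cur_l[:n]:
        return "base image update"
    return "image content update"


if __name__ == "__main__":
    print("last rebuilt:", created_at(TELEGRAF_AFTER).isoformat())
    print("on current base:", built_on(TELEGRAF_AFTER, BASE_NOW))
    print("reason:", rebuild_reason(TELEGRAF_BEFORE, TELEGRAF_AFTER, BASE_NOW))
```

To run against real images, replace the samples with `json.load` of `docker image inspect <image>` output for your tag and for its base tag.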
Thanks for the clarifications!