docker-library / official-images

Primary source of truth for the Docker "Official Images" program

Home Page:https://hub.docker.com/u/library

Base image rebuild questions

powersj opened this issue

Hi,

With the recent glibc CVEs the question came up as to how our Telegraf images get rebuilt with the new base image. It is my understanding that the official images are re-built periodically, but I was curious as to:

  • When these rebuilds are triggered?
  • How these rebuilds are triggered?
  • Can I as a package maintainer force a rebuild?
  • Short of launching the image, is there a way to see the last time my image was rebuilt? docker image inspect telegraf and looking at Created?

Thanks!

  1. The rebuilds are triggered when a new version of an image's base image is available
  2. These rebuilds are triggered by our build system leveraging bashbrew
  3. Package maintainers cannot force a rebuild; the automated system rebuilds everything as soon as it possibly can
  4. You can find when an image was last updated on Docker Hub, https://hub.docker.com/_/telegraf/tags

Thanks for the clarifications!

You can find when an image was last updated on Docker Hub, https://hub.docker.com/_/telegraf/tags

Is there a way to tell what changed or caused the push? For example, we pushed v1.29.4 yesterday. How can I tell if it was that update or a base image update?

Hello, thanks for the answer and the question.
To my understanding, there are 3 reasons why builds for official images occur:

  1. Dockerfile update
  2. Base update
  3. Periodic rebuilds

How often are the 'periodic rebuilds' triggered?

Is there a way to tell what changed or caused the push? For example, we pushed v1.29.4 yesterday. How can I tell if it was that update or a base image update?

If a change to the bashbrew file gets merged, you can check for the new tags it introduces. If you are a bit more adventurous, you can look through builds and their logs, https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/telegraf/ .
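One way to answer the "was it our push or a base update" part locally, as an added example that is not from this thread or the official-images project: compare the RootFS.Layers list that docker image inspect prints for the telegraf image with the list for the base image it is FROM. A FROM image inherits the base's diff IDs as an exact prefix, so a rebuilt base (new glibc, say) has new IDs and the prefix stops matching until the downstream image is rebuilt. The inspect JSON below is constructed sample data with placeholder digests, not real telegraf or debian output.

```python
import json
from typing import List

# Constructed sample output in the shape `docker image inspect` prints (a JSON
# array with Created and RootFS.Layers). The sha256 values are placeholders,
# not real telegraf or debian digests.
BASE_INSPECT = json.dumps([{
    "Created": "2024-02-01T10:00:00Z",
    "RootFS": {"Type": "layers", "Layers": ["sha256:base0001"]},
}])
IMAGE_INSPECT = json.dumps([{  # image built on top of that base
    "Created": "2024-02-05T12:30:00Z",
    "RootFS": {"Type": "layers", "Layers": [
        "sha256:base0001", "sha256:app0002", "sha256:app0003"]},
}])
STALE_INSPECT = json.dumps([{  # image built before the base was rebuilt
    "Created": "2024-01-20T08:00:00Z",
    "RootFS": {"Type": "layers", "Layers": [
        "sha256:old00001", "sha256:app0002", "sha256:app0003"]},
}])


def layers(inspect_json: str) -> List[str]:
    """Diff-ID layer list of the first image in `docker image inspect` output."""
    return json.loads(inspect_json)[0]["RootFS"]["Layers"]


def created(inspect_json: str) -> str:
    """Build timestamp of the image (the Created field the question mentions)."""
    return json.loads(inspect_json)[0]["Created"]


def built_on_base(image_json: str, base_json: str) -> bool:
    """True when the base image's layers are an exact prefix of the image's
    layers; a base rebuild changes those diff IDs, so the check then fails."""
    base, img = layers(base_json), layers(image_json)
    return len(img) >= len(base) and img[: len(base)] == base


def explain(image_json: str, base_json: str) -> str:
    """One-line verdict combining the layer check with the Created timestamp."""
    when = created(image_json)
    if built_on_base(image_json, base_json):
        return f"built {when} on the current base image"
    return f"built {when} on an older or different base; expect a rebuild"


if __name__ == "__main__":
    print(explain(IMAGE_INSPECT, BASE_INSPECT))
    print(explain(STALE_INSPECT, BASE_INSPECT))
```

Run docker image inspect on the pulled telegraf image and on its base tag for the same platform, then pass the two JSON strings to explain(); a mismatch right after a base refresh means the downstream rebuild has not landed yet.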

To my understanding, there are 3 reasons why builds for official images occur:

  1. Dockerfile update
  2. Base update
  3. Periodic rebuilds

How often are the 'periodic rebuilds' triggered?

There are no periodic rebuilds.

Debian and Ubuntu are both rebuilt periodically though (with an approximate cadence of at least once per month, give or take), which leads to your "base update" case for many images.

Edit: see also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves (which touches on this a little bit):

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. #2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

Thanks for the clarifications!