Dockerfile does not contain reproducible build

Question

Dockerfile does not contain reproducible build

c-nv-s opened this issue a year ago · comments

Dockerfile content does not contain instructions to build the binary but instead assumes a binary already exists in the folder and attempts to copy it.

It should instead contain steps to build the binary. Therefore using docker to pull from https://hub.docker.com/r/kailashnadh/otpgateway is pointless.

It is also very concerning for traceable builds considering that right now if you run ./otpgateway --version on the release builds it returns unknown

Kailash Nadh · Answer 1 · Sat Apr 08 2023 12:25:55 GMT+0800 (China Standard Time)

$ docker run --name test kailashnadh/otpgateway:latest
Unable to find image 'kailashnadh/otpgateway:latest' locally
latest: Pulling from kailashnadh/otpgateway

The Dockerfile here is used for packaging and publishing an image (to DockerHub) via the Goreleaser build process.

CC: @mr-karan

Karan Sharma · Answer 2 · Sat Apr 08 2023 19:13:04 GMT+0800 (China Standard Time)

Therefore using docker to pull from https://hub.docker.com/r/kailashnadh/otpgateway is pointless.

What is pointless about it? The docker images on Dockerhub have the same tags which are present on GitHub releases.

It is also very concerning for traceable builds considering that right now if you run ./otpgateway --version on the release builds it returns unknown

That's a separate issue. Typically make build should inject the buildString variable when doing go build but somehow that's not happening. Will take a closer look at it soon.

c-nv-s · Answer 3 · Sat Apr 08 2023 19:42:30 GMT+0800 (China Standard Time)

I am not saying it is pointless in a sense of trying to be confrontational, I mean pointless in that it will not yield the commonly expected result from a Dockerfile from a user perspective i.e.

git clone https://github.com/knadh/otpgateway
cd otpgateway
docker build . -t otpgateway:latest

that will fail because... as mentioned before... it doesn't actually build the otpgateway binary but expects an already built binary to be present.
Likewise, if you try to just pull the image from docker hub and run it, then it will fail:
docker pull kailashnadh/otpgateway && docker run -i -t -d kailashnadh/otpgateway

I might be mistaken, but I thought the main purpose of having a docker version of the app available was so you can reproduce exact working builds of the app.

Kailash Nadh · Answer 4 · Sun Apr 09 2023 11:35:25 GMT+0800 (China Standard Time)

The Dockerfile in the repo is specifically for Goreleaser for building+packaging+publishing to Dockerhub. Didn't have local Docker builds in mind.

Karan Sharma · Answer 5 · Sun Apr 09 2023 13:04:56 GMT+0800 (China Standard Time)

Likewise, if you try to just pull the image from docker hub and run it, then it will fail:
docker pull kailashnadh/otpgateway && docker run -i -t -d kailashnadh/otpgateway

Why will it fail?

c-nv-s · Answer 6 · Sun Apr 09 2023 23:41:17 GMT+0800 (China Standard Time)

sorry I never realised it had a goreleaser dependency.
tbh that is a little misleading for most docker users
fyi it would actually be useful to have a conventional dockerfile/compose.yml for this project too