Version pinning support? #686
Comments
|
You can pin to a specific hash. This is just the first link I found, but it has details on it: |
|
Sure. Can we agree this is not ideal though? Its difficult to discover what configuration a particular hash corresponds to and discovering new versions is painful at best. It would be nice if I could see a git tag in this repo that corresponds to the image I'm actually running. |
|
At least for gcr.io/distroless/base-debian10, it seems like they are tagged by commit. But this isn't the case for all images? Why? |
|
It seems only Lines 36 to 38 in 1e4a8bb The tagging by $COMMIT_SHA should be done in the cloudbuild_docker.sh, methinks. |
|
IMHO, I doubt tagging images with git commit SHAs will help people easily find which images have which versions of packages that they want to use. If we add git commit SHAs to every image that we publish whenever a PR is merged, the user will just see the wall of git commit SHAs, which is not different from the current state where they just see the same wall of image SHAs. (I mean, of course it's easy to check package versions if you choose one image with a git SHA, but it doesn't help the user find which image to use.) For the other direction where the user starts with the git history, it's still cumbersome to look up which git commit the user should pick to find an image with the package versions they want. |
|
@springroll12 You can't really pin to a tag as tags are mutable and may change; even if we did incorporate dates into the tag, there's no real guarantee that they might not accidentally change. @loosebazooka's suggestion of pinning to a particular digest, and you periodically updating it, is the only workable solution. @chanseokoh good point on the wall of shas. OCI defines some labels/annotations that could be used for this purpose instead of adding a $COMMIT_SHA tag. |
|
I think the wall of SHAs is a pretty decent UX, honestly. You can just pick an arbitrary commit for distroless and easily discover which image corresponds to that commit. Given that distroless doesn't have releases (and thus no corresponding tags), this is the most obvious way to organize images, IMO. I think annotations are also a good idea, because it's often the case that you know an image digest but might have lost the tag. Being able to map from the image back to the distroless commit is wonderful. If we're going to start annotating images, I'd also include (Similar argument for labels, btw, because docker throws away the manifest... so having the the commit in the config file is useful as well...) |
|
@briandealwis are you talking about git tags or docker tags? I realize pinning to a particular digest is the only way forward at this point, but that is why I created this issue. Plenty of other base images provide versioning for their generated images, why not distroless? @chanseokoh I agree. My preference would be definitive release tags (like other image systems use). Git tags, while mutable are better than nothing in my view. The issue with docker image digests is it's difficult to tie that back to the code that built that image, so git tags or git commit SHA are slightly better in my view. |
|
@jonjohnsonjr "given that distroless doesn't have releases" .. I think this is the crux of it. Why doesn't distroless have releases? It would be much more transparent. |
That's a great question, and I think the answer is partially cultural and partially technical. Culturally, Google doesn't really have releases internally. Everything just "lives at HEAD" in the monorepo. Of course, this is much less tenable in open source. We have no clue if external dependents of distroless get broken by a change because there isn't really a monorepo, so it would be nice if there were releases that folks could rely on. I'd say that this would actually be not good, because people might pin to releases, and given the constant influx of security fixes that go into distroless, I think pinning to specific releases is probably not a great idea. Of course, this is possible with docker by pinning the digest, and that makes sense in a lot of cases, but not always... From a technical perspective, distroless is just syncing changes from debian every day at 8:30 using this script. It doesn't really make sense to have separate releases within distroless, because it's mostly just a projection of debian packages into a container image. If you look at the most recent sync (https://github.com/GoogleContainerTools/distroless/pull/687/files), you can see that the only version information that really exists is debian9 vs debian10, the These are more or less "living" versions, and I don't think distroless could reasonably have a "release" that is any more meaningful than just the commit, unless we have a release for every snapshot update, which would involve a (potentially) daily release cadence. Maybe that's what you want? It might also make sense to just tag each image with the |
|
RE: Pinning to releases being "not good"... I disagree. As much as I admire the "100% rolling" culture at google, this is not tenable for most organizations. In highly regulated environments like healthcare or finance it is crucial to have visibility into exactly what is deployed at all times. Having a base image that can update underneath you between CI builds is a recipe for disaster, especially for small teams. While it's nice to assume that every team has their CI tests prepared for such scenarios, the reality is that many teams do not have the resources to test daily changes to the base container for X microservices. It sounds to me like distroless does daily releases, so would it make sense to tag these with a timestamp? That way versions can be pinned and organizations can make their own assessments about when to upgrade (daily, weekly, etc). This would allow security fixes to be applied using existing workflows. |
I think we mostly agree here, but it really depends on the context. In most cases, I'm going to strongly advocate for users pinning their dependencies for all the reasons I'm sure you already understand. In fact, I've spent a long time pushing back on customer and community requests for "immutable tags" in GCR, because it needlessly introduces a need to trust the registry not to lie to you. We already have digests in the API, which give you cryptographic guarantees of immutability instead of requiring you to trust me never to change something. For knative/serving, I helped implement the tag -> digest resolution at deploy time to paper over the terrible default behavior in kubernetes. You can also find me yelling at people all over the internet about how the lackadaisical attitude around this is a huge problem. However... for the casual consumer of distroless, I think it's better to just live at HEAD and hope for the best, because your'e going to get security patches and bug fixes for free. I agree that it would be nice if there were a bit more transparency around the versioning of distroless, but I worry a bit that publishing tags would encourage folks to pin to those tags, even though they would essentially never get updated. Of course, just living at HEAD is a terrible strategy for production, so I would expect teams to snapshot their dependencies by digest and have gating mechanisms for upgrading to new versions of public content. So, an obvious improvement here (for transparency) would be to include at least the commit in distroless labels and/or annotations, as brian suggested. The commit would allow you to discover the |
|
All valid points. At this point is seems like the path is set and I'm tilting at windmills, but let me try to respond anyway. I guess it is true that if the labels/annotations were present it would be possible to locate the git-sha, but this is not particularly great DX. In my view its much easier to open the Dockerfile and look at the FROM line than to inspect a container/image for labels. I can't argue that immutability is not useful, but I think we need to balance that against discoverability.
Exactly. As a team member who is responsible for many facets of development, the time it takes to discover which image to upgrade to for N microservices is non-trivial. Why not provide tags/releases with definitive changelogs that make it easy to discover which image (digest?) to upgrade to? (Maybe these could be stolen from debian?) This leads to fewer snapshot upgrades as well, since teams might not know when a critical release has occurred which should force an upgrade.
These mechanisms are not mutually exclusive. Definitive version tags can coexist with rolling versions (see |
I'm not trying to convince you otherwise, I'm just describing the limitations we have w.r.t. debian's releases. We seem to agree on the ideal state of things, but I don't think that ideal state is achievable without some help. I don't have the familiarity with debian to really make this much better, unfortunately. I know there are point releases for debian, but I'm not sure how those actually map to the snapshots distroless currently uses. It may be the case that we want something like a I guess the reason we don't have releases or versions is that it's not completely obvious what we should do about it. Also, while distroless currently relies on debian releases, it's unclear if that will always be the case, so exposing debian versions in the distroless versioning scheme might not be a great idea. On the other hand, inventing and maintaining a separate versioning scheme for distroless seems hard to get right and would require some careful thought.
This is a sore point for me, but in a lot of contexts there is no FROM line and there is no Dockerfile, e.g. when using rules_docker, which is what distroless uses. Of course I'd be fine with all three of these (tag + annotation + label) because it would make my life easier 😄 it's just a matter of doing the work and getting consensus. Above I did mention that I would be in favor of tagging every image with the commit. It looks like the commit tags currently point to the amd64 images only and not the corresponding multi-platform image (unfortunately). This seems like something that could be fixed.
@imjasonh and I are trying to improve that a bit over in OCI world, if you can spare the time to provide some feedback or support: opencontainers/image-spec#822
This would certainly be nice to have. I think it's a bit easier to automate the distroless image builds than it would be to automate GitHub releases. I also feel like having GitHub releases would be somewhat confusing -- do these map to changes to how distroless works, or to the debian upstream versions? It seems to be that debian has just a Where anytime distroless gets modified without changing the underlying package checksums, we bump the patch version to signal a change?
Definitely, but in this case I believe the only rolling version we really have is I guess to get really concrete about it, this is what I'd personally (not speaking from any place of authority or making any promises) like to see:
Instead of changing the meaning of Part of me wants to reorganize the repos a little bit as well to make this make more sense, but that might be too much of a breaking change. Ideally Now... that's a lot of changes to make, and a lot of code to write, and a lot of machinery to maintain. I don't have the debian expertise to actually make this happen, so I'm not going to implement it myself. I think if someone were to write up a proposal and willing to do the work to make this happen, it might happen, but I don't know anyone who is willing to do this work at the moment. |
|
I'm in favor of tagging/labeling/annotating everything with commit shas back to this repo. I think the complaint here is really about the way debian handles versioning. I do not want to try to build a versioning system on top of the existing Debian versioning system, which isn't designed to work this way. Distroless attempts to follow Debian in a predictable way - it does not attempt to build a distro of itself on top of debian. |
|
+1 to @springroll12 idea of tagging every image with a version tag + timestamp/snapshot/git versions/sequential number. I think the key point is to being able to have an history and being able to find the debian-WHATEVER versions. The same applies to nodejs or any other language related image. You expect to have multiple tags for an image. Tags for major version, minor version, patch version, even underlaying os (debian9, debian10) if it is needed. But the goals is having a way to filter a kind of image and being able to look for previous versions related to distroless image, not the specific base image used to build the distroless. Again, specific underalying is not important unless there are more than one version like debian9 and debian10. The same way it is not important to know at this level if curl is version X or Y. This will allow any user and even dependabot/renovatebot (I think) to identify previous images, or stick to minor, patch versions when its necessary. I don't know if this has any affect on SHA pinning. I guest it does, but I don't know how. |
|
It not an unreasonable request. We're currently doing a bunch of work to restructure the build here. This can only happen after that is done. |
|
Ok. let us know if we can do anything to help on that. |
|
@loosebazooka I fully support being able to version pin images. Makes it easier for humans to understand what updates Dependabot suggest. |
|
Related to this, I have problem: |
|
Most of the discussion above is about distroless base (debian) images, but like @jkytomak I am interested in distroless NodeJS images, and I expected Node's minor and patch version tags to also be present in the distroless image registry. We have been "broken" by changes released in NodeJS minor version upgrades on more than one occasion, and so we only want to apply patch upgrades automatically. Some additional tagging should also assist tools like renovate, where users who are using image hashes can configure their allowed renovate updates using semver specifiers. |
|
Same problem using gcr.io/distroless/nodejs20-debian12:latest.
(we tried gcloud but was not helpful) |
|
yeah, no doubt these are valid concerns, we just haven't gotten to it yet. |
I am a bit confused about the version tagging scheme for distroless images. My current understanding is that the tags (e.g. base-debian10) are updated each time a new version is published. This seems to indicate that version pinning is not possible. Are there other tags (e.g. git commit-id) that can be used to pin?
Maybe I've missed something, but it would be very helpful to be able to specify which version of a distroless tag (e.g. base-debian10-20210220 instead of base-debian10) is used to build.
If pinning is not possible, what is the recommended best-practice for upgrading distroless images? Should we be taking a snapshot, copying it to our own registry, retagging it and using that? Or is the idea that new versions of distroless tags are automatically rolled out to your images the next time they are built (this seems dangerous!)?
The text was updated successfully, but these errors were encountered: