GLOBALEAKS / globaleaks-whistleblowing-software

GlobaLeaks is free, open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

docker tag "latest" #4185

Open BeckeBauer opened 1 month ago

BeckeBauer commented 1 month ago

Proposal

So far, I am building the docker image acc. to the documentation under https://github.com/globaleaks/GLOBALEAKS/blob/main/docker/Dockerfile

It means to stop, delete and recreate the image manually after receiving an update notification. For version 5.0.5, I received the update notification on 7 Sept. However, until today (10 Sept), the image building acc. to the documentation produces an image file for v5.0.4.

I double-checked with dockerhub, where there is no v5.0.5 either.

So, I have to check each day for the updated image or simply ignore the update.

With my other images, I can use watchtower which checks every day automatically for a new version. This, however, requires a "latest" tag (afaik) which almost every docker image seems to have.

Motivation and context

Therefore, it would be a great help to add the "latest" tag to the latest docker image. Then, updates can be done automatically for lazy users like me who do not want to check every day whether the latest docker version was made available.

evilaliv3 commented 1 month ago

Thank you @BeckeBauer for this feedback and proposal.

At the moment we have avoided this intentionally to prevent users from running unattended updates, but probably this should not be a concern since, for example, most of the users, not using docker, can currently run unattended updates on Debian and they are running this without any issue.

@rglauco: If I remember correctly you were one specifically against the choice of using a 'latest' tag, would you please annotate here your points if you consider them still valid?

rglauco commented 1 month ago

@evilaliv3 it's a best practice for production deployments and consistent CI/CD (see here for example), and the dockerhub image was created for such environments rather than local development (where it's possible to build the image on the fly). We let the correct GL version be handled through tags; using the latest tag, we may incur issues.
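
As an added illustration of the tag discussion above (not part of the thread and not GlobaLeaks project code): a small Python check that sorts image references into floating (`latest` or no tag), version-tagged and digest-pinned. The image names, versions and function names are constructed placeholders.

```python
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def split_reference(ref):
    """Split an image reference into (name, tag, digest); missing parts are None."""
    name, _, digest = ref.partition("@")
    # A colon only separates a tag when it comes after the last slash;
    # before that it belongs to a registry host:port.
    colon = name.rfind(":")
    tag = None
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest or None

def classify(ref):
    """Return 'digest', 'version-tag' or 'floating' for one image reference."""
    _, tag, digest = split_reference(ref)
    if digest is not None:
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest in {ref!r}")
        return "digest"        # content-addressed: the bytes cannot change
    if tag is None or tag == "latest":
        return "floating"      # no tag means Docker resolves to :latest
    return "version-tag"       # stable by convention; the publisher can still re-push it

def floating_images(refs):
    """References that resolve to whatever the publisher pushed last."""
    return [r for r in refs if classify(r) == "floating"]

# Constructed sample references; names and versions are placeholders.
SAMPLE = [
    "example/whistle",
    "example/whistle:latest",
    "example/whistle:5.0.4",
    "registry.example.com:5000/example/whistle",
    "registry.example.com:5000/example/whistle:5.0.4",
    "example/whistle:5.0.4@sha256:" + "ab" * 32,
]

if __name__ == "__main__":
    for ref in SAMPLE:
        print(f"{classify(ref):12} {ref}")
```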

evilaliv3 commented 1 month ago

Thank you for your feedback, @rglauco. I actually agree with your points.

What do you think, @BeckeBauer?

BeckeBauer commented 1 month ago

I do not understand the best practice recommendation. The only reason given why to avoid a latest tag is:

"The ':latest' tag is mutable and can lead to unexpected errors if the image changes"

First of all, people who do not want unattended updates could still use a version tag instead of the latest tag.

Secondly, even if people use the latest tag, there is no automatic update without user interference. In docker, one needs additional programs (like watchtower) in order to have automatic updates even with a latest tag.

Thirdly, evilaliv3 mentioned:

"most of the users, not using docker, can currently run unattended updates on Debian and they are running this without any issue."

So, unattended automatic updates are already a reality for users not using docker. I see no reason why docker users should be treated less favorably simply because they decided not to use Debian directly.

I really hope that you could change your mind since it would make things easier.

evilaliv3 commented 3 weeks ago

Thank you @BeckeBauer for your feedback. We will keep this as a possibility, waiting to see other users' feedback.