OpenLiberty / ci.docker

Eclipse Public License 1.0

Add fixed tags to Docker images #19

Closed sdaschner closed 5 years ago

sdaschner commented 6 years ago

Hi there,

The tags which the official open-liberty image currently uses are not fixed (i.e. immutable), that is, for example, open-liberty:javaee7 may refer to different images over time.

While it makes sense for generic tag names such as javaee7 that image contents change, it'd be very helpful (if not necessary) to additionally provide fixed tags that won't be overridden by a future image, such as open-liberty:17.0.0.4, open-liberty:2018-01-30_-0151, or open-liberty:6b4d57d. It's totally valid that the current javaee7 tag also points to the 6b4d57d image. But without fixed versions, repeatable builds are almost impossible -- then developers have to package their own OpenLiberty base image.

NottyCode commented 6 years ago

Hi,

Sorry for not responding sooner, I didn't spot this when you raised it. We didn't do this because from an API perspective the images are compatible. However since you have we are looking into the implications of doing this. We need some information from the docker team to understand how official images work and are contacting them to clarify a few points before making a decision.

shoeper commented 5 years ago

Be careful when doing this, please. Most of the projects have it and their users do use vulnerable software for years.

E.g. open-liberty:17.0.0.4 as an immutable tag would not be a good idea in my opinion. Why? Because in case ibmjava:8-jre is updated to fix a vulnerability, open-liberty:17.0.0.4 also must be updated, otherwise it'll still be vulnerable. Most of the docker images / docker image maintainers do not take care of it and the images are vulnerable without people noticing it.

If one wants an immutable image it is possible to pull the image using a sha256 checksum.

arthurdm commented 5 years ago

My 2 cents on this: let's keep Open Liberty always updated with the latest binaries and not introduce versioned tags. As @NottyCode mentioned the APIs are always compatible - i.e. there won't be breaking changes for your app, and as @shoeper mentioned the sha256 approach is available if someone wants to "freeze" their version.

For reference, here's how you find the sha256 address of the image:

docker images --digests | grep open-liberty

The 3rd column is the sha256 code, for example sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2.

So then you can change your application Dockerfile to have this:

FROM open-liberty@sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2

From a commercial side, the WebSphere Liberty images have versioned tags.
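The digest-pinning workflow above, combined with the concern shoeper raised, as an added example (not code from the ci.docker project): it resolves a tag to its digest from a `docker images --digests` listing, rewrites a Dockerfile FROM line to the immutable `@sha256:` form, and flags when the moving tag has since been rebuilt, so a digest-pinned build does not silently stay on an old base image. The listing and Dockerfile line are constructed sample inputs, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pin a FROM line to a digest and detect when the tag has moved on.
# SAMPLE_LISTING is a constructed stand-in for `docker images --digests` output.
SAMPLE_LISTING='REPOSITORY     TAG       DIGEST                                                                    IMAGE ID       CREATED      SIZE
open-liberty   javaee7   sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2   0123456789ab   2 weeks ago  420MB
ibmjava        8-jre     sha256:1111111111111111111111111111111111111111111111111111111111111111   abcdef012345   3 weeks ago  300MB'

# digest_for_tag REPO TAG: read a `docker images --digests` listing on stdin and
# print the digest (3rd column) that REPO:TAG currently resolves to.
digest_for_tag() {
    awk -v repo="$1" -v tag="$2" '$1 == repo && $2 == tag { print $3; exit }'
}

# pin_from_line LINE REPO DIGEST: rewrite "FROM REPO[:tag]" to "FROM REPO@DIGEST";
# lines referencing other images are returned unchanged.
pin_from_line() {
    printf '%s\n' "$1" | sed -E "s|^FROM[[:space:]]+$2(:[^[:space:]]+)?|FROM $2@$3|"
}

# tag_has_moved PINNED CURRENT: succeed when the tag now points at a different image
# than the pinned one, i.e. a rebuild (possibly carrying a base-image fix) is not in use.
tag_has_moved() {
    [ "$1" != "$2" ]
}

main() {
    current=$(printf '%s\n' "$SAMPLE_LISTING" | digest_for_tag open-liberty javaee7)
    pinned='sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2'
    pin_from_line 'FROM open-liberty:javaee7' open-liberty "$current"
    if tag_has_moved "$pinned" "$current"; then
        echo "WARNING: open-liberty:javaee7 was rebuilt; review the change and re-pin"
    else
        echo "pinned digest still matches the current javaee7 tag"
    fi
}

main "$@"
```

In CI, replace SAMPLE_LISTING with the live `docker images --digests` output after a `docker pull open-liberty:javaee7`, and treat the warning as a signal to rebuild against the new digest.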

arthurdm commented 5 years ago

Closing this, as we have added versions to OL images a few months ago. =)