Closed sdaschner closed 5 years ago
Hi,
Sorry for not responding sooner; I didn't spot this when you raised it. We didn't do this because, from an API perspective, the images are compatible. However, since you have raised it, we are looking into the implications of doing this. We need some information from the Docker team to understand how official images work and are contacting them to clarify a few points before making a decision.
Be careful when doing this, please. Most of the projects have it and their users do use vulnerable software for years.
E.g. open-liberty:17.0.0.4 as an immutable tag would not be a good idea in my opinion. Why? Because in case ibmjava:8-jre is updated to fix a vulnerability, open-liberty:17.0.0.4 also must be updated, otherwise it'll still be vulnerable. Most of the docker images / docker image maintainers do not take care of it and the images are vulnerable without people noticing it.
If one wants an immutable image it is possible to pull the image using a sha256 checksum.
My 2 cents on this: let's keep Open Liberty always updated with the latest binaries and not introduce versioned tags. As @NottyCode mentioned, the APIs are always compatible - i.e. there won't be breaking changes for your app - and as @shoeper mentioned, the sha256 approach is available if someone wants to "freeze" their version.
For reference, here's how you find the sha256 address of the image:
docker images --digests | grep open-liberty
The 3rd column is the sha256 code, for example sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2.
So then you can change your application Dockerfile to have this:
FROM open-liberty@sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2
From a commercial side, the WebSphere Liberty images have versioned tags.
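The two points made above fit together: pinning by digest gives a repeatable build, but a digest-pinned FROM line silently stops receiving the rebuilds that fix vulnerabilities in the base image. The POSIX shell script below is an added example, not code from the open-liberty project or from any commenter. It derives the pinned FROM line from the third column of `docker images --digests` output, as the comment describes, and then reports whether a Dockerfile's pin still matches what the tag resolves to today. The two image tables are constructed sample output: the javaee7 digest is the one quoted in the thread, the other digests are made up.

```shell
#!/bin/sh
# Added example for this thread (not the open-liberty project's own code).
# The tables below are CONSTRUCTED `docker images --digests` output; the
# javaee7 digest is the one quoted in the thread, the others are made up.

DIGESTS_BEFORE='REPOSITORY     TAG            DIGEST                                                                    IMAGE ID       CREATED       SIZE
open-liberty   javaee7        sha256:cfb082f5ec2acdd0ddd1bda4b6ed7e1795da5e4d7a5946cb9c9ccb9d3d784fe2   0123456789ab   2 days ago    420MB
open-liberty   microProfile1  sha256:1111111111111111111111111111111111111111111111111111111111111111   abcdef012345   2 days ago    400MB'

# The same tag after a rebuild (e.g. the base JRE image was patched): the tag
# name is unchanged, but it now resolves to a different digest.
DIGESTS_AFTER='REPOSITORY     TAG            DIGEST                                                                    IMAGE ID       CREATED       SIZE
open-liberty   javaee7        sha256:2222222222222222222222222222222222222222222222222222222222222222   fedcba987654   1 hour ago    421MB'

# Print the digest (3rd column) that repository:tag resolves to in a
# `docker images --digests` table; prints nothing if the tag is absent.
digest_for() {
    repo="$1"; tag="$2"; table="$3"
    printf '%s\n' "$table" | awk -v r="$repo" -v t="$tag" '$1 == r && $2 == t { print $3; exit }'
}

# Emit the digest-pinned FROM line for repository:tag. Fails (exit 1) if the
# tag is missing or the digest column is not a well-formed sha256 digest.
pinned_from() {
    d=$(digest_for "$1" "$2" "$3")
    printf '%s' "$d" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    printf 'FROM %s@%s\n' "$1" "$d"
}

# Extract the digest a Dockerfile's first FROM line is pinned to, or print
# nothing if it still uses a mutable tag.
pinned_digest_in() {
    printf '%s\n' "$1" | sed -n 's/^FROM[[:space:]]\{1,\}[^@[:space:]]*@\(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Compare a Dockerfile's pin against what the tag resolves to in the given
# table. Prints one of: unpinned, pinned-current, pinned-stale.
pin_status() {
    dockerfile="$1"; repo="$2"; tag="$3"; table="$4"
    pinned=$(pinned_digest_in "$dockerfile")
    [ -n "$pinned" ] || { echo unpinned; return 0; }
    current=$(digest_for "$repo" "$tag" "$table")
    [ "$pinned" = "$current" ] && echo pinned-current || echo pinned-stale
}

# Demo: freeze today's javaee7 image, then re-check after the tag has moved on.
FROM_LINE=$(pinned_from open-liberty javaee7 "$DIGESTS_BEFORE")
echo "$FROM_LINE"
echo "status before rebuild: $(pin_status "$FROM_LINE" open-liberty javaee7 "$DIGESTS_BEFORE")"
echo "status after rebuild:  $(pin_status "$FROM_LINE" open-liberty javaee7 "$DIGESTS_AFTER")"
```

Running `pin_status` against live `docker images --digests` output (after a `docker pull` of the tag) in CI turns the "pinned but forgotten" base image into a visible build warning, so the freeze stays deliberate rather than accidental.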
Closing this, as we have added versions to OL images a few months ago. =)
Hi there,
The tags which the official open-liberty image currently uses are not fixed (i.e. immutable), that is, for example, open-liberty:javaee7 may refer to different images over time. While it makes sense for generic tag names such as javaee7 that image contents change, it'd be very helpful (if not necessary) to additionally provide fixed tags, that won't be overridden by a future image, such as open-liberty:17.0.0.4, open-liberty:2018-01-30_-0151, or open-liberty:6b4d57d. It's totally valid that the current javaee7 tag also points to the 6b4d57d image. But, without fixed versions repeatable builds are almost impossible -- then developers have to package their own OpenLiberty base image.