dev variants for base images

[dlorenc]

We should include -debug variants for our base images (static, cc, glibc-dynamic) etc. These would be the same as normal but then have a shell!

[amouat]

The PHP image has latest-dev, which is pretty much the same thing. We could also add something similar to the Python, Ruby and JRE images. See https://github.com/chainguard-images/images/tree/main/images/php

We should agree on debug vs dev wording. I'd currently lean towards dev I think.

[charlieegan3]

Hi, just a drive by comment to mention that the OPA project would like to make use of this for the cgr.dev/chainguard/cc-dynamic image. We've updated our other images to use this as the base (https://github.com/open-policy-agent/opa/pull/5540) however we still have a -debug image with a shell (currently based on gcr.io/distroless/cc-debian11:debug).

We'd like to move to a debug image which doesn't contain OpenSSL.

[patflynn]

any objections to using 'dev' since we've already started down that road?

[charlieegan3]

(Not from us!)

[charlieegan3]

Hi all, any update on this one?

[amouat]

Working on it as we speak, don't have a timeline yet. I want to standardise all tags at the same time.

[charlieegan3]

Thanks for the update @amouat and for your work on this, keep us posted!

[amouat]

We've now published a best practice guide, which includes creating "dev" variants. The next step is to apply the practices to all of our images. https://github.com/chainguard-images/images/blob/main/BEST_PRACTICES.md

[charlieegan3]

That sounds ideal 👍 thanks for sharing!

[patflynn]

We're going to try and auto-generate debug variants once the apko versions of 'build options' is available. https://github.com/chainguard-dev/melange/pull/297

[patflynn]

couple of notes about what the overrides should be:

add deps:

• wolfi-base (busybox, apktools)

set user: root (this is probably worth discussing)

[patflynn]

This PR , should enable us to generate dev variants for our images.

[charlieegan3]

Thanks for the updates Patrick! This is looking great so far 🙂

[jdolitsky]

So we now have this file which defines a dev variant to apply wherever we want to: https://github.com/chainguard-images/images/blob/main/globals.yaml

My remaining questions are:

• What are the correct packages to be brought in for dev variants? Currently its apk-tools+bash+busybox, but should it be just wolfi-base?
• Do we still want to set user to root?
• Which images should have a dev variant? All of them?

@patflynn

[patflynn]

@amouat @kaniini FYI

I believe that yes it should just be wolfi-base and then a mechanism for customization for specific images (like python-dev including pip)

[patflynn]

I'm not sure about including a dev for all images but maybe yes? @amouat thoughts?

[patflynn]

and yes to user root for dev variants. @amouat again to confirm.

[jdolitsky]

marking as done for now.

if we need to modify the global dev options (root user, etc.) its a simple change. or if we need to add a dev variant to another image, simple change

[charlieegan3]

Hey, would it be better to open another issue for the adding of a dev variant for the cgr.dev/chainguard/cc-dynamic image?

[jdolitsky]

@charlieegan3 - sorry we didnt get that one before. Patrick just added it in #367. Try this image:

cgr.dev/chainguard/cc-dynamic:latest-dev

If there are any issues with using it, or require another dev variant, please open another issue. Thank you!

[charlieegan3]

Amazing, thanks! 😊

[charlieegan3]

Just realised that we also need a -dev variant for static but I can open a PR for that 😊

[charlieegan3]

https://github.com/chainguard-images/images/pull/368