Open baronfel opened 2 years ago
Some additional food for thought on forcing a pull.
My company is dealing with some regulatory and security requirements around ensuring our software is patched. Part of this includes ensuring our Docker images are built on images that contain the latest patches.
We've found there are situations where tags like `latest` or `6.0` can be interpreted by various caching layers differently, and builds that should be up to date end up with an older cached version. Apparently this is not an easy problem to solve, and most solutions tend to rely on cooperating cache layers. We have hundreds of docker-based services running in production. Fully automating the cycle of ensuring they're all running relatively recent images is mandatory.
Having a way to ensure (I use this word deliberately) the image layers we're getting are the up-to-date ones we expect, possibly by comparing against another MSBuild value, would be beneficial to our workflows.
This seemed like the most relevant issue to raise this in, though it's drifting a bit from just cache busting. If there's a better place to write this up, let me know 😊
`docker build` has a `--pull` flag that forces reacquisition of manifests and layers - we should enable this behavior as well. The content store is fine for the default case but sometimes you really need a `clean` analogue.

My initial thoughts are twofold:
and document both of these.