guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

agent-builder jenkins job is pushing stale container images #3232

Closed mssalvatore closed 1 year ago

mssalvatore commented 1 year ago

Describe the bug

Even though the agent-builder docker image is built monthly, it has not been changed: image

Expected behavior

The jenkins job should push a fresh image to dockerhub

Note

The jenkins script should be committed to the monkey-build repository. Currently, it exists only in the jenkins configuration.

ilija-lazoroski commented 1 year ago

When we use docker build the resulting image may have the same digest every time you build it if the contents of the image layers have not changed. This is because the digest is a cryptographic hash of the image layers, and if the layers have not changed, the digest will remain the same.

Thus we can add a command to stage-1 of the Docker which is somewhat of a build id which will mean that the layers change every time we build the image and push it to DockerHub. Note: This makes the build slower as all the layers need to be rebuilt.

mssalvatore commented 1 year ago

> When we use docker build the resulting image may have the same digest every time you build it if the contents of the image layers have not changed.

This is somewhat perplexing. Our layers should change. For example, we run pip install -U pip. A new version of pip was released on 2023-04-24. At the very least, the topmost layer should be different.

@ilija-lazoroski See jenkins output for example: layers

These builds have different digests. digest

ilija-lazoroski commented 1 year ago

Those are built from 3232-agent-builder-script from monkey-build and I already have something that is changing the Dockerfile.

See build no.33 and no.34.
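
Added example (not from the thread or the Infection Monkey project): a simplified Python model of a content-addressed layer chain with a build cache, showing how a scheduled rebuild can return the same digest while upstream packages have moved on, and how a per-build id step early in the Dockerfile, as proposed in the discussion above, changes every later layer. The cache-keying rule (parent chain plus instruction text), the base image name, the `echo build-id` step and the upstream-state labels are assumptions made for the model.

```python
import hashlib

def digest(text: str) -> str:
    return "sha256:" + hashlib.sha256(text.encode()).hexdigest()

class Builder:
    """Toy builder. Assumption: a step is reused from cache when its parent
    chain and instruction text match, without re-running the command."""

    def __init__(self):
        self.cache = {}  # (parent chain id, instruction) -> layer diff id

    def build(self, steps, upstream, no_cache=False):
        chain = ""
        for step in steps:
            key = (chain, step)
            if no_cache or key not in self.cache:
                # Step really runs: its output depends on what upstream
                # (registry, PyPI) serves at this moment.
                self.cache[key] = digest(step + "|" + upstream)
            diff_id = self.cache[key]
            # OCI-style chain id: hash of parent chain id + this layer.
            chain = digest(chain + " " + diff_id) if chain else diff_id
        return chain  # stands in for the image digest

def dockerfile(build_id=None):
    # Constructed Dockerfile; only `pip install -U pip` comes from the thread.
    steps = ["FROM python:3", "RUN pip install -U pip"]
    if build_id is not None:
        steps.insert(1, f"RUN echo build-id={build_id}")  # hypothetical step
    return steps

def demo():
    b = Builder()
    first = b.build(dockerfile(), upstream="state-A")   # constructed labels
    second = b.build(dockerfile(), upstream="state-B")  # cached: same digest
    fresh = b.build(dockerfile(), upstream="state-B", no_cache=True)
    id_a = b.build(dockerfile(1), upstream="state-B")   # constructed build ids
    id_b = b.build(dockerfile(2), upstream="state-B")
    return first, second, fresh, id_a, id_b

if __name__ == "__main__":
    for name, d in zip(("first", "second", "fresh", "id_a", "id_b"), demo()):
        print(f"{name:7} {d[:19]}")
```

In the model, the second scheduled build returns the first build's digest even though upstream changed, which is the stale-image symptom; a no-cache build or a changing build-id step yields a new digest at the cost of rebuilding every later layer.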