open-horizon / exchange-api

Horizon Exchange REST API Server
Apache License 2.0

Base docker image for openhorizon/amd64_exchange-api is nondeterministic #652

Open johnwalicki opened 1 year ago

johnwalicki commented 1 year ago

The registry.access.redhat.com/ubi9-minimal:latest will vary over time as :latest changes every few weeks/months. Red Hat releases these ubi images on their schedule. This does not allow us to build and rebuild the Open Horizon exchange container with reliable results. That is especially important if we want to fork a branch for LTS or commercial product reasons.

https://github.com/open-horizon/exchange-api/blob/f7f010c4d1e201f9dde9f190518962a4e3284d0d/build.sbt#L108

I propose we pin the Docker base image registry.access.redhat.com/ubi9-minimal:latest to a specific version. Then, the Open Horizon team can make an overt decision when, and if, the base image is built on a particular version. We can submit a PR to rebase and test on our release schedules.

As of 11/07/2022, the current ubi9-minimal version is 9.0.0-1687

naphelps commented 1 year ago

@johnwalicki I agree that using a specific version tag can be useful for branched releases of the Exchange, I am not sure this is beneficial as the default or for master. The Sbt setting in question can be overwritten at anytime during build-time. This allows any parties' devops team to synchronize and make an overt decision on what base image the Exchange uses for its container, regardless of where the source was pulled/forked from in the repository.

johnwalicki commented 1 year ago

ubi9.1 image is now available.

registry.access.redhat.com/ubi9-minimal:9.1.0-1656

johnwalicki commented 1 year ago

I still think pinning the exchange to specific UBI releases is a good idea so that we can be deterministic about the builds. It answers the SBOM question definitively.

bencourliss commented 1 year ago

@johnwalicki I would highly suggest not doing this as it means we do not pull in the latest security fixes during the build process. You can determine the version of the UBI base image used in a given Exchange-API container image by using skopeo inspect and looking at the url label which should show the actual version.

$ skopeo inspect docker://openhorizon/amd64_exchange-api:testing
{
    "Name": "docker.io/openhorizon/amd64_exchange-api",
    "Digest": "sha256:db0d9e1cfd5b253c0e5e58b1bb445c7bb8003ba2d8dbbeb7dcb65e0d340e54e6",
...
    "Created": "2023-06-15T03:14:46.355993605Z",
    "DockerVersion": "",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2023-05-03T08:55:50",
        "com.redhat.component": "ubi9-minimal-container",
...
        "name": "amd64_exchange-api",
        "release": "2.114.0",
        "summary": "Open Horizon exchange-api image",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9-minimal/images/9.2-484",
        "vendor": "Open Horizon",
        "version": "2.114.0"
    },
    "Architecture": "amd64",
    "Os": "linux",
...
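The check bencourliss describes, written out as an added example (this is not code from the issue thread or the exchange-api project): read `skopeo inspect` JSON, pull the UBI base out of the `url` label, compare it against a minimum base tag, and measure how much older the base's `build-date` is than the Exchange image's own `Created` time, which is the number that matters for the "latest security fixes" concern even when the build floats on `:latest`. The embedded JSON is a constructed, trimmed copy of the output quoted above; the minimum-version policy, the tuple ordering of UBI tags, and the assumption that the Exchange build does not override the inherited Red Hat labels are all assumptions of this example.

```python
"""Determine and police the UBI base of an Exchange container image.

Added example, not project code. Feed it the output of
    skopeo inspect docker://openhorizon/amd64_exchange-api:testing
SAMPLE_INSPECT is a constructed, trimmed copy of the thread's output so the
script runs offline; real output carries more keys than are used here.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

# Constructed sample: only the fields the checks below need.
SAMPLE_INSPECT = json.dumps({
    "Name": "docker.io/openhorizon/amd64_exchange-api",
    "Digest": "sha256:db0d9e1cfd5b253c0e5e58b1bb445c7bb8003ba2d8dbbeb7dcb65e0d340e54e6",
    "Created": "2023-06-15T03:14:46.355993605Z",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2023-05-03T08:55:50",
        "com.redhat.component": "ubi9-minimal-container",
        "name": "amd64_exchange-api",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9-minimal/images/9.2-484",
        "version": "2.114.0",
    },
})

# Red Hat's catalog URL ends in <repo>/images/<tag>; that tag is the base image tag.
UBI_URL_RE = re.compile(r"#/(?P<repo>registry\.access\.redhat\.com/[^/]+)/images/(?P<tag>[^/\s]+)$")


def ubi_base_from_inspect(inspect_json: str) -> tuple[str, str]:
    """Return (repo, tag) of the UBI base, e.g. ('registry.access.redhat.com/ubi9-minimal', '9.2-484').

    Assumption: the `url` label is the one Red Hat sets in the UBI image and the
    Exchange Dockerfile does not override it, so it identifies the base, not the
    Exchange release (the Exchange's own version lives in the `version` label).
    """
    labels = json.loads(inspect_json).get("Labels") or {}
    match = UBI_URL_RE.search(labels.get("url", ""))
    if not match:
        raise ValueError("no Red Hat UBI url label found; base image cannot be determined")
    return match.group("repo"), match.group("tag")


def parse_ubi_tag(tag: str) -> tuple[int, int, int, int]:
    """Normalise a UBI tag to (major, minor, patch, release) so tags compare as tuples.

    Handles both shapes seen in the thread: '9.0.0-1687' and '9.2-484'.
    The release counter resets per version, so a lexicographic tuple compare is
    the intended ordering. Non-numeric tags such as 'latest' are rejected: they
    are exactly the thing a pinning policy cannot reason about.
    """
    version, _, release = tag.partition("-")
    try:
        parts = [int(p) for p in version.split(".")]
        rel = int(release)
    except ValueError:
        raise ValueError(f"unrecognised UBI tag: {tag!r}") from None
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised UBI tag: {tag!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], rel)


def check_base(inspect_json: str, minimum: str) -> dict:
    """Report whether the image's UBI base is at or above a minimum tag (hypothetical policy)."""
    repo, tag = ubi_base_from_inspect(inspect_json)
    return {"base": f"{repo}:{tag}", "minimum": minimum,
            "ok": parse_ubi_tag(tag) >= parse_ubi_tag(minimum)}


def _parse_ts(ts: str) -> datetime:
    """Parse skopeo/label timestamps; trims nanosecond fractions that fromisoformat rejects."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def base_age_days(inspect_json: str) -> int:
    """Whole days between the base's build-date label and the image's Created time.

    A large gap means the build picked up a base that was already weeks old, which
    happens with a floating `:latest` just as it does with a pinned tag.
    """
    data = json.loads(inspect_json)
    base_built = _parse_ts(data["Labels"]["build-date"])
    image_built = _parse_ts(data["Created"])
    return (image_built - base_built).days


if __name__ == "__main__":
    print(check_base(SAMPLE_INSPECT, minimum="9.1.0-1656"))
    print("base was", base_age_days(SAMPLE_INSPECT), "days old when the image was built")
```

On the thread's sample the base resolves to ubi9-minimal 9.2-484 and was 42 days old at build time; either outcome of the pinning debate can use the same two numbers as a release gate, since a pinned tag fails `check_base` once the floor moves and a floating `:latest` fails an age threshold once the cached base goes stale.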