Open johnwalicki opened 1 year ago
@johnwalicki I agree that using a specific version tag can be useful for branched releases of the Exchange, but I am not sure this is beneficial as the default or for master. The Sbt setting in question can be overwritten at any time during build-time. This allows any parties' devops team to synchronize and make an overt decision on what base image the Exchange uses for its container, regardless of where the source was pulled/forked from in the repository.
ubi9.1 image is now available.
`registry.access.redhat.com/ubi9-minimal:9.1.0-1656`
I still think pinning the exchange to specific UBI releases is a good idea so that we can be deterministic about the builds. It answers the SBOM question definitively.
@johnwalicki I would highly suggest not doing this as it means we do not pull in the latest security fixes during the build process. You can determine the version of the UBI base image used in a given Exchange-API container image by using `skopeo inspect` and looking at the `url` label, which should show the actual version.
```
$ skopeo inspect docker://openhorizon/amd64_exchange-api:testing
{
    "Name": "docker.io/openhorizon/amd64_exchange-api",
    "Digest": "sha256:db0d9e1cfd5b253c0e5e58b1bb445c7bb8003ba2d8dbbeb7dcb65e0d340e54e6",
    ...
    "Created": "2023-06-15T03:14:46.355993605Z",
    "DockerVersion": "",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2023-05-03T08:55:50",
        "com.redhat.component": "ubi9-minimal-container",
        ...
        "name": "amd64_exchange-api",
        "release": "2.114.0",
        "summary": "Open Horizon exchange-api image",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9-minimal/images/9.2-484",
        "vendor": "Open Horizon",
        "version": "2.114.0"
    },
    "Architecture": "amd64",
    "Os": "linux",
    ...
```
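An added example, not part of the original thread or the Open Horizon project's code: a Python check that reads `skopeo inspect` JSON, recovers the UBI base tag from the `url` label as the comment above describes, and compares it with a pinned tag. The function names and the fragment layout `/<registry>/<repository>/images/<tag>` are assumptions taken from the sample output, and the label is image metadata rather than a verified value.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: a trimmed `skopeo inspect` document that reuses the
# digest and label values shown in the comment above.
SAMPLE_INSPECT = json.dumps({
    "Name": "docker.io/openhorizon/amd64_exchange-api",
    "Digest": "sha256:db0d9e1cfd5b253c0e5e58b1bb445c7bb8003ba2d8dbbeb7dcb65e0d340e54e6",
    "Labels": {
        "com.redhat.component": "ubi9-minimal-container",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9-minimal/images/9.2-484",
        "version": "2.114.0",
    },
})

# Assumed fragment layout (from the sample): /<registry>/<repository>/images/<tag>
_FRAGMENT = re.compile(r"^/(?P<registry>[^/]+)/(?P<repo>.+)/images/(?P<tag>[\w.-]+)$")


def base_image_from_inspect(inspect_json: str) -> dict:
    """Return the base image named by the 'url' label of a skopeo inspect document."""
    doc = json.loads(inspect_json)
    url = (doc.get("Labels") or {}).get("url")
    if not url:
        raise ValueError("image has no 'url' label; base image unknown")
    match = _FRAGMENT.match(urlsplit(url).fragment)
    if match is None:
        raise ValueError(f"unrecognised 'url' label format: {url!r}")
    return {
        "image": doc.get("Name"),
        "digest": doc.get("Digest"),
        "base_tag": match["tag"],
        "base_reference": f"{match['registry']}/{match['repo']}:{match['tag']}",
    }


def matches_pin(inspect_json: str, pinned_tag: str) -> bool:
    """True when the image was built on exactly the pinned base tag."""
    return base_image_from_inspect(inspect_json)["base_tag"] == pinned_tag


if __name__ == "__main__":
    print(base_image_from_inspect(SAMPLE_INSPECT))
    print(matches_pin(SAMPLE_INSPECT, "9.2-484"))
```

Recording `base_reference` next to the image digest gives an SBOM entry for builds that track `:latest`, and `matches_pin` can gate a release branch that is meant to stay on one UBI version.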
The `registry.access.redhat.com/ubi9-minimal:latest` will vary over time as `:latest` changes every few weeks/months. Red Hat releases these ubi images on their schedule. This does not allow us to build and rebuild the Open Horizon exchange container with reliable results. That is especially important if we want to fork a branch for LTS or commercial product reasons.

https://github.com/open-horizon/exchange-api/blob/f7f010c4d1e201f9dde9f190518962a4e3284d0d/build.sbt#L108
I propose we pin the Docker base image `registry.access.redhat.com/ubi9-minimal:latest` to a specific version. Then, the Open Horizon team can make an overt decision when, and if, the base image is built on a particular version. We can submit a PR to rebase and test on our release schedules.

As of 11/07/2022, the current ubi9-minimal version is `9.0.0-1687`