wolfi-dev / os

Main package repository for production Wolfi images

How to use Renovate on a Dockerfile which uses Chainguard images as base image #21560

Open mahadevan-karthi-dwp opened 4 weeks ago

mahadevan-karthi-dwp commented 4 weeks ago

Hi, I have a Dockerfile in which I use a Chainguard image as the base, like:

FROM cgr.dev/chainguard/python:latest
ENV PY3_YAML_VERSION="6.0.1-r2"

Prior to using Chainguard, I had my Renovate config as follows.

FROM python:3.12-alpine3.18
# renovate: datasource=repology depName=alpine_3_18/py3-yaml versioning=loose
ENV PY3_YAML_VERSION="6.0-r3"

How does one update the apk packages of Chainguard images when they are used in a Dockerfile? I know it's not directly related to Chainguard; however, I want to know if you have faced any such situations with customers who first want to use the base image and use the complete Wolfi way of melange and apko.

MindTooth commented 3 weeks ago

With e.g. Alpine, you can use Repology to get the latest updates. But Wolfi/apko is not properly set up to act as a repo, and you won't have a source to pull versions from. Remember that Alpine != Wolfi and the version will not always be similar.

I'm pondering this myself, but I have yet to find a good solution.

mahadevan-karthi-dwp commented 3 weeks ago

Thanks, we heavily use Repology (in fact, want to move away from it) with current Alpine-based images, and it all works well.

Also, we equally wanted to use Wolfi (Chainguard) GA images and replace the Alpine base.

But if we do not have a way to auto-update packages, then we may not look at Chainguard images.

MindTooth commented 3 weeks ago

I’m honestly not sure. My understanding is that if you don’t pay, you won’t have access to tagged images from the pre-built ones.

When it comes to rolling your own Wolfi and installing specific versions, I think that there is no automatic way with Renovate. You are better off using Alpine for now.

Here is more information on the issue with Repology: https://github.com/repology/repology-updater/issues/1339 - Edit: seems that changes are coming which might facilitate it. Nice!

MindTooth commented 3 weeks ago

I guess you perhaps can use upstream versions and have a pipeline that tries to build an image. It will probably fail at first as the package is not upgraded in Wolfi, but at least you can try to rerun in a couple of days and it should work.

Very hacky, but at least you can use Wolfi. And if packages don't get updated, maybe you can help out to find out why. 😊
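
Added example, not part of the thread and not Wolfi or Renovate code: a pipeline check in Python that compares annotated ENV pins in a Dockerfile against an apk package index and lists the stale ones. It assumes the index text has already been fetched from the repository the image installs from; the sample Dockerfile and index excerpt are constructed, the function names are hypothetical, and the version ordering is a simplification of apk's rules.

```python
import re

# Constructed sample inputs. The Dockerfile reuses the annotation style from
# the question; the index excerpt uses APKINDEX fields (P: name, V: version).
DOCKERFILE = '''\
FROM cgr.dev/chainguard/python:latest
# renovate: depName=py3-yaml
ENV PY3_YAML_VERSION="6.0.1-r2"
# renovate: depName=py3-requests
ENV PY3_REQUESTS_VERSION="2.31.0-r0"
'''
APKINDEX = '''\
P:py3-yaml
V:6.0.1-r2

P:py3-yaml
V:6.0.1-r10

P:py3-requests
V:2.31.0-r0
'''

# An annotation comment followed directly by the ENV line it describes.
PIN_RE = re.compile(r'#\s*renovate:.*?depName=(\S+).*\n\s*ENV\s+(\w+)="([^"]+)"')

def version_key(v):
    """Simplified apk ordering: numeric dotted parts, then the -rN release."""
    base, _, rel = v.partition("-r")
    return ([int(x) for x in re.findall(r"\d+", base)], int(rel or 0))

def latest_versions(index_text):
    """Map each package name to the highest version found in the index."""
    latest = {}
    for stanza in index_text.strip().split("\n\n"):
        fields = dict(l.split(":", 1) for l in stanza.splitlines() if ":" in l)
        name, ver = fields.get("P"), fields.get("V")
        if name and ver and (name not in latest or version_key(ver) > version_key(latest[name])):
            latest[name] = ver
    return latest

def outdated_pins(dockerfile, index_text):
    """Return (env_var, package, pinned, latest) for every stale pin."""
    latest = latest_versions(index_text)
    return [(env, dep, pinned, latest[dep])
            for dep, env, pinned in PIN_RE.findall(dockerfile)
            if dep in latest and version_key(latest[dep]) > version_key(pinned)]

if __name__ == "__main__":
    for env, dep, old, new in outdated_pins(DOCKERFILE, APKINDEX):
        print(f"{env}: {dep} {old} -> {new}")
```

The release suffix is compared numerically, so `-r10` sorts above `-r2`, which a plain string comparison would get wrong.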