Use --pull flag when building images for releases #1293
Conversation
NimJay
added
the
do not merge
|
🚲 PR staged at http://34.27.45.93 |
|
|
NimJay
removed
the
do not merge
|
|
||
| log "Pushing: ${image}" | ||
| docker push "${image}" | ||
|
|
||
| if [ $svcname != "frontend" ] && [ $svcname != "loadgenerator" ] | ||
| then | ||
| log "Building: ${image}-native-grpc-probes" | ||
| docker build -t "${image}-native-grpc-probes" . --target without-grpc-health-probe-bin | ||
| docker build --pull -t "${image}-native-grpc-probes" . --target without-grpc-health-probe-bin | ||
| log "Pushing: ${image}-native-grpc-probes" | ||
| docker push "${image}-native-grpc-probes" | ||
| fi |
There was a problem hiding this comment.
Context:
- This
hack/make-docker-images.shscript is run whenever we create a new release of Online Boutique. - It builds (and pushes) the images at gcr.io/google-samples/microservices-demo.
|
I'm a little bit confused how that could've happened -- is the implication that the base image tag we're using ( |
Great question, @bourgeoisor! |
@bourgeoisor @NimJay in the future, we may want to use hash instead of tag to avoid this kind of issue. No rush on this, but maybe something for the future :) |
Background
emailservice:v0.4.2still contained the same # of CVEs asemailservice:v0.4.1.emailservice:v0.4.2.emailservice's base Docker images — which my local machine was caching when I initially builtemailservice:v0.4.2.--pullflag is explained here. It makes sure the base Docker image is pulled (not from local cache but from the registry) when wedocker build.Change Summary
--pullflag to ensure that the base Docker images is pulled from the registry (not my local cache) when container images are built.Testing Procedure
v0.4.2.emailserviceon our Google Container Registry, you'll see thatv0.4.2has one less vulnerability thanv0.4.1, which means the base images was pulled (not from cache) when I buildemailserviceon my local machine.