make images immutable #975

Closed
andreish opened this issue Oct 8, 2024 · 6 comments

@andreish

andreish commented Oct 8, 2024

Once an image is published under a given tag, do not change its content; use a new tag for new content.
Make and publish/describe tag rules to support immutability.

I used python:3-alpine3.19, and the recently published content (sha256:bd07a7ea723ee0fa0059e7b995d0ee7d97d6ad96b92a7a94cae3b882da389a36) now breaks a build that used to work for me.

@LaurentGoderre
Member

Tags are not immutable by design so that they receive security fixes from the base images. For immutability, you need to use the image digest that the tag points to.

@andreish
Author

andreish commented Oct 8, 2024

Thanks.

FYI:
this used to build, now it is broken, maybe you can find why...

Dockerfile bad today, was good yesterday.

FROM  python:3-alpine3.19

RUN apk add --no-cache bash curl wget python3-dev  alpine-sdk && mkdir -p /srv
WORKDIR /srv
RUN python -m venv .venv
RUN source .venv/bin/activate && pip install pandas==2.2.1

--

Dockerfile good today

FROM alpine:3.19.4

RUN apk add --no-cache bash curl wget python3-dev  alpine-sdk && mkdir -p /srv
WORKDIR /srv
RUN python -m venv .venv
RUN source .venv/bin/activate && pip install pandas==2.2.1

--
Does this mean it is the python image update that is broken?

Is there any way from hub.docker.com to know the history of which sha a given tag pointed to? I.e. I want to know what the sha was yesterday for python:3-alpine3.19.

@andreish
Author

andreish commented Oct 8, 2024

Probably it is the Python version that caused this:
it was
ENV PYTHON_VERSION 3.13.0rc3
and now it is
ENV PYTHON_VERSION 3.13.0

(at least this is here: 7c8595e#diff-92baf5d34140ab68c1204f3d90c1629f298492e03179d7a20916d3febb952f7eL20)

Hmm, python:3-alpine3.19 used a non-final version of Python and now it uses a final one; not too intuitive, I would say.

@andreish
Author

andreish commented Oct 8, 2024

pandas 2.2.3 works ok.

@andreish andreish closed this as completed Oct 8, 2024
@tianon
Member

tianon commented Oct 8, 2024

The python:3-alpine3.19 tag is what I affectionately call a "square wheel" -- it's technically a rolling release, of a sort, but when it rolls, it rolls in a very blocky way -- in this case, you got bitten by the GA release of 3.13, so we "rolled" from 3.12 to 3.13. We maintain a variety of tags to help you control this "rolling" behavior (python:3.12-alpine3.19, python:3.12.6-alpine3.19), or as noted previously, if you need a fully "immutable" base image, that's what the content digests are for. 👍

@tianon
Member

tianon commented Oct 8, 2024

Also, to be clear, if Python 3.13.0rc3 was never pushed to a python:3 bare tag, that's a bug. Up until the 3.13 GA release, all "3" tags were pointing at the previous GA, 3.12.
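
The replies above distinguish rolling tags, more specific version tags and content digests. As an added example (not part of the original thread and not the project's own code), this check reports how tightly each external `FROM` image in a Dockerfile is pinned. The function names, the pin-level labels and the all-zero digest are assumptions constructed for the illustration.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
VERSION = re.compile(r"v?(\d+)(\.\d+)?(\.\d+)?")
LEVELS = {1: "major", 2: "minor", 3: "patch"}

def classify(ref):
    """Return how tightly an image reference is pinned."""
    if DIGEST.search(ref):
        return "digest"                       # content-addressed, cannot move
    name = ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]            # ignore a registry host:port
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    m = VERSION.match(tag)
    if not m:
        return "floating"                     # e.g. latest, or no tag at all
    # Count the version components present: 3 -> major, 3.12 -> minor, ...
    return LEVELS[sum(g is not None for g in m.groups())]

def audit(dockerfile):
    """Yield (line_no, image_ref, pin_level) for each external FROM image."""
    stages = set()
    for no, line in enumerate(dockerfile.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # --platform=...
        if not args:
            continue
        ref = args[0]
        # "scratch" and earlier build stages are not pulled from a registry.
        external = ref != "scratch" and ref.lower() not in stages
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
        if external:
            # A reference built from an ARG cannot be judged statically.
            yield no, ref, "unresolved" if "$" in ref else classify(ref)

PLACEHOLDER = "0" * 64  # constructed digest value, not a real image digest
SAMPLE = f"""\
FROM python:3-alpine3.19
FROM alpine:3.19.4 AS base
FROM --platform=linux/amd64 python:3.12.6-alpine3.19@sha256:{PLACEHOLDER} AS build
FROM base
FROM scratch
FROM python:3.12-alpine3.19
"""

if __name__ == "__main__":
    for no, ref, level in audit(SAMPLE):
        print(f"line {no}: {level:8} {ref}")
```

Only the `digest` level is immutable; every other level is a tag that can be repointed, with `major` moving in the largest steps.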
