Archived
15
23
Fork
You've already forked meta
6

Build infrastructure / container base images / image policy #60

Closed
opened 2022年12月06日 21:07:44 +01:00 by gapodo · 9 comments
Contributor
Copy link

I'm opening it here, since this spans multiple concerns and does not propperly fit the existing repos.

Intro / Overview

Thinking and deciding on a structure in which we maintain our container base images, helper images for pipelines, etc.

Quick note: I'm using OCI image and image instead of docker image as that's the vendor agnostic specification (an actual specification), which is also "guaranteed" portable to podman, crio, containerd and a lot of other container platforms (some based on containerd or crio, as well as others).

Goal

What I am trying to achive is a good compromise of reproducability (somewhat linked to #29), security, reliability and ease of maintenance, that is agreed upon, documented and will hopefully be followed.

Status quo

We are using OCI images in multiple places

  • in our build pipelines
  • as base for our OCI image releases

these Images are currently a mixture of

  • directly pulled from docker.io
  • built by us
    • from scratch
    • based on other images which are than again
      • built by us
      • taken from docker.io (and potentially other sources)

The images built by us, with exception of the automated release builds, are currently built by hand.

There is no procedure / task / schedule for mainenance on these images.

In pipelines we run a lot of "preparation" installs on our base images, which could just be maintained within a image we can than utilise.

We do not have fallback options if the image repo screws up layers (a bug sadly happening on Codeberg curtesy of Gitea and if we don't fix it downstream in the future forgejo).

Potential solutions / ideas

Organisational:

  • Collect a team of people willing to help maintain and improve these images.
  • Setup policies on how we handle version upgrades, tagging, security updates, etc. for these images.
  • Define a policy on how we inform / update forgejo pipeline images and images used for our releases (images are defined in the forgejo/forgejo repo).
  • Setup policies for retention / removal of images (think storage consumption as well as unfixed security issues).

Mixed:

  • Add a new repo to forgejo (or create a organisation), with the concern of our base and infrastructure images, which contains the definitions (currently Dockerfiles) and pipelines used to generate them. (I am assuming we want to seperate it from the IaC repo)

Technical:

  • Setup automation for at least building the images on change / manual trigger.
  • Setup image scanning at least on build, to check for already known security issues.
  • Potentially store exports of upstream images critical to our operation as export (in another repo, in releases or something) xgo comes to my mind as one of the most "irreplacable" ones (at least quickly)

Input welcome!

If you have any ideas (or opinions, I actually like those to), please share them.
Maintaining images, setting policies and keeping up with security is a wide field... and in some parts even big corporations can't keep up.

I'm opening it here, since this spans multiple concerns and does not propperly fit the existing repos. ## Intro / Overview Thinking and deciding on a structure in which we maintain our container base images, helper images for pipelines, etc. Quick note: I'm using *OCI image* and *image* instead of *docker image* as that's the vendor agnostic specification (an actual specification), which is also "guaranteed" portable to podman, crio, containerd and a lot of other container platforms (some based on containerd or crio, as well as others). ## Goal What I am trying to achive is a good compromise of reproducability (somewhat linked to #29), security, reliability and ease of maintenance, that is agreed upon, documented and will hopefully be followed. ## Status quo We are using OCI images in multiple places * in our build pipelines * as base for our OCI image releases these Images are currently a mixture of * directly pulled from docker.io * built by us * from scratch * based on other images which are than again * built by us * taken from docker.io (and potentially other sources) The images built by us, with exception of the automated release builds, are currently built by hand. There is no procedure / task / schedule for mainenance on these images. In pipelines we run a lot of "preparation" installs on our base images, which could just be maintained within a image we can than utilise. We do not have fallback options if the image repo screws up layers (a bug sadly happening on Codeberg curtesy of Gitea and if we don't fix it downstream in the future forgejo). ## Potential solutions / ideas ### Organisational: - [ ] Collect a team of people willing to help maintain and improve these images. - [ ] Setup policies on how we handle version upgrades, tagging, security updates, etc. for these images. - [ ] Define a policy on how we inform / update forgejo pipeline images and images used for our releases (images are defined in the forgejo/forgejo repo). - [ ] Setup policies for retention / removal of images (think storage consumption as well as unfixed security issues). ### Mixed: - [ ] Add a new repo to forgejo (or create a organisation), with the concern of our base and infrastructure images, which contains the definitions (currently Dockerfiles) and pipelines used to generate them. (I am assuming we want to seperate it from the IaC repo) ### Technical: - [ ] Setup automation for at least building the images on change / manual trigger. - [ ] Setup image scanning at least on build, to check for already known security issues. - [ ] Potentially store exports of upstream images critical to our operation as export (in another repo, in releases or something) xgo comes to my mind as one of the most "irreplacable" ones (at least quickly) ## Input welcome! If you have any ideas (or opinions, I actually like those to), please share them. Maintaining images, setting policies and keeping up with security is a wide field... and in some parts even big corporations can't keep up.
Author
Contributor
Copy link

Forgot to add that this is also related to #58

Forgot to add that this is also related to #58

I think this all makes perfect sense and is essential to the long term maintenance and sanity of the CI/CD pipelines. Otherwise there is accumulated technical debt and undocumented builds that may or may not be reproducible all over the place.

I think this all makes perfect sense and is essential to the long term maintenance and sanity of the CI/CD pipelines. Otherwise there is accumulated technical debt and undocumented builds that may or may not be reproducible all over the place.
Contributor
Copy link

For reference regarding Docker security:

https://snyk.io/learn/docker-security-scanning/

For reference regarding Docker security: https://snyk.io/learn/docker-security-scanning/
Author
Contributor
Copy link

For reference regarding Docker security:

https://snyk.io/learn/docker-security-scanning/

Thanks, I was thinking of snyk, and/or clair as potential contenders (just from memory), we may want to look into this once we have the basics setup!

> For reference regarding Docker security: > > https://snyk.io/learn/docker-security-scanning/ Thanks, I was thinking of snyk, and/or clair as potential contenders (just from memory), we may want to look into this once we have the basics setup!

On the topic of version tagging, copy/pasting from an issue:

Container images are published at https://codeberg.org/forgejo/-/packages/container/forgejo/versions for stable versions. The "latest" version should point to the most recent stable version so that people can use it and expect upgrades to happen without requiring manual operation.

However this does not work for Forgejo because every major release is expected to require some kind of manual intervention and carefully reading the release notes before an upgrade is done.

For this reason tags such as v1.18 are set for every release and matches the latest point release v1.18.0-0, then v1.18.0-1 etc. The point releases can be upgraded without manual intervention (there has been exceptions with the first v1.16 point releases in Gitea but Forgejo can be careful to avoid that kind of predictible breakage).

On the topic of version tagging, copy/pasting from [an issue](https://codeberg.org/forgejo/forgejo/issues/73): Container images are published at https://codeberg.org/forgejo/-/packages/container/forgejo/versions for stable versions. The "latest" version should point to the most recent stable version so that people can use it and expect upgrades to happen without requiring manual operation. However this does not work for Forgejo because **every major release is expected to require some kind of manual intervention** and carefully reading the release notes before an upgrade is done. For this reason tags such as **v1.18** are set for every release and matches the latest point release **v1.18.0-0**, then **v1.18.0-1** etc. The point releases can be upgraded without manual intervention (there has been exceptions with the first **v1.16** point releases in Gitea but Forgejo can be careful to avoid that kind of predictible breakage).
Author
Contributor
Copy link

I'd tend to upload a "dummy" image (echo "pleas use a tagged version" and exit 1 or similar) to latest, which just fails, as the whining is going to be huge when we do a major version jump and things just break on their own, because the users system auto pulls latest...

We may choose to release a "dev" container, that is the latest build of what ever is merged (for testing, similar to woodpecker-ci|s next tag), but I'd not make containers people use in prod just break (and latest would run exactly that risk).

I'd tend to upload a "dummy" image (echo "pleas use a tagged version" and exit 1 or similar) to latest, which just fails, as the whining is going to be huge when we do a major version jump and things just break on their own, because the users system auto pulls latest... We may choose to release a "dev" container, that is the latest build of what ever is merged (for testing, similar to woodpecker-ci|s next tag), but I'd not make containers people use in prod just break (and latest would run exactly that risk).
Member
Copy link

However this does not work for Forgejo because every major release is expected to require some kind of manual intervention and carefully reading the release notes before an upgrade is done.

  • Could you clarify what you mean by "major release"? Are we talking eg v1.18.0 (which I would call a "minor" release, though we don't use semver) or a potential v2.0.0?

  • Is the problem here (automatic upgrades to major releases) because we don't use semver, or does Docker not respect semver anyway?
    In the latter case, presumably automatic breakage is normal in the Docker ecosystem if automatic updates are enabled - how do other projects handle this?

> However this does not work for Forgejo because every major release is expected to require some kind of manual intervention and carefully reading the release notes before an upgrade is done. - Could you clarify what you mean by "major release"? Are we talking eg `v1.18.0` (which I would call a "minor" release, though we don't use semver) or a potential `v2.0.0`? - Is the problem here (automatic upgrades to major releases) because we don't use semver, or does Docker not respect semver anyway? In the latter case, presumably automatic breakage is normal in the Docker ecosystem if automatic updates are enabled - how do other projects handle this?

Could you clarify what you mean by "major release"? Are we talking eg v1.18.0 (which I would call a "minor" release, though we don't use semver) or a potential v2.0.0?

I should have written release instead of major release to avoid confusion. I meant v1.16 => v1.17 => v1.18 etc.

Is the problem here (automatic upgrades to major releases) because we don't use semver, or does Docker not respect semver anyway?

The need for manual intervention is not specific to container images, it is because each Gitea release requires some kind of manual intervention. At the very minimum stopping the server, performing a full backup, upgrading, restarting and carefully verifying everything still works.

> Could you clarify what you mean by "major release"? Are we talking eg v1.18.0 (which I would call a "minor" release, though we don't use semver) or a potential v2.0.0? I should have written **release** instead of **major release** to avoid confusion. I meant v1.16 => v1.17 => v1.18 etc. > Is the problem here (automatic upgrades to major releases) because we don't use semver, or does Docker not respect semver anyway? The need for manual intervention is not specific to container images, it is because each Gitea release requires some kind of manual intervention. At the very minimum stopping the server, performing a full backup, upgrading, restarting and carefully verifying everything still works.

In the past week the release process underwent major changes and there seems to be a consensus that it is now both more secure and more robust than it ever was.

In addition the SemVer discussion branched to its own issue at forgejo/forgejo#207

Reason why I think this issue can be closed. If you feel differently, please re-open: no need to explain, just do that.

In the past week the release process underwent major changes and there seems to be a consensus that it is now both more secure and more robust than it ever was. In addition the SemVer discussion branched to its own issue at https://codeberg.org/forgejo/forgejo/issues/207 Reason why I think this issue can be closed. If you feel differently, please re-open: no need to explain, just do that.
Commenting is not possible because the repository is archived.
No Branch/Tag specified
readme
No results found.
Labels
Clear labels
[Decision] Building proposal(s)
We're in a decision-making process, buiding one or more proposals to address the shared aim based on the criteria
[Decision] Gathering criteria
We're in a decision-making process, gathering criteria, considerations and needs
[Decision] Integrating concerns
We're in a decision-making process, working with a proposal, trying to integrate concerns and create modifications/support such that the proposal works for everyone
Accessibility
Relates to Accessibility (a11y) of product, project and process.
Agreement proposal
Forgejo agreement proposal, following a discussion
Communication
Relates to all channels, social media, website, blog posts.
Election
Process of appointing a person into a role or team (if choosing people just for a specific one-time task, use the Entrustment label)
Entrustment
Process of choosing/approving specific people to do a critical/high-impact one-time task (if choosing people for an ongoing role/team, use the Election label)
Governance
Relates to processes, procedures and decision-making.
Meeting
An upcoming team meeting
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/meta#60
Reference in a new issue
forgejo/meta
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?