I'm opening it here, since this spans multiple concerns and does not propperly fit the existing repos.
Intro / Overview
Thinking and deciding on a structure in which we maintain our container base images, helper images for pipelines, etc.
Quick note: I'm using OCI image and image instead of docker image as that's the vendor agnostic specification (an actual specification), which is also "guaranteed" portable to podman, crio, containerd and a lot of other container platforms (some based on containerd or crio, as well as others).
Goal
What I am trying to achive is a good compromise of reproducability (somewhat linked to #29), security, reliability and ease of maintenance, that is agreed upon, documented and will hopefully be followed.
Status quo
We are using OCI images in multiple places
- in our build pipelines
- as base for our OCI image releases
these Images are currently a mixture of
- directly pulled from docker.io
- built by us
- from scratch
- based on other images which are than again
- built by us
- taken from docker.io (and potentially other sources)
The images built by us, with exception of the automated release builds, are currently built by hand.
There is no procedure / task / schedule for mainenance on these images.
In pipelines we run a lot of "preparation" installs on our base images, which could just be maintained within a image we can than utilise.
We do not have fallback options if the image repo screws up layers (a bug sadly happening on Codeberg curtesy of Gitea and if we don't fix it downstream in the future forgejo).
Potential solutions / ideas
Organisational:
- Collect a team of people willing to help maintain and improve these images.
- Setup policies on how we handle version upgrades, tagging, security updates, etc. for these images.
- Define a policy on how we inform / update forgejo pipeline images and images used for our releases (images are defined in the forgejo/forgejo repo).
- Setup policies for retention / removal of images (think storage consumption as well as unfixed security issues).
Mixed:
- Add a new repo to forgejo (or create a organisation), with the concern of our base and infrastructure images, which contains the definitions (currently Dockerfiles) and pipelines used to generate them. (I am assuming we want to seperate it from the IaC repo)
Technical:
- Setup automation for at least building the images on change / manual trigger.
- Setup image scanning at least on build, to check for already known security issues.
- Potentially store exports of upstream images critical to our operation as export (in another repo, in releases or something) xgo comes to my mind as one of the most "irreplacable" ones (at least quickly)
Input welcome!
If you have any ideas (or opinions, I actually like those to), please share them.
Maintaining images, setting policies and keeping up with security is a wide field... and in some parts even big corporations can't keep up.