Optimise image rebuilding #276

Closed
pabzm opened this issue Nov 14, 2024 · 4 comments · Fixed by #281

@pabzm
Member

pabzm commented Nov 14, 2024

Since today our images are rebuilt weekly.

Most of the time this will make sense because the upstream image changed, but sometimes the runner will run in vain. In order to prevent that we could use Renovate to check if the upstream images actually changed.

(Idea originally by @thomascube in #270 (comment))

@waja

waja commented Nov 14, 2024

Just pulling a new base image might be good. But newly released (security) patches are normally not released to the Docker images until a new minor release of the distribution is released.
Even if it is not recommended in some places, pulling security fixes by kinda `apt update && apt -y upgrade` pulls them before a minor distribution release.

@pabzm
Member Author

pabzm commented Nov 14, 2024

The Debian images at the base of our images' ancestry are at least updated monthly (the Alpine images only more infrequently), but you're right, we probably should upgrade packages in our build process.

@thomascube
Member

> Even if it is not recommended in some places, pulling security fixes by kinda `apt update && apt -y upgrade` pulls them before a minor distribution release.

In my opinion it's the job of the base image provider to release updates and security fixes and the consumers (we) can/should rely on this -> separation of concerns.

@pabzm
Member Author

pabzm commented Nov 19, 2024

@thomascube I agree, but as long as upstream doesn't do that I would still prefer to have up-to-date images. And as we call them "production-ready" they should be solid – no matter who did what.
