Consider digest pinning for more build stability #67
Labels
No Label
abra
abra-gandi
awaiting-feedback
backups
bug
build
ci/cd
community organising
contributing
coopcloud.tech
democracy
design
documentation
duplicate
enhancement
finance
funding
good first issue
help wanted
installer
kadabra
performance
proposal
question
recipes.coopcloud.tech
security
test
wontfix
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: coop-cloud/organising#67
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
We could be doing something like this in the
compose.yml
files:node:14.15.1@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e
where you pin directly to a digest that you expect. This would stop whacky stuff happening later on if upstream decides to cheekily overwrite the tag.Down for this.
Do we know what exactly would happen if we did this, in those situations "if upstream decides to cheekily overwrite the tag"?
Would the deploy just fail (and would we want to / be able to show a more helpful error than Docker?), or will it still grab the old tagged image from Docker Hub?
I think it would just error out with "I can't find that tag with that hash" and then yeah, as you say, I think we'd need to provide some explanation after that. We could of coures have a
--force
logic here to override. This seems a bit tricky to manage to set up, we'd probably have to publish our own test image and then overwrite it? For now, we could just do the pinning and figure out the rest later.Note: coop-cloud/abra#105 (comment)
Should we stick with
-${DIGEST}
or do this pinning or what is best?We want to reduce recipe config churn, fit in with what
abra
wants and use the simplest solution.Before coop-cloud/abra#105 we had:
After, we have:
How do we guarantee that an update is what it says it is?
When we run
abra catalogue generate
, we store something like:So here we store the digests. We can add a check there to this generation to ensure that the digest are always the same. And when we deploy something, we can make sure to do a comparison.
So, no recipe config changes + simpler label setup, I think!
This seems good, I guess to make things as Easy™ as the previous workflow we want some kind of helper to look up the hash so we don't need to find it manually?
New growing consensus in coop-cloud/recipes-catalogue-json#4 (comment) /cc @3wordchant I think we should 1) remove the digest generation from
abra
(see #379) and document how to pin specific images in the recipe config. Needs some more research tho.decentral1se referenced this issue from coop-cloud/recipes-catalogue-json2023-01-18 10:51:06 +00:00