influxdata-docker icon indicating copy to clipboard operation
influxdata-docker copied to clipboard

Published 20 hours ago verified publisher icon influxdata

Add immutable tags to Docker images

Open brsolomon-deloitte opened this issue 3 years ago • 2 comments

Immutable (static) tags are better for production environments, since they ensure a deployment is not affected if a new revision inadvertently breaks existing functionality.

https://docs.bitnami.com/tutorials/understand-rolling-tags-containers/

brsolomon-deloitte avatar Feb 17 '22 15:02 brsolomon-deloitte

Hi,

If you are asking about the containers hosted on bitnami, those are not produced or controlled by us. We push directly to DockerHub.

On DockerHub, it looks like both Influxdb and Telegraf provide a tag for every minor release.

I would say our minor releases are the closest thing to an immutable tag. When we push updates to DockerHub it is usually tied to a new minor release going out. The only time they would also get updated is if/when a change to the dockefile occurs or a security issue comes up and we want to push that out. In all cases updates to the docker images only happen when we want them to.

Does that help clarify the current state and give you an option?

Thanks

powersj avatar Feb 17 '22 17:02 powersj

I'm not asking about the containers published by Bitnami. I'm pointing to Bitnami's use of immutable tags as a best-practice.

I would say our minor releases are the closest thing to an immutable tag. When we push updates to DockerHub it is usually tied to a new minor release going out. The only time they would also get updated is if/when a change to the dockefile occurs or a security issue comes up and we want to push that out. In all cases updates to the docker images only happen when we want them to.

I realize what case you are making here but respectfully disagree. A patch version of the upstream service can be considered immutable. But you are now wrapping a Docker image around that app/service which does not necessarily need to track the underlying release.

For instance, a revision-2 (1.8.10-r2) of an image may use the same patch version of influxdb as the first revision of that major.minor.patch Docker tag (1.8.10-r1) while patching the version of a dependency or, for instance, fixing a bug in init-influxdb.sh.

So yeah, pinning to a major.minor.patch Docker image tag comes close, but without a revision it doesn't really function as an immutable tag.

brsolomon-deloitte avatar Feb 17 '22 18:02 brsolomon-deloitte