docker-nginx icon indicating copy to clipboard operation
docker-nginx copied to clipboard

Published 20 hours ago verified publisher icon nginxinc

Feature request - Alpine Linux version in Docker image tag

Open rokf opened this issue 3 years ago • 7 comments

Hi 🙂

We (my team at work) were wondering if the Alpine Linux images could get additional tags where the used Alpine Linux version would be part of the tag? Like 1.21.6-alpine-3.15.4 for example.

We'd appreciate this because it'd be easier to track CVE. Docker image pulling would also be more predictable - we'd know ahead which Alpine Linux version we can expect.

rokf avatar Apr 08 '22 09:04 rokf

Just a note that as part of the official images, the images are rebuilt any time the base image is updated. For example, the images with FROM alpine:3.15 will be rebuilt on every 3.15.x release or any other time the alpine:3.15 image is updated. If the FROM was changed to a specific release of Alpine 3.15, like 3.15.4, then there would be manual work here and then a PR to https://github.com/docker-library/official-images to get an updated image.

I don't mind if the image tags have the Alpine version in them like golang does, but that is up to Nginx maintainers.

yosifkit avatar Apr 08 '22 16:04 yosifkit

Having a major.minor (e.g. nginx:1.21.6-alpine3.15) appended to the aliases is doable, but I'm not too sure it would be helpful in this exact case?

thresheek avatar May 06 '22 08:05 thresheek

That won't be enough 🙂

rokf avatar May 08 '22 13:05 rokf

And I don't think it would be easier to track CVEs either - in any case the security team would need to ask package manager for exact versions of software shipped so they could identify if a patch to fix an issue was applied or not.

thresheek avatar May 09 '22 07:05 thresheek

Just a note that as part of the official images, the images are rebuilt any time the base image is updated. For example, the images with FROM alpine:3.15 will be rebuilt on every 3.15.x release or any other time the alpine:3.15 image is updated.

Maybe I am misunderstanding this, but just recently, alpine 3.16.1 was released. As I understand your message, alpine:3.16 has been updated to alpine:3.16.1 and we should get an updated nginx:1.23.0-alpine automatically, based on the new version? That does not seem to be the case, 1.23.0-alpine is still three weeks old, it seems.

tzimmermann avatar Jul 19 '22 08:07 tzimmermann

hi @tzimmermann - your understanding is correct, and I think the updated images were just (20 minutes ago actually!) pushed to the docker hub.

thresheek avatar Jul 19 '22 09:07 thresheek

👋 I would just like to note my +1 for including major.minor in tags as aliases (so nginx:1.22.0-alpine3.16 would be an alias for nginx:1.22.0-alpine) -- it'd be rather helpful in avoiding accidental updates of Alpine in our images :)

This seems to be a reasonably common thing to do (Node.js, Golang)

MattIPv4 avatar Aug 26 '22 11:08 MattIPv4

Thanks @MattIPv4.

I think it's also beneficial to add a version of Debian used in the tags for the same reason.

thresheek avatar Feb 15 '23 02:02 thresheek

Feel free to comment on the PR that implements major.minor for Alpine tags: https://github.com/nginxinc/docker-nginx/pull/754

thresheek avatar Feb 15 '23 02:02 thresheek

Fixed now with 1.23.4 and 1.22.1 images, see https://hub.docker.com/_/nginx for more details on tags.

thresheek avatar Mar 28 '23 23:03 thresheek