backup-container icon indicating copy to clipboard operation
backup-container copied to clipboard
verified publisher icon BCDevOps

Maintain release images

Open WadeBarnes opened this issue 1 year ago • 6 comments

When a release is created images are built and published to Docker Hub for that release. The images are not maintained following their release, meaning they are not rebuilt periodically to pick up updates (such as vulnerability fixes) made to the base container.

Create a scheduled maintenance job that maintains the last x (3 or 4) release images by rebuilding and republishing. The job should trigger at least once a month. This will help reduce the number of teams building and maintaining their own images.

Bonus points for:

  • Making the job(s) smart enough to know whether the base image has changed and only build the related images if the base image has changed since the last build.
  • Triggering the job(s) when there is a change to the related base image.

Other decisions that should be considered:

  • [ ] Should we continue publishing to Docker Hub?
  • [ ] Should we publish to the GHCR as well or instead of to Docker Hub?

WadeBarnes avatar Sep 11 '24 19:09 WadeBarnes

cc @i5okie, @esune

WadeBarnes avatar Sep 11 '24 19:09 WadeBarnes

vote for ghcr.io, and ref through artifactory

mishraomp avatar Sep 11 '24 19:09 mishraomp

I would also be happy to discuss creating a service account with write access to the bcgov-docker-local repo in Artifactory where you can push backup-container images.

caggles avatar Sep 11 '24 19:09 caggles

vote for ghcr.io, and ref through artifactory

+1 for ghcr.io + artifactory.

sheaphillips avatar Sep 12 '24 21:09 sheaphillips

+1 For having the container image artifacts pushed to ghcr.io would be ideal, similar to what already exists on the hub.docker.io side. If we do swap over to ghcr.io, we do not necessarily need to continue having it be mirrored to dockerhub any longer, unless having it there makes it easier to mirror to artifactory. As long as the tagging for these image artifacts follows standard semver conventions it'll provide a huge value for downstream change management.

jujaga avatar Sep 13 '24 16:09 jujaga

+1 For having the container image artifacts pushed to ghcr.io would be ideal, similar to what already exists on the hub.docker.io side. If we do swap over to ghcr.io, we do not necessarily need to continue having it be mirrored to dockerhub any longer, unless having it there makes it easier to mirror to artifactory. As long as the tagging for these image artifacts follows standard semver conventions it'll provide a huge value for downstream change management.

+1 for semver tag release,

mishraomp avatar Sep 13 '24 22:09 mishraomp