
Pin docker image version for results processor and revisit the base image

Open jcscottiii opened this issue 2 years ago • 0 comments

Part 1

We should pin the python image used for results processor.

https://github.com/web-platform-tests/wpt.fyi/blob/b1296e17801c43991445df58e1026e371763ad2d/results-processor/Dockerfile#L1

https://console.cloud.google.com/gcr/images/google-appengine/GLOBAL/python has the tags

As a result, we are currently always using the latest tag whenever we deploy.

The risk of not doing this:

  • We might fall into a situation where a future image that is tagged as "latest" is incompatible with our code and dependencies. Upon deploying the next time, things might break.
  • It becomes hard to replicate issues. If production is deployed with latest (SHA x), then when we pull locally, latest may be at SHA y.

Part 2

The latest tag was last updated in Oct 2021 as of this writing. There may be some vulnerabilities. It might be advantageous to use a Docker base image that is updated more frequently. That way, if there is some major vulnerability, that base image has a record of being upgraded frequently.

jcscottiii, Jun 30 '22 17:06
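
An added example, not part of the issue or the wpt.fyi code base: a small Python check that reports which `FROM` lines in a Dockerfile float on `latest`, which are pinned to a tag, and which are pinned to a digest, matching the risk Part 1 describes. The sample Dockerfile is constructed, the image name is assumed from the registry link above, and the digest is a placeholder.

```python
import re

# Constructed sample Dockerfile. The gcr.io image name is assumed from the
# registry link in the issue; the digest is a placeholder, not a real one.
SAMPLE = """\
FROM gcr.io/google-appengine/python
FROM gcr.io/google-appengine/python:latest AS base
FROM --platform=linux/amd64 python:3.9-slim AS build
FROM python:3.9-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM build AS final
FROM localhost:5000/tools
"""

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify(ref):
    """Return 'digest', 'tag' or 'floating' for one image reference."""
    if DIGEST_RE.search(ref):
        return "digest"  # immutable: the same bytes on every pull
    name = ref.split("@")[0]
    last = name.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    tag = last.split(":", 1)[1] if ":" in last else ""
    # No tag means the registry resolves 'latest', which can move at any time.
    return "floating" if tag in ("", "latest") else "tag"


def audit(dockerfile_text):
    """Yield (line_no, image_ref, status) for every external base image."""
    stages = set()
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # Skip references to earlier build stages and the empty 'scratch' base.
        if ref.lower() not in stages and ref != "scratch":
            yield no, ref, classify(ref)
        if alias:
            stages.add(alias.lower())


if __name__ == "__main__":
    for no, ref, status in audit(SAMPLE):
        print(f"line {no}: {ref} -> {status}")
```

A `tag` result is reproducible only as long as the publisher never re-pushes that tag; only a `digest` result guarantees that production and a local pull resolve to the same image.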