It's unclear when the "rewrite" command should be used in the CI process #86
As a random user of docker-lock I agree. Perhaps treating the original docker-recipes/compose-files as lock-files (when it comes to the FROM fields in Dockerfiles, and image fields in docker-compose files), and having developers update versions in the top-level docker-lock-owned file (an alternative file to today's docker-lock.json file) would make it easier?
@MeLlamoPablo @andoks Sorry for the late reply, I didn't have notifications for discussions turned on :(. Thank you so much for your question! The way I usually use it is:
I believe that my workflow addresses your concerns of deploying images that are different than what developers use. Now, I could also imagine other workflows that use git commit hooks, if you are not using pipelines. I haven't thought through them as clearly, but if that is of interest to you, I am happy to do so. @andoks I am not sure I 100% understand your reply, but my understanding is that developers should never manually update a Lockfile (whether it is Let me know if that clears it up! I know this reply is a bit late, but if you are still using it/trying it out, happy to help any way that I can :)
Hello!
When I first used this tool I was under the impression that I should generate a Lockfile, then rewrite my dockerfiles and then commit it. This isn't ideal, as it makes them less readable and makes updating tedious.
Upon reading the documentation again, I noticed that maybe I had the wrong idea:
So, maybe it should be the CI pipeline the one to run `docker lock rewrite` before building and deploying the images. That solves the two problems mentioned above. However, that means that when developing we're referencing images by tags, and when deploying we're referencing images by digest. It may be possible to deploy an `ubuntu:20.04` based image with a bug or a vulnerability, while developing locally with the updated image, thus not realizing the bug. I guess that's a small chance but it's entirely possible.
The whole purpose of lockfiles is to facilitate reproducible builds. Shouldn't we be using the exact same images in development and production? One way to achieve that is to `docker lock rewrite`, build the images, and then restore the modifications to the dockerfiles using git. However, that is tedious as well; one would end up writing a wrapper around docker to automate that.
Maybe it would be possible to hook into the docker image resolution mechanism? This is pure speculation.
So, to summarize, I would like to understand better what the intended workflow is. Neither situation (committing the rewritten files or rewriting on CI) seems ideal to me.
Thanks for your help 🙂
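The rewrite step this thread is about, as an added example that is not docker-lock's own code: a small Python implementation of digest pinning for Dockerfile `FROM` lines driven by a lockfile, together with the check a CI job would run before building to confirm that every base image is pinned. The lockfile layout, the image names, the stage names and the digests are constructed for this example and are not docker-lock's real docker-lock.json format.

```python
"""Toy lockfile-driven rewrite of Dockerfile FROM lines (added example, not docker-lock's code)."""
import json
import re

# Constructed sample inputs. The lockfile shape below is an assumption made for
# this example; it is not docker-lock's real docker-lock.json layout.
SAMPLE_LOCKFILE = json.dumps({
    "dockerfiles": {
        "Dockerfile": [
            {"name": "golang", "tag": "1.16", "digest": "sha256:" + "b" * 64},
            {"name": "ubuntu", "tag": "20.04", "digest": "sha256:" + "a" * 64},
        ]
    }
})

SAMPLE_DOCKERFILE = """\
FROM golang:1.16 AS build
WORKDIR /src
COPY . .
RUN go build -o app .

FROM ubuntu:20.04
COPY --from=build /src/app /usr/local/bin/app
CMD ["app"]
"""

# FROM [--platform=<p>] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^(?P<prefix>\s*FROM\s+(?:--platform=\S+\s+)?)(?P<image>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
STAGE_RE = re.compile(r"\bAS\s+(?P<stage>\S+)", re.IGNORECASE)


def parse_image_ref(ref):
    """Split 'registry/name:tag@digest' into (name, tag, digest-or-None)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' only introduces a tag when it comes after the last '/';
    # before it, the colon belongs to a registry port (localhost:5000/app).
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, "latest", digest


def _lock_index(lockfile_json, path):
    entries = json.loads(lockfile_json)["dockerfiles"].get(path, [])
    return {(e["name"], e["tag"]): e["digest"] for e in entries}


def _from_lines(dockerfile):
    """Yield (line, match-or-None) while skipping FROM lines that name a build stage."""
    stages = set()
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if m and m.group("image") not in stages:
            stage = STAGE_RE.search(m.group("rest"))
            if stage:
                stages.add(stage.group("stage"))
            yield line, m
        else:
            yield line, None


def rewrite_dockerfile(dockerfile, lockfile_json, path="Dockerfile"):
    """Return (rewritten text, images the lockfile did not know).

    Every tagged base image becomes name:tag@digest, so the build no longer
    depends on what the tag points to on the day CI runs. A digest already
    present in the Dockerfile must agree with the lockfile, otherwise the two
    have drifted apart and the job should fail rather than silently pick one.
    """
    index = _lock_index(lockfile_json, path)
    out, unpinned = [], []
    for line, m in _from_lines(dockerfile):
        if m is None:
            out.append(line)
            continue
        name, tag, have = parse_image_ref(m.group("image"))
        want = index.get((name, tag))
        if want is None:
            unpinned.append(f"{name}:{tag}")
            out.append(line)
        elif have is not None and have != want:
            raise ValueError(f"{name}:{tag} pinned to {have} but lockfile says {want}")
        else:
            out.append(f"{m.group('prefix')}{name}:{tag}@{want}{m.group('rest')}")
    return "\n".join(out) + "\n", unpinned


def unpinned_images(dockerfile):
    """CI gate: base images still referenced by tag only (no @digest)."""
    missing = []
    for _, m in _from_lines(dockerfile):
        if m is not None:
            name, tag, digest = parse_image_ref(m.group("image"))
            if digest is None:
                missing.append(f"{name}:{tag}")
    return missing
```

In the "rewrite on CI" workflow from the post, the rewritten text is written over the Dockerfile, the image is built, and the working tree is restored with `git checkout -- Dockerfile` so the tagged, readable version stays in the repository. `unpinned_images` is the gate that fails the job when a `FROM` line was not covered by the lockfile, and the digest-mismatch error catches a Dockerfile that was hand-edited to a digest the lockfile does not know about, which is the drift between what developers build and what gets deployed that the post is worried about.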