get-bridge / docker-base-images Goto Github PK

I believe due to the parallel nature of our build that it's quite easy to encounter 429 Too Many Requests type of errors if multiple builds all push simultaneously. The error looks like:

time="2023-04-20T14:38:37Z" level=debug msg="fetch response received" digest="sha256:702cb5449b90e2a8266de4e8657555f853562299a86db791914c8c4ff546bccd" mediatype=application/vnd.oci.image.index.v1+json response.header.content-length=66 response.header.content-type="application/json; charset=utf-8" response.header.date="Thu, 20 Apr 2023 14:38:37 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.sizes=1609.000000 response.status="429 Too Many Requests" size=1609 spanID=b6092497712d9853 traceID=cbc430f25bc270ed87775f5873240a87 url="https://127178877223.dkr.ecr.us-east-2.amazonaws.com/v2/get-bridge/node/manifests/16-slim"

One solution is to cap the parallelization in the workflow.

• Update github workflow to only push images when code is merged to the "main" branch.(this can be done with some simple if: github.ref == 'refs/heads/main')

Need to modify the build so that (at least on the main branch) the clojure image is able to be built with the java image it depends on. Currently it is built with whatever is available in the registry, which could have changed in the same branch.

We need a way to publish branch tagged images to use in CI.

Currently, if we change an image that another image depends on, the downstream image pulls from the canonical upstream source. This could lead to issues when developing dependent images.

Right now, because core image changes are immediately reflected in all downstream images there's no way to prevent a situation where a tag like -jammy is actually a lunar core image. I think we can repurpose a rake task to generate every tag and then use that to created a build where each image is checked against a known list of core images to ensure a downstream image isn't accidentally upgraded and labelled incorrectly.

Maybe we can repurpose the manifest to be exhaustive check against all tags ever pushed to ECR? That might be paranoid, but it would give a safety net for long term maintenance.

The reason for this issue is that I'm currently unravelling this exact situation manually.

There's a bunch of warning about apt not having a stable API so we should instead use apt-get.

Per the best practices doc, it is recommend we avoid using sudo inside containers:

Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems. If you absolutely need functionality similar to sudo, such as initializing the daemon as root but running it as non-root, consider using “gosu”.

I'm unable to see any obvious hard constraint on requiring sudo in these images so I'm also inclined to remove it.

This will help visibility of available versions on GitHub as well as potentially give a speed boost to CI since their servers are expected to have faster transfer speeds than pulling from AWS ECR.

  proxy | 2023/04/12 18:29:49 [026] GET https://127178877223.dkr.ecr.us-east-2.amazonaws.com:443/v2/get-bridge/java/tags/list
  proxy | 2023/04/12 18:29:49 [026] * authenticating docker ecr request (host: 127178877223.dkr.ecr.us-east-2.amazonaws.com)
  proxy | 2023/04/12 18:29:49 [026] 403 https://127178877223.dkr.ecr.us-east-2.amazonaws.com:443/v2/get-bridge/java/tags/list
updater | 2023/04/12 18:29:49 INFO <job_644081773> Handled error whilst updating get-bridge/java: private_source_authentication_failure {:source=>"127178877223.dkr.ecr.us-east-2.amazonaws.com"}
updater | 2023/04/12 18:29:49 INFO <job_644081773> Finished job processing
updater | 2023/04/12 18:29:49 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------------------------------------------+
updater | |              Dependencies failed to update              |
updater | +-----------------+---------------------------------------+
updater | | get-bridge/java | private_source_authentication_failure |
updater | +-----------------+---------------------------------------+

ref: https://github.com/get-bridge/docker-base-images/network/updates/644081773

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Implement a workflow that fails the build if templates are modified but corresponding rake tasks have not generated the artifacts.

This is already present in the Dockerfile, we should add it to the bake files as well.