
Pipeline: provide a way to rebuild all blubber images
Open, Needs Triage · Public

Description

Currently the CD pipeline rebuilds production images from scratch, not using any layer caching in Docker, so rebuilding all production images for issues in base layers should be as simple as re-triggering the pipeline for an image; however, there is no easy way to trigger a rebuild for all images produced by the pipeline.

Ideally there would be a mechanism by which someone could retrigger a build of all images similar to the way docker-pkg is used currently.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jan 22 2019, 7:11 PM
Joe added a comment. · Jan 23 2019, 8:16 AM

The general idea (specified in some ticket I lost track of, to be added later) for long-term support is:

  • when an image is ready to be published (or is published), we register it with debmonitor (see debmonitor.wikimedia.org), which also collects feedback from clair, so that it can know of the presence of an image, and what's installed in it, at which version
  • Debmonitor will then tell us which images (both coming from docker-pkg and blubber) have vulnerable software versions, and also know a tree of dependencies so that it can re-trigger the build for all of them.

Of course nothing like this is implemented at the moment, but we should get to it before the end of the FY hopefully.

For the time being, you can't just trigger a rebuild of your blubber images - I guess they use a specific tag of their base images, and will need to use the updated one.

Joe edited projects, added serviceops-radar; removed serviceops. · Jun 24 2019, 3:36 PM
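
The flow described in Joe's comment above (an inventory of images and their installed packages, scanner feedback on vulnerable versions, and a dependency tree used to re-trigger builds), sketched as an added example that is not part of the ticket and is not debmonitor's or the pipeline's code. Image names, package versions and the inventory layout are constructed assumptions.

```python
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed inventory (hypothetical layout, not debmonitor's data model):
# image -> (base image or None, {package: version installed by that image's own layer})
INVENTORY = {
    "base-stretch": (None, {"openssl": "1.1.0j", "libc6": "2.24"}),
    "nodejs10": ("base-stretch", {"nodejs": "10.15.0"}),
    "python3": ("base-stretch", {"python3": "3.5.3"}),
    "svc-a": ("nodejs10", {"librsvg2": "2.40.16"}),
    "svc-b": ("python3", {"numpy": "1.12.1"}),
}


def directly_affected(inventory, vulnerable):
    """Images whose own layer installs a (package, version) reported vulnerable."""
    return {img for img, (_, pkgs) in inventory.items()
            if any((name, ver) in vulnerable for name, ver in pkgs.items())}


def rebuild_plan(inventory, vulnerable):
    """Images needing a rebuild, ordered so every base is rebuilt before its children."""
    children = {}
    for img, (base, _) in inventory.items():
        if base is not None:
            if base not in inventory:
                raise ValueError(f"{img} depends on unregistered base {base}")
            children.setdefault(base, set()).add(img)

    # A vulnerable base taints everything built on top of it.
    todo, stack = set(), list(directly_affected(inventory, vulnerable))
    while stack:
        img = stack.pop()
        if img not in todo:
            todo.add(img)
            stack.extend(children.get(img, ()))

    # Order only the affected subgraph; static_order() raises CycleError on a loop.
    sorter = TopologicalSorter()
    for img in sorted(todo):
        base = inventory[img][0]
        sorter.add(img, *([base] if base in todo else []))
    return list(sorter.static_order())


if __name__ == "__main__":
    # Constructed scanner feedback: openssl 1.1.0j in the base layer is flagged.
    print(rebuild_plan(INVENTORY, {("openssl", "1.1.0j")}))
```

Because a child image pins a specific tag of its base, each rebuilt base in the plan would also need its new tag propagated to the children before they are rebuilt.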