
Apply package updates to wikipedialibrary docker images on an ongoing basis
Closed, ResolvedPublic

Description

While troubleshooting an issue with our container registries, I discovered that we aren't updating the system-level software in our docker images on an ongoing basis. We manage our app-defined dependencies via dependabot, but we need to create processes for automatically:

  • pulling updated base images from dockerhub where possible
  • applying security updates to software packages installed in our Dockerfiles
  • bonus points for setting up alerts when we have images with unpatched vulnerabilities and for update process failures

You can see our outdated images here
https://quay.io/organization/wikipedialibrary

Event Timeline

update:

  • pulling updated base images from dockerhub where possible

I've created a new repository to manage our base container images with github actions
https://github.com/WikipediaLibrary/wikipedialibrary_container_image_ops
I still need to add docs to it, but basically my approach here is to have github actions that trigger on commit and on a cron schedule.
The image list is now in a flat file
https://github.com/WikipediaLibrary/wikipedialibrary_container_image_ops/blob/master/data/BASE_IMAGES
so that there will be one place to update our image set and then all of the action steps will run against that set.

For example, our matomo image had never been updated, so I added it to the list, and then it was updated in quay.io very shortly afterwards.


I have already disabled the docker_mirror cron task for TWLight in travis-ci, though I haven't deleted the script there yet. I am waiting to verify that the new repository actions run as scheduled first.
I will also rework the externallinks github action to cease mirroring images too, since they are all covered in the new repo.

I verified that daily actions are mirroring docker.io/library images to quay.io/wikipedialibrary
https://github.com/WikipediaLibrary/wikipedialibrary_container_image_ops/actions

I also deleted dangling image repositories that we were no longer using:
wikipedialibrary/twlight_base
wikipedialibrary/twlight_build

today's update:

I have this working in principle. Images are now also getting package updates applied and then pushed to quay.io with -updated appended to the tag. This seems to mostly not make a difference with our images currently, but then again, we've just gone through and made sure that our docker image updates were coming through as expected. This will mostly be useful if a docker.io parent image becomes unmaintained or if our docker hub pulls stop working again.

I do also need to get updates going for our debian_perl image which we use for static analysis for i18n
https://quay.io/repository/wikipedialibrary/debian_perl

It's kind of a special case, which is why I haven't worried about it yet.

I'll also need to go through and update our Dockerfiles/docker-compose files to use the -updated tags.

Note: the memcached image used in wikilink is getting skipped for updates because it doesn't use the root user.
Otherwise, wikilink is up to snuff now.

I updated hashtags as well.

Merged https://github.com/WikipediaLibrary/TWLight/pull/1011. If there is nothing more to do, we can move this to the Done column.
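The mirror-then-update flow described in this task (flat image list, mirror to quay.io, rebuild with package updates, push with a -updated tag, skip images that don't run as root), as an added example that is not the wikipedialibrary_container_image_ops repo's own code. It assumes the docker CLI, apt-based images, an existing registry login, and the quay.io/wikipedialibrary namespace named in the task.

```shell
#!/usr/bin/env bash
# Added example, not the wikipedialibrary_container_image_ops repo's own code.
# Reads a BASE_IMAGES-style flat file, mirrors each image to the quay.io
# namespace, rebuilds it with OS package updates applied, and pushes the
# result with "-updated" appended to the tag. Assumes the docker CLI,
# Debian/Ubuntu-based images (apt), and a registry login already in place.
set -eu

MIRROR_REGISTRY="${MIRROR_REGISTRY:-quay.io/wikipedialibrary}"

# docker.io/library/debian:bookworm -> quay.io/wikipedialibrary/debian:bookworm
# A bare name such as "memcached" gets the implicit "latest" tag.
mirror_ref() {
  local src="$1" name tag
  name="${src%%:*}"; name="${name##*/}"
  tag="${src##*:}"; [ "$tag" != "$src" ] || tag="latest"
  printf '%s/%s:%s\n' "$MIRROR_REGISTRY" "$name" "$tag"
}

# .../debian:bookworm -> .../debian:bookworm-updated
updated_ref() { printf '%s-updated\n' "$1"; }

# Image refs, one per line; blank lines and "#" comments are ignored.
read_image_list() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Mirror one image and push a package-updated variant of it.
# Images whose default USER is not root are mirrored but not updated, because
# apt cannot run as that user (the memcached case noted in the task).
mirror_and_update() {
  local src="$1" mirror updated user
  mirror="$(mirror_ref "$src")"
  updated="$(updated_ref "$mirror")"
  docker pull "$src"
  docker tag "$src" "$mirror"
  docker push "$mirror"
  user="$(docker image inspect --format '{{.Config.User}}' "$src")"
  case "$user" in
    ""|root|0) ;;
    *) echo "skip $src: runs as '$user', cannot apply package updates" >&2; return 0 ;;
  esac
  # Building FROM the source image keeps its CMD/ENTRYPOINT/USER intact,
  # unlike committing a container in which the upgrade was run by hand.
  docker build -t "$updated" - <<EOF
FROM $src
RUN apt-get update && apt-get -y upgrade && rm -rf /var/lib/apt/lists/*
EOF
  docker push "$updated"
}

# Usage: ./update_images.sh data/BASE_IMAGES  (no arguments: define functions only)
if [ "$#" -gt 0 ]; then
  read_image_list "$1" | while IFS= read -r image; do mirror_and_update "$image"; done
fi
```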