We have multiple issues regarding metadata from our Docker images:
- There was an incident a little while back where we were looking for the source git repo for a container, which turned out to be word-of-mouth information
- We can't know (without looking at multiple sources) which images are based off of each other, which makes dependency tracking hard
- Image build date and time is usually derived from the image label, which is not ideal (as it is not enforced)
- We don't know the base OS of which an image is composed (it might be part of the tag, else we need to inspect image contents)
The above problems can be addressed by adding annotations/labels to the images during their build process:
https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
This would have to be implemented in:
- build-base-images/build-bare-slim.sh
- docker-pkg
- blubber
Knowing the OS versions of images would also allow us to:
- reliably prune outdated images when they are EOLed (e.g. for T335333)
- exclude EOLed images in the docker-reporter and docker image builds (T335282)
- reliably exclude the handful of Alpine-based images we use in docker-reporter (which are currently excluded by a heuristic based on the image name)
- provide the ability to sort based on OS versions on Debmonitor
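
One way to enforce the labels once the build tools set them, as an added example (not code from docker-pkg, blubber or the build scripts): an audit over `docker image inspect` JSON that reports which images lack the metadata listed above. The OS label key `org.example.image.os-release` is a hypothetical placeholder, because the OCI pre-defined keys include none for the base OS; the sha256-only digest check is an assumption, and the sample data is constructed.

```python
import json
import re
from datetime import datetime

# ASSUMPTION: hypothetical key; the OCI pre-defined annotations have none for the base OS.
OS_KEY = "org.example.image.os-release"
# Pre-defined OCI annotation keys, one per metadata gap, plus the OS key.
REQUIRED = {
    "org.opencontainers.image.source": "source git repo",
    "org.opencontainers.image.base.name": "parent image reference",
    "org.opencontainers.image.base.digest": "parent image digest",
    "org.opencontainers.image.created": "build date and time",
    OS_KEY: "base OS",
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # ASSUMPTION: sha256 digests only

def audit_labels(labels):
    """Return a sorted list of problems for one image's label dict."""
    labels = labels or {}  # docker reports "Labels": null when none are set
    problems = [f"missing {k} ({why})" for k, why in REQUIRED.items() if not labels.get(k)]
    created = labels.get("org.opencontainers.image.created")
    if created:
        try:
            # Spec requires RFC 3339; older Pythons need "+00:00" rather than "Z".
            if datetime.fromisoformat(created.replace("Z", "+00:00")).tzinfo is None:
                problems.append("created has no UTC offset")
        except ValueError:
            problems.append("created is not an RFC 3339 timestamp")
    digest = labels.get("org.opencontainers.image.base.digest")
    if digest and not DIGEST_RE.match(digest):
        problems.append("base.digest is not a sha256 digest")
    return sorted(problems)

def audit_inspect_output(inspect_json):
    """Map each image in `docker image inspect` JSON output to its problems."""
    report = {}
    for image in json.loads(inspect_json):
        name = (image.get("RepoTags") or [image.get("Id", "<unknown>")])[0]
        report[name] = audit_labels((image.get("Config") or {}).get("Labels"))
    return report

# Constructed sample of `docker image inspect` output; every value is made up.
GOOD = {"org.opencontainers.image.source": "https://git.example/repo",
        "org.opencontainers.image.base.name": "registry.example/base:latest",
        "org.opencontainers.image.base.digest": "sha256:" + "a" * 64,
        "org.opencontainers.image.created": "2023-05-01T12:00:00Z", OS_KEY: "debian-12"}
SAMPLE = json.dumps([{"RepoTags": ["registry.example/good:1"], "Config": {"Labels": GOOD}},
                     {"RepoTags": ["registry.example/legacy:1"], "Config": {"Labels": None}}])
```

Running `audit_inspect_output` in CI or in a registry sweep turns the labels from a convention into something enforced, which is the gap noted for the build date.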