<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">I think we have two topics and improvements here</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">1. images in <a href="https://hub.docker.com/r/kolla/">https://hub.docker.com/r/kolla/</a></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">2. tag in end-user env.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"># images in <a href="http://hub.docker.com">hub.docker.com</a></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">we are building kolla tag image and push them into <a href="http://hub.docker.com">hub.docker.com</a>. After this,</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">we do nothing for these images.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">The issue is</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">1. any security update is not included in these images.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   solution: I do not think use 4.0.0-1 4.0.0-2 in <a href="http://hub.docker.com">hub.docker.com</a> is a good idea.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   if so, we need mark what 4.0.0-1 container and what's the difference with 4.0.0-2.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   This will make another chaos. </div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   And any prod env shouldn't depend on <a href="http://hub.docker.com">hub.docker.com</a>'s images, which is vulnerable </div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   to attack and is mutable. </div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   </div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">2. branch images are not pushed.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   solution: we can add a job to push branch images into <a href="http://hub.docker.com">hub.docker.com</a> like inc0</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   said. For example:</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">       centos-source-nova-api:4.0.0</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">       centos-source-nova-api:ocata</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">       centos-source-nova-api:pike</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">       centos-source-nova-api:master<br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   But branch tag images is not stable ( even its name is stable/ocata ), users are</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   not recommended to use these images </div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"># images in end-user env</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">I recommended end user should build its own image rather then use <a href="http://hub.docker.com">hub.docker.com</a> directly.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">in my env, I build images with following tag rule.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">when using 4.0.0 to build multi time, i use different tag name. For example</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   1st: 4.0.0.1</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   2nd: 4.0.0.2</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   3rd: 4.0.0.3</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">   ...</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">The advantage in this way is: keep each tag as immutable ( never override )</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 18, 2017 at 6:46 AM, Steve Baker <span dir="ltr"><<a href="mailto:sbaker@redhat.com" target="_blank">sbaker@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Tue, Apr 18, 2017 at 9:57 AM, Doug Hellmann <span dir="ltr"><<a href="mailto:doug@doughellmann.com" target="_blank">doug@doughellmann.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Excerpts from Michał Jastrzębski's message of 2017-04-12 15:59:34 -0700:<br>
<span class="m_4179256523659068535gmail-">> My dear Kollegues,<br>
><br>
> Today we had discussion about how to properly name/tag images being<br>
> pushed to dockerhub. That moved towards general discussion on revision<br>
> mgmt.<br>
><br>
> Problem we're trying to solve is this:<br>
> If you build/push images today, your tag is 4.0<br>
> if you do it tomorrow, it's still 4.0, and will keep being 4.0 until<br>
> we tag new release.<br>
><br>
> But image built today is not equal to image built tomorrow, so we<br>
> would like something like 4.0.0-1, 4.0.0-2.<br>
> While we can reasonably detect history of revisions in dockerhub,<br>
> local env will be extremely hard to do.<br>
><br>
> I'd like to ask you for opinions on desired behavior and how we want<br>
> to deal with revision management in general.<br>
><br>
> Cheers,<br>
> Michal<br>
><br>
<br>
</span>What's in the images, kolla? Other OpenStack components? </blockquote><div><br></div></span><div>Yes, each image will typically contain all software required for one OpenStack service, including dependencies from OpenStack projects or the base OS. Installed via some combination of git, pip, rpm, deb. </div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Where does the<br>
4.0.0 come from?<br><br></blockquote><div><br></div></span><div>Its the python version string from the kolla project itself, so ultimately I think pbr. I'm suggesting that we switch to using the version.release_string[1] which will tag with the longer version we use for other dev packages.</div><div><br></div><div>[1]<a href="https://review.openstack.org/#/c/448380/1/kolla/common/config.py" target="_blank">https://review.openstack.<wbr>org/#/c/448380/1/kolla/common/<wbr>config.py</a> </div></div><br></div></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</div>