[openstack-dev] [tc][infra][release][security][stable][kolla][loci][tripleo][docker][kubernetes] do we want to be publishing binary container images?
Thierry Carrez
thierry at openstack.org
Wed May 17 10:19:22 UTC 2017
Sean Dague wrote:
> On 05/16/2017 02:39 PM, Doug Hellmann wrote:
>> Excerpts from Michał Jastrzębski's message of 2017-05-16 09:51:00 -0700:
>>> One thing I struggle with is...well...how does *not having* built
>>> containers help with that? If your company have full time security
>>> team, they can check our containers prior to deployment. If your
>>> company doesn't, then building locally will be subject to same risks
>>> as downloading from dockerhub. Difference is, dockerhub containers
>>> were tested in our CI to extend that our CI allows. No matter whether
>>> or not you have your own security team, local CI, staging env, that
>>> will be just a little bit of testing on top of that which you get for
>>> free, and I think that's value enough for users to push for this.
>>
>> The benefit of not building images ourselves is that we are clearly
>> communicating that the responsibility for maintaining the images
>> falls on whoever *does* build them. There can be no question in any
>> user's mind that the community somehow needs to maintain the content
>> of the images for them, just because we're publishing new images
>> at some regular cadence.
>
> +1. It is really easy to think that saying "don't use this in
> production" prevents people from using it in production. See: User
> Survey 2017 and the number of folks reporting DevStack as their
> production deployment tool.
>
> We need to not only manage artifacts, but expectations. And with all the
> confusion of projects in the openstack git namespace being officially
> blessed openstack projects over the past few years, I can't imagine
> people not thinking that openstack infra generated content in dockerhub
> is officially supported content.
I totally agree, although I think daily rebuilds / per-commit rebuilds,
together with a properly named repository, might limit expectations
enough to remove the "supported" part of your sentence.
As a parallel, we refresh per-commit a Nova master source code tarball
(nova-master.tar.gz). If a vulnerability is introduced in master but was
never "released" with a version number, we silently fix it in master (no
OSSA advisory published). People tracking master are supposed to be
continuously tracking master.
Back to container image world, if we refresh those images daily and they
are not versioned or archived (basically you can only use the latest and
can't really access past dailies), I think we'd be in a similar situation ?
--
Thierry Carrez (ttx)
More information about the OpenStack-dev
mailing list