docker

Drew Verlee 2022-08-16T15:35:35.511719Z

i'm looking at clojure docker images and realizing how much i just trust things to work and be safe. I'm noticing that lots of clojure images are provided by the user https://hub.docker.com/u/doijanky which by url seems to be a jenkins program. Anyone know who or what group backs this effort?

Drew Verlee 2022-08-16T15:36:14.259559Z

I can't figure out anything from the https://doi-janky.infosiftr.net/ that's linked

cap10morgan 2022-08-16T15:38:27.861509Z

I don't, but I will say that sticking to the official clojure images is a good way to ensure you are dealing with known quantities. our code, pipelines, etc. are open and auditable and docker hub does a lot of vetting on our images. if there's anything you need that you're finding cumbersome to do with them, feel free to open an issue here: https://github.com/Quantisan/docker-clojure

cap10morgan 2022-08-16T15:38:44.170309Z

(I'm one of the maintainers of these images)

Drew Verlee 2022-08-16T15:38:51.657379Z

what makes something "official" though?

cap10morgan 2022-08-16T15:39:12.463149Z

https://docs.docker.com/docker-hub/official_images/

👀 1
Drew Verlee 2022-08-16T15:47:30.678199Z

I searched the "official" docker images by "tag" they seem to all be by that user. I'm not saying that's an issue...

Drew Verlee 2022-08-16T15:48:34.898899Z

weird the tag search might be a wider search than the context of the "docker official image" ?

cap10morgan 2022-08-16T15:48:52.791129Z

These images are the official ones: https://hub.docker.com/_/clojure

cap10morgan 2022-08-16T15:49:58.198049Z

Oh you know what, that might be the Jenkins user that pushes from the official Docker CI pipeline

cap10morgan 2022-08-16T15:50:23.344469Z

I can confirm in a bit. Need to take my kid home from the oral surgeon first.

Drew Verlee 2022-08-16T15:51:26.741359Z

thanks 🙂 yea, that's what i'm guessing. It's just hard to figure out what's going on there and it's nice to have at least a thin blanket of understanding.

cap10morgan 2022-08-16T15:57:11.887279Z

For sure. I have remarked to myself in the past they push with an account name that doesn't scream “official Docker business” but don't recall off the top of my head if that's the one or not.

👍 1
Drew Verlee 2022-08-16T16:10:17.003599Z

TY for your effort here on these images, i have no idea what i would be doing without them!

cap10morgan 2022-08-16T16:27:03.464479Z

Sure thing! I rely on them heavily too. :)

cap10morgan 2022-08-16T16:28:57.142939Z

Yeah that's them. The “doi” at the beginning stands for Docker Official Images I believe. Not the most transparent choice haha…

Drew Verlee 2022-08-16T18:47:43.856549Z

How would i go about making sure i get the same docker image each time given a FROM clojure:tools-deps-alpine declaration? Do i need to copy image in a private repo and pull from it?

lukasz 2022-08-16T19:12:52.618269Z

Yes, create your own image and push to your own repo, tag appropriately and don't touch it

👍 1
Drew Verlee 2022-08-16T19:13:52.524059Z

Thanks!

cap10morgan 2022-08-16T19:23:12.207879Z

you probably don't really want that. instead, use as specific a tag as you depend on (e.g. build tool version) and then o/w update from upstream regularly. o/w you're just sitting on security vulns we've pushed fixes for.

Drew Verlee 2022-08-16T19:29:17.511059Z

in FROM clojure:tools-deps-alpine the tag is tools-deps-alpine? The image is what is built from the dockerfile that uses that FROM function, and that's what is tagged and we can rely on to be the same. If we rebuild and re-tag would we expect things in tools-deps-alpine to have changed? If so, how much? i would assume it would always have tools-deps and alpine but for everything else to be updated, is that right?

cap10morgan 2022-08-16T19:30:08.005799Z

yes, the tag comes after the colon (except for when docker refers to the whole thing as a tag just to be confusing)

cap10morgan 2022-08-16T19:30:42.677419Z

the upstream images won't change on your machines until / unless you do another explicit docker pull

👍 1
cap10morgan 2022-08-16T19:30:49.372379Z

but you should do those regularly

👍 1
cap10morgan 2022-08-16T19:33:11.716299Z

for anything that you want to manually update (b/c e.g. it might break your app in prod if a node silently pulls a newer image), you can specify any or all of the temurin (jdk) version, the ubuntu version, the build tool and version, and whether or not it's using the alpine variant.

Drew Verlee 2022-08-16T19:35:09.492639Z

that makes sense. Somewhat unrelated question, which jdk (open, oracle, temurin) do you prefer? I get the impression it doesn't matter very much for most use cases.

cap10morgan 2022-08-16T19:35:30.353589Z

so for example, if you just have FROM clojure:tools-deps and you build that today w/o an existing clojure:tools-deps image on your machine, it will pull down an image equivalent to clojure:temurin-17-tools-deps-1.11.1.1149-jammy

cap10morgan 2022-08-16T19:35:57.635829Z

so you can specify that full tag if you want to be in charge of when any of those values change. o/w they will change from pull to pull.

cap10morgan 2022-08-16T19:36:30.290519Z

but even fully-specified tags will get security patches and what not (assuming they're still supported like temurin but not openjdk)

cap10morgan 2022-08-16T19:37:17.254599Z

temurin is currently the one and only supported jdk in these images

cap10morgan 2022-08-16T19:37:39.820339Z

the older openjdk variants are EOL'd and for supporting existing installations only

cap10morgan 2022-08-16T19:38:17.786329Z

and so, consequently, if you don't specify a jdk, you'll get temurin-17 (17 b/c that's the current Java LTS release)

👍 1
lukasz 2022-08-16T20:33:13.475519Z

Yeah, I didn't clarify that - what you push to your own repo should remain frozen, and it will be based on whatever original tag you based your image on

lukasz 2022-08-16T20:33:23.349759Z

that's exactly how we locked our base image with specific JDK, baked-in support libraries etc etc