Cloud/Cloud RFC Docker Trusted Images Rebuild Policy

From FedoraProject

RFC: Rebuild Policy for Fedora Docker Trusted Images

This is a draft document to establish a policy for rebuilding the Fedora Docker Images that are available for download via The Docker Hub.

Rationale:

We have the ability to "respin" Fedora's Docker images when packages are updated, but need to determine a policy for what package updates trigger a rebuild. Fedora does not update its ISO images between release cycles, but instead depends on users to use update tools to bring Fedora up to date once an installation is finished.

However, users are going to interact with Docker images somewhat differently than a traditional system. We should assume that users will not be using "yum update" or other tools to keep an image updated.

To put it another way, when a user/developer does "docker pull fedora" they will assume that the image is ready to use and does not require a round of updates before it is usable to deploy/work with. At present, the Fedora "official" image requires 18 packages to be updated with approximately 11MB of data to be downloaded. (As of this writing [1] the package set that requires an update is minimal, and the actual image is about 4 months old.)

Stable Releases Only:

This policy applies to stable releases only. Release/rebuild policy for rawhide, pre-beta, alpha, beta, and release candidate images is not affected by this policy.

Rebuild Policy (F21 Cycle):

For the first official cycle, we should support a regular release cadence, supplemented by a rebuild if there are any security updates that affect the Fedora Docker package set. (See Appendix B, currently, though this set may change slightly for F21.)

Release Cadence:

For the Fedora 21 cycle, the official Docker image will be rebuilt on a monthly cycle to pull in all updates to packages that compose the image.

Further, any security updates to packages in the official image will trigger a rebuild, regardless of the length of time since the last rebuild.

In the event of a security update, all packages with updates pending will be included - regardless of whether they're updated for a security fix or not.

If no packages are pending updates, no rebuild will be required.

Example:

Two weeks after Fedora 21 is released, 10 packages in the set have pending updates, but none of the pending updates are security related - there will be no rebuild. Two weeks and one day after the release, the curl package receives a security update.

The curl update will trigger a rebuild, and all 11 packages that have pending updates will be included.

After the security rebuild, four more packages in the package set receive updates. These will be rolled up into the monthly update.
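
The rebuild rule and the example above can be expressed as a small decision function. This is an added sketch, not code from the Fedora project: the names `rebuild_decision` and `PendingUpdate`, the 30-day reading of "monthly" (counted from the last rebuild), the dates, and the choice of which packages have pending updates are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: "monthly" is modelled as 30 days since the last rebuild.
MONTHLY_CADENCE = timedelta(days=30)

@dataclass(frozen=True)
class PendingUpdate:
    package: str    # package name as it appears in the image package set
    security: bool  # True when the update is flagged as a security fix

def rebuild_decision(image_packages, pending, last_build, today):
    """Apply the draft policy; return (rebuild, reason, packages_to_include)."""
    # Only updates to packages that are actually in the image count.
    relevant = [u for u in pending if u.package in image_packages]
    names = sorted({u.package for u in relevant})
    if not names:
        return (False, "no pending updates", [])
    if any(u.security for u in relevant):
        # A security fix triggers a rebuild and pulls in every pending update.
        return (True, "security update", names)
    if today - last_build >= MONTHLY_CADENCE:
        return (True, "monthly cadence", names)
    return (False, "waiting for monthly rebuild", [])

def replay_page_example():
    """Replay the page's Example section with constructed dates and package picks."""
    image = {"bash", "curl", "gnupg2", "krb5-libs", "libtasn1", "man-db", "openldap",
             "pcre", "python-six", "readline", "systemd", "tar", "sed", "gzip", "xz"}
    release = date(2015, 1, 1)  # constructed date, stands in for the F21 release
    ten = [PendingUpdate(p, False) for p in sorted(image - {"curl", "tar", "sed", "gzip", "xz"})]
    day14 = rebuild_decision(image, ten, release, release + timedelta(days=14))
    with_curl = ten + [PendingUpdate("curl", True)]
    day15 = rebuild_decision(image, with_curl, release, release + timedelta(days=15))
    rebuilt = release + timedelta(days=15)
    four = [PendingUpdate(p, False) for p in ("tar", "sed", "gzip", "xz")]
    day20 = rebuild_decision(image, four, rebuilt, release + timedelta(days=20))
    day45 = rebuild_decision(image, four, rebuilt, rebuilt + MONTHLY_CADENCE)
    return day14, day15, day20, day45

if __name__ == "__main__":
    for step in replay_page_example():
        print(step)
```

A security update to a package that is not part of the image package set does not trigger a rebuild in this sketch, which matches the policy's wording "packages in the official image".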

Supported Layered Images

The CWG may choose to support some of the layered images (see list of Dockerfiles on GitHub), and these may require additional policy. However, we have not yet established which images we support beyond the base Fedora image.

Re-Evaluate

Fedora 21 will be the first cycle with an "official" Docker image for Fedora. We should plan to re-evaluate this policy by the time Fedora 22 is in alpha, and decide whether it's working for end users and an acceptable workload for the groups in Fedora that support the Docker image.

Appendix A: Footnote 1

This is the package set that would require an update as of 18 August 2014. The Fedora Docker image was updated / created 4 weeks ago according to the Docker data.

bash
curl
gnupg2
krb5-libs
libcurl
libtasn1
man-db
openldap
openssh
openssh-clients
openssl-libs
p11-kit
p11-kit-trust
pcre
python-six
readline
systemd
systemd-libs

Appendix B: Current set of Packages in the Fedora Docker Image

acl-2.2.52-4.fc20.x86_64
audit-libs-2.3.7-1.fc20.x86_64
basesystem-10.0-9.fc20.noarch
bash-4.2.47-2.fc20.x86_64
bzip2-libs-1.0.6-9.fc20.x86_64
ca-certificates-2013.1.97-1.fc20.noarch
chkconfig-1.3.60-4.fc20.x86_64
coreutils-8.21-21.fc20.x86_64
cpio-2.11-25.fc20.x86_64
cracklib-2.9.0-5.fc20.x86_64
cracklib-dicts-2.9.0-5.fc20.x86_64
cronie-1.4.11-4.fc20.x86_64
cronie-noanacron-1.4.11-4.fc20.x86_64
crontabs-1.11-7.20130830git.fc20.noarch
cryptsetup-libs-1.6.4-1.fc20.x86_64
curl-7.32.0-11.fc20.x86_64
cyrus-sasl-lib-2.1.26-14.fc20.x86_64
dbus-1.6.12-9.fc20.x86_64
dbus-libs-1.6.12-9.fc20.x86_64
device-mapper-1.02.85-1.fc20.x86_64
device-mapper-libs-1.02.85-1.fc20.x86_64
diffutils-3.3-4.fc20.x86_64
dracut-037-11.git20140402.fc20.x86_64
dracut-config-rescue-037-11.git20140402.fc20.x86_64
dtc-1.4.0-2.fc20.x86_64
elfutils-libelf-0.158-4.fc20.x86_64
expat-2.1.0-7.fc20.x86_64
fedora-release-20-3.noarch
file-libs-5.19-1.fc20.x86_64
filesystem-3.2-19.fc20.x86_64
findutils-4.5.11-4.fc20.x86_64
fipscheck-1.4.1-2.fc20.x86_64
fipscheck-lib-1.4.1-2.fc20.x86_64
gawk-4.1.0-3.fc20.x86_64
gdbm-1.10-7.fc20.x86_64
glib2-2.38.2-2.fc20.x86_64
glibc-2.18-12.fc20.x86_64
glibc-common-2.18-12.fc20.x86_64
gmp-5.1.2-2.fc20.x86_64
gnupg2-2.0.24-1.fc20.x86_64
gpgme-1.3.2-4.fc20.x86_64
grep-2.18-1.fc20.x86_64
groff-base-1.22.2-8.fc20.x86_64
gzip-1.6-2.fc20.x86_64
hardlink-1.0-18.fc20.x86_64
hostname-3.13-2.fc20.x86_64
info-5.1-4.fc20.x86_64
initscripts-9.51-2.fc20.x86_64
iproute-3.14.0-2.fc20.x86_64
iptables-1.4.19.1-1.fc20.x86_64
iputils-20140519-1.fc20.x86_64
keyutils-libs-1.5.9-1.fc20.x86_64
kmod-15-1.fc20.x86_64
kmod-libs-15-1.fc20.x86_64
kpartx-0.4.9-56.fc20.x86_64
krb5-libs-1.11.5-5.fc20.x86_64
less-458-7.fc20.x86_64
libacl-2.2.52-4.fc20.x86_64
libassuan-2.1.0-2.fc20.x86_64
libattr-2.4.47-3.fc20.x86_64
libblkid-2.24.2-1.fc20.x86_64
libcap-2.22-7.fc20.x86_64
libcap-ng-0.7.4-1.fc20.x86_64
libcom_err-1.42.8-3.fc20.x86_64
libcurl-7.32.0-11.fc20.x86_64
libdb-5.3.28-1.fc20.x86_64
libdb-utils-5.3.28-1.fc20.x86_64
libedit-3.1-2.20130601cvs.fc20.x86_64
libffi-3.0.13-5.fc20.x86_64
libgcc-4.8.3-1.fc20.x86_64
libgcrypt-1.5.3-2.fc20.x86_64
libgpg-error-1.12-1.fc20.x86_64
libidn-1.28-2.fc20.x86_64
libmetalink-0.1.2-4.fc20.x86_64
libmount-2.24.2-1.fc20.x86_64
libpipeline-1.2.4-2.fc20.x86_64
libpwquality-1.2.3-1.fc20.x86_64
libselinux-2.2.1-6.fc20.x86_64
libsemanage-2.1.10-14.fc20.x86_64
libsepol-2.1.9-2.fc20.x86_64
libssh2-1.4.3-9.fc20.x86_64
libstdc++-4.8.3-1.fc20.x86_64
libtasn1-3.6-1.fc20.x86_64
libuser-0.60-3.fc20.x86_64
libutempter-1.1.6-3.fc20.x86_64
libuuid-2.24.2-1.fc20.x86_64
libverto-0.2.5-3.fc20.x86_64
libxml2-2.9.1-2.fc20.x86_64
linux-atm-libs-2.5.1-8.fc20.x86_64
lua-5.2.2-5.fc20.x86_64
man-db-2.6.5-2.fc20.x86_64
ncurses-5.9-12.20130511.fc20.x86_64
ncurses-base-5.9-12.20130511.fc20.noarch
ncurses-libs-5.9-12.20130511.fc20.x86_64
nspr-4.10.6-1.fc20.x86_64
nss-3.16.2-1.fc20.x86_64
nss-softokn-3.16.2-1.fc20.x86_64
nss-softokn-freebl-3.16.2-1.fc20.x86_64
nss-sysinit-3.16.2-1.fc20.x86_64
nss-tools-3.16.2-1.fc20.x86_64
nss-util-3.16.2-1.fc20.x86_64
openldap-2.4.39-3.fc20.x86_64
openssh-6.4p1-4.fc20.x86_64
openssh-clients-6.4p1-4.fc20.x86_64
openssl-libs-1.0.1e-38.fc20.x86_64
p11-kit-0.20.2-1.fc20.x86_64
p11-kit-trust-0.20.2-1.fc20.x86_64
pam-1.1.8-1.fc20.x86_64
passwd-0.79-2.fc20.x86_64
pcre-8.33-5.fc20.x86_64
pinentry-0.8.1-11.fc20.x86_64
pkgconfig-0.28-3.fc20.x86_64
popt-1.16-2.fc20.x86_64
procps-ng-3.3.8-17.fc20.x86_64
pth-2.0.7-21.fc20.x86_64
pygpgme-0.3-8.fc20.x86_64
pyliblzma-0.5.3-10.fc20.x86_64
python-2.7.5-13.fc20.x86_64
python-iniparse-0.4-9.fc20.noarch
python-libs-2.7.5-13.fc20.x86_64
python-pycurl-7.19.3-1.fc20.x86_64
python-six-1.6.1-1.fc20.noarch
python-urlgrabber-3.10.1-0.fc20.noarch
pyxattr-0.5.1-4.fc20.x86_64
qrencode-libs-3.4.2-1.fc20.x86_64
readline-6.2-8.fc20.x86_64
rootfiles-8.1-16.fc20.noarch
rpm-4.11.2-2.fc20.x86_64
rpm-build-libs-4.11.2-2.fc20.x86_64
rpm-libs-4.11.2-2.fc20.x86_64
rpm-python-4.11.2-2.fc20.x86_64
rsync-3.1.0-5.fc20.x86_64
sed-4.2.2-6.fc20.x86_64
setup-2.8.71-2.fc20.noarch
shadow-utils-4.1.5.1-8.fc20.x86_64
shared-mime-info-1.2-7.fc20.x86_64
sqlite-3.8.5-1.fc20.x86_64
sudo-1.8.8-1.fc20.x86_64
systemd-208-19.fc20.x86_64
systemd-libs-208-19.fc20.x86_64
sysvinit-tools-2.88-14.dsf.fc20.x86_64
tar-1.26-31.fc20.x86_64
tcp_wrappers-libs-7.6-76.fc20.x86_64
tzdata-2014e-1.fc20.noarch
uboot-tools-2013.10-3.fc20.x86_64
ustr-1.0.4-15.fc20.x86_64
util-linux-2.24.2-1.fc20.x86_64
vim-minimal-7.4.179-1.fc20.x86_64
xz-5.1.2-12alpha.fc20.x86_64
xz-libs-5.1.2-12alpha.fc20.x86_64
yum-3.4.3-152.fc20.noarch
yum-metadata-parser-1.1.4-9.fc20.x86_64
zlib-1.2.8-3.fc20.x86_64