build: use debian:buster as base images, non-reproducible builds #751
Conversation
|
I have already disabled the automated release update job in Jenkins. |
pohly
force-pushed
the
debian
branch
4 times, most recently
from
1274504 to
f4bb77a
Compare
The frequent updates of Clear Linux have been a problem, typically leading to new PMEM-CSI releases for no good reason other than "there might have been a bug fix". Debian is expected to update less frequently. We also no longer update automatically. The approach taken for that is to use the latest release as base, whatever that is. In other words, we no longer offer reproducible releases because there is no way to lock down exactly which files are taken from the upstream distro. Each release is only built once, so the binary content is still locked down at build time - we just don't record in the source code what exactly that binary content is. In practice that should be good enough. Compared to Clear Linux, the approach for disabling usage of udev has changed a bit. use_lvmetad is no longer a valid configuration option.
| # fio - only included in testing images | ||
| RUN ${APT_GET} update && \ | ||
| ${APT_GET} upgrade -y --no-install-recommends && \ | ||
| ${APT_GET} install -y --no-install-recommends file xfsprogs e2fsprogs lvm2 ndctl \ |
There was a problem hiding this comment.
So, now on we no longer building ndctl from the source.
There was a problem hiding this comment.
Correct. It makes our bill of materials and Dockerfile simpler. I don't think we ever really needed the ability to build a newer version than the one offered by the distro, and as ndctl is even more mature now I don't expect that either.
|
not many "clear" mentioned any more after change, but there is still (in Jenkinsfile) BUILD_IMAGE composed from |
Kind of. By keeping the name we can overwrite the existing images. Not sure how important that is, though. |
The frequent updates of Clear Linux have been a problem, typically
leading to new PMEM-CSI releases for no good reason other than "there
might have been a bug fix". Debian is expected to update less
frequently. We also no longer update automatically.
The approach taken for that is to use the latest release as base,
whatever that is. In other words, we no longer offer reproducible
releases because there is no way to lock down exactly which files are
taken from the upstream distro. Each release is only built once, so
the binary content is still locked down at build time - we just don't
record in the source code what exactly that binary content is. In
practice that should be good enough.
Compared to Clear Linux, the approach for disabling usage of udev has
changed a bit. use_lvmetad is no longer a valid configuration option.