From 686245b87691d256f25d326c22a0935764fe15a2 Mon Sep 17 00:00:00 2001
From: Matt Matejczyk
Date: Wed, 23 Oct 2019 13:33:32 +0200
Subject: [PATCH] Fix base image discrepancy when building kubemark.

There are two ways of building kubemark: 1) via Dockerfile and 2) via bazel. In CI/CD tests we use the 1) way and use debian:jessie as the base image. But if you build kubemark via bazel it will use the discouraged busybox base image. This PR fixes that by using debian:jessie everywehre and pinning exact sha version to make the kubemark image hermetic.
---
 build/root/WORKSPACE | 8 ++++----
 cluster/images/kubemark/BUILD | 2 +-
 cluster/images/kubemark/Dockerfile | 4 +++-
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/build/root/WORKSPACE b/build/root/WORKSPACE
index cf2e0164993..7e0457a1630 100644
--- a/build/root/WORKSPACE
+++ b/build/root/WORKSPACE
@@ -73,11 +73,11 @@ container_repositories()
 load("@io_bazel_rules_docker//container:container.bzl", "container_pull")
 
 container_pull(
- name = "official_busybox",
- digest = "sha256:5e8e0509e829bb8f990249135a36e81a3ecbe94294e7a185cc14616e5fad96bd",
+ name = "debian_jessie",
+ digest = "sha256:e25703ee6ab5b2fac31510323d959cdae31eebdf48e88891c549e55b25ad7e94",
  registry = "index.docker.io",
- repository = "library/busybox",
- tag = "latest", # ignored, but kept here for documentation
+ repository = "library/debian",
+ tag = "jessie", # ignored when digest provided, but kept here for documentation.
 )
 
 load("//build:workspace.bzl", "release_dependencies")
diff --git a/cluster/images/kubemark/BUILD b/cluster/images/kubemark/BUILD
index b1eebb5542c..965bdc3fa9d 100644
--- a/cluster/images/kubemark/BUILD
+++ b/cluster/images/kubemark/BUILD
@@ -4,7 +4,7 @@ load("@io_bazel_rules_docker//container:container.bzl", "container_image", "cont
 
 container_image(
  name = "image",
- base = "@official_busybox//image",
+ base = "@debian_jessie//image",
  entrypoint = ["/kubemark"],
  files = ["//cmd/kubemark"],
  stamp = True,
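Review bot: The digest added to `container_pull` in build/root/WORKSPACE is duplicated in the `FROM` line of cluster/images/kubemark/Dockerfile, and the only thing tying the two copies together is a comment on the Dockerfile side. I would add the mirror-image comment above `name = "debian_jessie",`, for example `# Keep this digest in sync with cluster/images/kubemark/Dockerfile.`, and ideally a presubmit check that compares the two values, because a one-sided bump would silently bring back the Dockerfile/bazel discrepancy this commit removes. Pinning by digest also freezes the base image at the patch level it had when the digest was taken, so Debian security fixes reach kubemark only when someone refreshes the SHA; it would help to note who owns that refresh and how often it should happen.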
diff --git a/cluster/images/kubemark/Dockerfile b/cluster/images/kubemark/Dockerfile
index fb4f2873537..9c0b119667e 100644
--- a/cluster/images/kubemark/Dockerfile
+++ b/cluster/images/kubemark/Dockerfile
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM debian:jessie
+# The line below points to debian:jessie as of 2019-10-23. The SHA should be
+# kept in sycn with debian_jessie definition in the WORKSPACE file.
+FROM debian@sha256:e25703ee6ab5b2fac31510323d959cdae31eebdf48e88891c549e55b25ad7e94
 
 COPY kubemark /kubemark
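Review bot: The new `FROM debian@sha256:…` line drops the release name from the image reference, so the only record of which Debian release the digest belongs to is the comment above it. Docker accepts a tag together with a digest, so `FROM debian:jessie@sha256:e25703ee6ab5b2fac31510323d959cdae31eebdf48e88891c549e55b25ad7e94` would keep the reference self-describing, in the same way WORKSPACE keeps `tag = "jessie"` for documentation. The added comment has a typo, `sycn` for `sync`. Because the digest fixes the image at its 2019-10-23 state, the comment could also say that later Debian security updates are picked up only by bumping the SHA here and in WORKSPACE together.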