Hi,
What
I'd like to propose adding a new check - Docker images published by monitored projects must be multi-arch!
By multi-arch I think that amd64 and arm64 should be mandatory! ppc64le, s390x and other architectures are nice to have!
How
The (optional) fully qualified name of Docker image(s) will be added to the YAML files at https://github.com/cncf/clomonitor/blob/main/data/ for the projects which publish such.
The new check may use DockerHub REST APIs to get the manifest.
If the REST API cannot be used for some reason (e.g. the project publishes at an alternative Docker registry) then the new check may use docker-inspect (or podman-inspect) to list the supported architectures, but this requires docker pulling the image locally!
Why
Many projects still provide amd64 (x86_64) only images.
But ARM64 is more and more used both for server deployments (most cloud providers provide ARM64 VMs) and for development (Apple M1/M2/M3 and some Linux laptops).
I understand that most of the other available checks work with the contents of the (Git) repository, e.g. check that a specific content is provided in a specific file.
The proposed new check would work with "an external resource" (the Docker image/manifest), so it is similar to the Scoreboard based checks, more specifically to the signed_release check.
What do you think ?
I am willing to work on this new check if the community approves the idea !
Hi,
What
I'd like to propose adding a new check - Docker images published by monitored projects must be multi-arch!
By multi-arch I think that
amd64andarm64should be mandatory!ppc64le,s390xand other architectures are nice to have!How
The (optional) fully qualified name of Docker image(s) will be added to the YAML files at https://github.com/cncf/clomonitor/blob/main/data/ for the projects which publish such.
The new check may use DockerHub REST APIs to get the manifest.
If the REST API cannot be used for some reason (e.g. the project publishes at an alternative Docker registry) then the new check may use
docker-inspect(orpodman-inspect) to list the supported architectures, but this requiresdocker pulling the image locally!Why
Many projects still provide
amd64(x86_64) only images.But ARM64 is more and more used both for server deployments (most cloud providers provide ARM64 VMs) and for development (Apple M1/M2/M3 and some Linux laptops).
I understand that most of the other available checks work with the contents of the (Git) repository, e.g. check that a specific content is provided in a specific file.
The proposed new check would work with "an external resource" (the Docker image/manifest), so it is similar to the Scoreboard based checks, more specifically to the
signed_releasecheck.What do you think ?
I am willing to work on this new check if the community approves the idea !