packaging: reproducible Docker images #10350

Open
@axw

Description

At the moment we use the base image "ubuntu:22.04". This tag is mutable and points at the most recent build of the Ubuntu 22.04 image. At the time of writing this, that would be "ubuntu:focal-20230126". Similarly, we use the base image "docker.elastic.co/ubi8/ubi-minimal" for RedHat UBI-based images.

Using mutable tags like these makes our images less easily reproducible, since we then need to work back from a previously built image to identify the exact base image; and we would then need to ensure the locally cached base image is that exact version.

A secondary issue is that the images are rebuilt and published infrequently -- for ubuntu, (approximately?) every month. We should ideally be keeping the base image's packages more up-to-date than this. Somewhat related, we have a need to install additional OS packages in the ubuntu base image, for example to install up-to-date CA certificates: #10332

Finally, we label our images with the build time. This currently makes some sense, since our images are not reproducible, and are indirectly dependent on the time at which they are built (i.e. due to the availability of a new base image).

I would like us to:

  • Regularly build and publish derivative base images, with OS packages kept up to date; and any additionally required packages installed. These images should be publicly available for transparency, and to enable others to build our images.
  • Reference the base images by their immutable (sha256) content hash, automatically updating this via a CI job in active release branches.
  • Label images with the Git commit timestamp, rather than the build time.

Validation criteria:

  • make package-docker will reproducibly build the exact same images from a given apm-server commit.
  • The above excludes Ironbank images, which we do not build directly. The build context should be reproducible.
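As an added illustration of the proposal above (example code, not apm-server's own build tooling): a check that flags mutable `FROM` references, a rewrite that pins them to a caller-supplied digest map, and the commit-time `created` label. The Dockerfile and the sha256 digests are constructed placeholders; a real CI job would resolve digests from the registry.

```python
import re
from datetime import datetime, timezone

# FROM [--platform=<p>] <image>[:<tag>][@sha256:<hex>] [AS <stage>]
FROM_RE = re.compile(
    r"^(?P<prefix>[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?)"
    r"(?P<image>[^\s@]+?)(?::(?P<tag>[\w][\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?P<suffix>(?:[ \t]+AS[ \t]+(?P<stage>\S+))?[ \t]*)$",
    re.IGNORECASE | re.MULTILINE,
)
# Constructed sample: two mutable bases, a stage alias and 'scratch' (the last two are not registry images).
SAMPLE_DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM golang:1.20 AS builder
FROM ubuntu:22.04
COPY --from=builder /apm-server /usr/share/apm-server/apm-server
FROM builder AS tools
FROM scratch
"""
# Constructed placeholder digests (not real image digests); CI would resolve these from the registry.
SAMPLE_DIGESTS = {"golang:1.20": "sha256:" + "a" * 64, "ubuntu:22.04": "sha256:" + "b" * 64}

def _base_refs(dockerfile):
    """Yield (match, image[:tag]) for FROM lines naming an external image; skip stage names and scratch."""
    stages = set()
    for m in FROM_RE.finditer(dockerfile):
        image = m.group("image")
        if image.lower() != "scratch" and image not in stages:
            yield m, image + (":" + m.group("tag") if m.group("tag") else "")
        if m.group("stage"):
            stages.add(m.group("stage"))

def unpinned_bases(dockerfile):
    """Base references that are mutable, i.e. carry no @sha256 digest."""
    return [ref for m, ref in _base_refs(dockerfile) if m.group("digest") is None]

def pin_bases(dockerfile, digests):
    """Rewrite mutable FROM lines as image:tag@sha256:<hex>; the tag stays for readability, the digest resolves."""
    edits = []
    for m, ref in _base_refs(dockerfile):
        if m.group("digest") is None:
            if ref not in digests:
                raise KeyError(f"no digest known for base image {ref!r}")
            edits.append((m.start("image"), m.start("suffix"), f"{ref}@{digests[ref]}"))
    for start, end, text in reversed(edits):  # right-to-left so earlier offsets stay valid
        dockerfile = dockerfile[:start] + text + dockerfile[end:]
    return dockerfile

def created_label(commit_epoch):
    """OCI 'created' label from the Git commit time (git log -1 --format=%ct), not the build time."""
    ts = datetime.fromtimestamp(commit_epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"org.opencontainers.image.created={ts}"
```

Running `pin_bases` a second time on its own output is a no-op, which is the property a CI job updating digests in release branches relies on.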
