The base images provided for function apps create a false illusion of idempotency for users. For example, I was recently using the following base image in a Dockerfile: "mcr.microsoft.com/azure-functions/python:4-python3.10". It worked fine until last month, but suddenly broke in a recent release. The conflict emerged because the setuptools version needed for the function app to run was lower than the one in the mentioned base image, which got an update.
Now in general, if the base image coupled with a fixed tag (thus giving the sense of a static image) is subject to regular updates, it should be explicitly marked as unsafe for production, as a newer release can conflict with the existing dependencies of the app. On digging deeper, I found that we can club the base image with the SHA256 digest of the working release, and it would not get updated when newer releases are rolled out.
But then there is no public listing of all the older SHA digests for a particular image:tag combination; they just have the SHA256 digest for the latest ones. Thus, if the image coupled with that SHA is archived someday, it will again cause a surprise in production.
So I wanted to seek understanding on whether a dockerized function app should be preferred in production. If yes, how shall we lock the base image?
The primary ask of this issue is about the usage of dockerized functions in production and handling compatibility, which is a bit broad and beyond the scope of the issues in this repository. I think the right place to ask this question would be the azure-functions-docker repo.
I am transferring this issue over, and the relevant folks can reply on the thread.
v-shenoy transferred this issue from Azure/azure-functions-on-container-apps on Oct 14, 2024
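A check for the digest locking raised in the issue, as an added example that is not part of the original thread or of the Azure Functions project's code: it scans a Dockerfile and reports which `FROM` lines are locked to a `sha256` digest and which still follow a tag that can be repointed. The function names, status labels and the all-zero digest are assumptions made for illustration.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real digest

def classify_ref(ref, stages):
    """Classify one FROM image reference by how tightly it is locked."""
    if ref.lower() in stages:
        return "stage"             # refers to an earlier build stage, not a registry
    if ref == "scratch":
        return "scratch"
    if "$" in ref:
        return "unresolved-arg"    # depends on a build ARG, cannot be judged statically
    if DIGEST_RE.search(ref):
        return "pinned"            # content-addressed, cannot change under the same name
    name = ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    return "floating-tag" if ":" in last else "implicit-latest"

def audit_dockerfile(text):
    """Return (line_no, image_ref, status) for every FROM instruction."""
    findings, stages = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform=...
        if not args:
            continue
        findings.append((no, args[0], classify_ref(args[0], stages)))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

# Constructed sample: the tag from the issue, once floating and once digest-locked.
SAMPLE = f"""\
# build stage
FROM mcr.microsoft.com/azure-functions/python:4-python3.10 AS build
RUN pip install -r requirements.txt
FROM --platform=linux/amd64 mcr.microsoft.com/azure-functions/python:4-python3.10@{PLACEHOLDER_DIGEST}
COPY --from=build /home/site/wwwroot /home/site/wwwroot
FROM localhost:5000/functions/python
FROM build
"""

if __name__ == "__main__":
    for no, ref, status in audit_dockerfile(SAMPLE):
        print(f"line {no}: {status:16} {ref}")
```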