This repository has been archived by the owner on May 24, 2022. It is now read-only.

How does the docker support recognize new versions? #129

Closed
lorengordon opened this issue Aug 7, 2018 · 13 comments

@lorengordon

This is really just a usage question... Just ran into an issue with a slow-moving project where some update to an underlying docker image in the last 10 months is causing the tests to fail. Figured I'd try to better pin the docker image and enable dependabot to check and update things, so we get a heads up when this happens. But, I can't figure out how to specify the image in a way that will result in a change in a PR. The image I'm using now is centos:centos7, from the docker hub, https://hub.docker.com/_/centos/. There doesn't seem to be a new versioned tag with every update. Anything I'm missing, or will dependabot just not work for me in this particular case?

@greysteil
Contributor

Hmm, from that listing it looks like you could use centos:7.5.1804, for example. Dependabot should definitely pick up that that tag is version-like.

@lorengordon
Author

Yeah, but that represents the centos 7.5 image of the install media, with only packages from the original ISO. It does not include any updates.

> images with minor version tags that correspond to install media are also offered. These images DO NOT receive updates as they are intended to match installation iso contents

@lorengordon
Author

If that's my only option, I can do that, and run the updates in the Dockerfile. Was just hoping to avoid it.

@greysteil
Contributor

At the moment it's the only option 😢.

I think a really nice improvement would be for Dependabot to update digest SHAs for you if you pin to a digest SHA. That shouldn't be too hard for me to implement - I'll take a look this week.

@lorengordon
Author

I was thinking that would be nice as well. But the Dockerfile syntax for a SHA doesn't specify the tag that the SHA should map to. So I'm not sure how you'd know which SHA to pick from when there are updates...

https://docs.docker.com/engine/reference/commandline/pull/#pull-an-image-by-digest-immutable-identifier

So, how would we know that I want the new SHA of the centos7 image, not the centos6 image? Or maybe there's another syntax when using a SHA?

@greysteil
Contributor

I'm pretty sure you can use the format ubuntu:12.04.5@sha256:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005, which would do it. Otherwise yes - there'd be no way for us to look up the tag from the now outdated SHA.

@lorengordon
Author

Ahh, nice, that does work! :D

@greysteil
Contributor

A couple of improvements!

  1. Dependabot now checks the digest of centos:centos7 and centos:7.5.1804, notices they're the same, and doesn't try to "update" you between them
  2. Dependabot will now update the digest of your Docker image, even if the tag hasn't changed

Between the two of the above, Docker support should be a bunch better now!
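
The pinning forms discussed in this thread, as an added example (not Dependabot's code and not part of the original comments): it classifies `FROM` lines as floating tag, digest-only, or tag plus digest, and refreshes only the last form, since a bare digest does not say which tag to re-resolve. The function names, the `REGISTRY` lookup and the digests are constructed placeholders.

```python
import re

FROM_RE = re.compile(
    r"^(?P<head>\s*FROM\s+(?:--\S+\s+)*)"      # keyword plus flags such as --platform
    r"(?P<repo>[^\s@]+?)"                      # repository, may include host:port/
    r"(?::(?P<tag>\w[\w.-]*))?"                # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"   # optional @digest
    r"(?P<tail>\s.*)?$",                       # e.g. " AS build"
    re.IGNORECASE,
)

def classify(line):
    """Return (kind, repo, tag, digest) for a FROM line, or None for other lines."""
    m = FROM_RE.match(line)
    if not m:
        return None
    tag, digest = m["tag"], m["digest"]
    if tag and digest:
        kind = "tag+digest"    # immutable, and the tag says which stream to follow
    elif digest:
        kind = "digest-only"   # immutable, but nothing says which tag to re-resolve
    else:
        kind = "floating"      # content changes whenever the tag is re-pushed
    return kind, m["repo"], tag, digest

def refresh(dockerfile, resolve):
    """Rewrite tag+digest FROM lines to the digest the tag resolves to now."""
    out, changed = [], []
    for line in dockerfile.splitlines():
        info = classify(line)
        if info and info[0] == "tag+digest":
            _, repo, tag, old = info
            new = resolve(repo, tag)
            if new and new != old:
                line = line.replace(old, new)
                changed.append((repo, tag))
        out.append(line)
    return "\n".join(out), changed

# Constructed sample: digests are made-up placeholders, not real CentOS digests.
OLD, NEW = "sha256:" + "a" * 64, "sha256:" + "b" * 64
SAMPLE = f"FROM centos:centos7\nFROM centos:centos7@{OLD} AS build\nFROM centos@{OLD}\nRUN yum -y update"
REGISTRY = {("centos", "centos7"): NEW}  # hypothetical stand-in for a registry query

if __name__ == "__main__":
    text, changed = refresh(SAMPLE, lambda r, t: REGISTRY.get((r, t)))
    print(text, changed, sep="\n")
```

Only the second `FROM` line is rewritten; the floating tag and the digest-only reference are left as they are.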

@lorengordon
Author

@greysteil Thanks, I'll test it out tomorrow morning.

Regarding point 1... Would you mind explaining that a bit more?

What I'm worried about is that centos:centos7 and centos:7.5.1804 should almost never have the same digest... centos:7.5.1804 ought not really change, I don't think. My understanding of their approach is that tag will be generated once, when the ISO is released. Though I suppose they could update that image tag based on changes to their docker pipeline, even if they always build it to the ISO patch-set. But even then it should almost certainly be different from centos:centos7. I'd think they'd only ever be the same for the very first push of the centos:7.5.1804 tag...but perhaps that's exactly the scenario you were anticipating...

@greysteil
Contributor

Great!

Yep, that's what we're envisaging. I'm expecting the digest of centos:centos7 to change regularly, but to always be the same as the most up-to-date centos:7.x.x. Dependabot will then realise that centos:centos7 is up-to-date, and won't try to update you to any centos:7.x.x releases.

Hope that clarifies. Basically, Dependabot will now only update you if the change would actually be an update.

@lorengordon
Author

Hmm, so I'm not seeing a way of looking up an older digest. I'm updating one of our projects with the current digest, but it'll probably be a week or two before CentOS pushes new images.

@lorengordon
Author

This is working perfectly, thanks! Centos just published new images, and dependabot opened a PR with the new SHA. Very nice!

@greysteil
Contributor

Awesome! 🎉
