[ https://issues.apache.org/jira/browse/SOLR-15129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17279216#comment-17279216 ]
Chris M. Hostetter commented on SOLR-15129:
-------------------------------------------
So... as i mentioned in SOLR-15127, I like the idea of ensuring everything
needed for the docker image is in the solr.tgz file, so that it _can_ be used
as the docker build context (ie: when having gradle build the image for you
after you've done some patch/test iterations locally)
But as far as the "official" images go, i'm liking the idea of using the
solr.tgz as the build context less and less the more I think about it....
{noformat}
docker build -f solr-9.0.0/Dockerfile https://www.apache.org/dyn/closer.lua/lucene/solr/9.0.0/solr-9.0.0.tgz
{noformat}
From the perspective of an arbitrary docker user, this approach feels like a
step _backwards_ compared to the docker-solr 8.x docker images, in terms of
transparency and "confidence" that I know what code is in a docker image
(either the official images via "docker pull" or if i want to build it locally
on my own)
With the 8.x line, the binary solr.tgz release artifacts are also downloaded
from a closer.lua mirror (similar to the suggested build context here) – but
the Dockerfile has a hardcoded SHA512 the solr.tgz is expected to match (giving
confidence that i'm getting the same bits the "docker-solr" team expects) and
the GPG signature of the download is vetted against the expected signature
downloaded from archive.apache.org (giving confidence that i'm getting the same
bits that the "Apache Solr" team says they published)
With the approach suggested in this jira, we wouldn't really be able to give
the same "confidence" to what's in the solr.tgz that "docker build" would be
downloading to use as a context ... we can't hardcode any SHAs or GPG
signatures into the Dockerfile / context if that Dockerfile/context is itself
coming from the (questionably trusted) solr.tgz
----
I think the idea I put forth in SOLR-15127 for building the "official" images
directly from GIT tags would give a higher level of "confidence" and
transparency...
{noformat}
docker build --build-arg SOLR_VERSION=9.0.0 --file solr/docker/Dockerfile https://gitbox.apache.org/repos/asf/lucene-solr.git#releases/lucene-solr/9.0.0
# or if we decide to put the Dockerfile in the root dir of the solr repo once solr is a TLP even simpler...
docker build --build-arg SOLR_VERSION=9.0.0 https://gitbox.apache.org/repos/asf/solr.git#releases/9.0.0
{noformat}
* docker build context pulled from apache hosted hardware (ie: not a
third-party mirror)
* context is a git repo, with an intrinsic "audit log" (ie: you know that what
the image is built from is what the Apache Solr committers intended it to be
built from)
* context contains source code, not pre-compiled jar files
----
Aside from the philosophical questions, a practical note about the changes in
the current PR: there's a lingering reference to the {{$SOLR_VERSION}} in
{{scripts/solr-fg}} that needs to be dealt with now that you've replaced that
ENV var with a VERSION file (see nocommit comments about this in my
SOLR-15127.patch)
> Use the Solr TGZ artifact as Docker context
> -------------------------------------------
>
> Key: SOLR-15129
> URL: https://issues.apache.org/jira/browse/SOLR-15129
> Project: Solr
> Issue Type: Sub-task
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: master (9.0)
> Reporter: Houston Putman
> Priority: Major
>
> As discussed in SOLR-15127, there is a need for a unified Dockerfile that
> allows for release and local builds.
> This ticket is an attempt to achieve this by using the Solr distribution TGZ
> as the docker context to build from.
> Therefore release images would be completely reproducible by running:
> {{docker build -f solr-9.0.0/Dockerfile
> https://www.apache.org/dyn/closer.lua/lucene/solr/9.0.0/solr-9.0.0.tgz}}
> The changes to the Solr distribution would include adding a Dockerfile at
> {{solr-<version>/Dockerfile}}, adding the docker scripts under
> {{solr-<version>/docker}}, and adding a version file at
> {{solr-<version>/VERSION.txt}}.
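The check the comment describes for the 8.x images (a SHA512 pinned outside the download, plus a signature check) can also be run by whoever performs the build. The following is an added example, not code from docker-solr or from the comment above. The function names are hypothetical, the pinned digest must come from a source you trust independently of the tarball, and the gpg step assumes the release signing keys are already in your keyring.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from docker-solr).

# sha512_of FILE: print the lowercase hex SHA-512 of FILE.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_context FILE EXPECTED_SHA512 [DETACHED_SIG]
# 0 = verified, 1 = digest or signature mismatch, 2 = unusable input.
verify_context() {
    local file="$1" expected="$2" sig="${3:-}" actual
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # A pin must be exactly 128 hex characters; an empty or truncated
    # pin is an error, never a reason to skip the comparison.
    case "$expected" in
        ""|*[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed pin" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha512_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "SHA512 mismatch for $file" >&2
        return 1
    fi
    # Assumption: the signer's public key is already in the local keyring.
    if [ -n "$sig" ]; then
        gpg --batch --verify "$sig" "$file" >&2 || return 1
    fi
    return 0
}

# build_verified FILE EXPECTED_SHA512 DOCKERFILE_PATH_INSIDE_TARBALL
# Sends the verified local file to docker on stdin, so the bytes that are
# built are the bytes that were checked (no second download).
build_verified() {
    verify_context "$1" "$2" && docker build -f "$3" - < "$1"
}
```

Because the pin is supplied by the caller, it lives outside the tarball it vouches for.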