
Docker and the OCI container ecosystem

Posted Jul 26, 2022 21:21 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: Docker and the OCI container ecosystem by jordan
Parent article: Docker and the OCI container ecosystem

> At a previous employer, we had internal Debian "mirrors" maintained with aptly that held on to every version of the package they'd ever seen, and explicitly specified the version of each package in a manifest file. As you say, more complex infrastructure.

There is a Debian snapshot service ( https://snapshot.debian.org/ ) that preserves all the Debian history. So you can just refer to timestamped sources in your APT config. E.g.: https://snapshot.debian.org/archive/debian/20220720T151841Z/

I'm not sure this service can survive if more people start using it, though. It's pretty slow as it is :( We pipe it through our own proxy that basically stores every artifact, to make sure we don't bring it down.


Docker and the OCI container ecosystem

Posted Jul 26, 2022 21:24 UTC (Tue) by jordan (subscriber, #110573)

Sure, but using Debian snapshots would mean that you'd have to take all the updates in the snapshot that you moved to at once, and that you'd have to take updates in the order they were supplied upstream. Having a packrat mirror that holds on to all the versions gives you more flexibility in deciding what you want to update and when.

Docker and the OCI container ecosystem

Posted Jul 26, 2022 21:34 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

> Sure, but using Debian snapshots would mean that you'd have to take all the updates in the snapshot that you moved to at once

Yeah, but this is usually OK. It also makes it easier to audit dockerfiles to check if they cover all CVEs in the base Debian image.

We also have a script that checks if an image contains packages that are different between two snapshots, this helps to automate "empty" version bumps. Not perfect, but it helps.

We also tried Nix that gives strong reproducibility guarantees, but it wastes way too much time on rebuilding everything.
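The two techniques the thread mentions, pinning APT to a snapshot.debian.org timestamp and checking whether an image is affected by the packages that changed between two snapshots, can be shown together. The following is an added example written for this page; it is not code from the thread or from Debian, and the package names, version strings and `apt-proxy.internal` host in it are constructed sample data. The `check-valid-until=no` source option is needed because the Release files served by the snapshot archive are long past their Valid-Until date, and the `base` argument is how a local caching proxy (as the commenter describes) is substituted for the public service:

```python
"""Helpers around snapshot.debian.org pinning (added example, not from the thread)."""
import re

SNAPSHOT_BASE = "https://snapshot.debian.org/archive/debian"


def snapshot_source_line(timestamp, suite, components=("main",), base=SNAPSHOT_BASE):
    """Build one sources.list line pinned to a snapshot timestamp.

    `base` may point at an internal caching proxy (hypothetical host below)
    so that the public snapshot service is not hit on every build.
    """
    if not re.fullmatch(r"\d{8}T\d{6}Z", timestamp):
        raise ValueError(f"not a snapshot timestamp: {timestamp!r}")
    return f"deb [check-valid-until=no] {base}/{timestamp}/ {suite} {' '.join(components)}"


def parse_packages_index(text):
    """Map package name -> version from a Debian Packages index.

    Stanzas are separated by blank lines; continuation lines of multi-line
    fields start with a space and so never match the field regex. This assumes
    one version per package in the index, which holds for a single suite/arch.
    """
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z-]+): (.*)$", stanza, flags=re.M))
        if "Package" in fields and "Version" in fields:
            index[fields["Package"]] = fields["Version"]
    return index


def parse_installed(dpkg_query_output):
    """Parse the output of: dpkg-query -W -f '${Package} ${Version}\n'"""
    installed = {}
    for line in dpkg_query_output.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def changed_packages(installed, old_index, new_index):
    """Installed packages whose version differs between the two snapshots.

    Packages present in only one snapshot show up with None on the other
    side; packages absent from both are reported separately by audit_image().
    """
    changes = {}
    for name in sorted(installed):
        old, new = old_index.get(name), new_index.get(name)
        if old != new:
            changes[name] = (old, new)
    return changes


def drifted_packages(installed, index):
    """Installed packages whose version is not the one the snapshot provides,
    i.e. they were not installed from the pinned snapshot."""
    return {n: (v, index[n]) for n, v in sorted(installed.items())
            if n in index and index[n] != v}


def audit_image(installed_text, old_index_text, new_index_text):
    """Decide whether moving the image from the old to the new snapshot is an
    'empty' bump (no installed package changes) and flag drift."""
    installed = parse_installed(installed_text)
    old_index = parse_packages_index(old_index_text)
    new_index = parse_packages_index(new_index_text)
    return {
        "changed": changed_packages(installed, old_index, new_index),
        "drifted": drifted_packages(installed, old_index),
        "unknown": sorted(n for n in installed if n not in old_index and n not in new_index),
    }


# Constructed sample data: two snapshot Packages indexes and an image's package list.
OLD_INDEX = """\
Package: libssl1.1
Version: 1.1.1n-0+deb11u2
Architecture: amd64

Package: zlib1g
Version: 1:1.2.11.dfsg-2+deb11u1
Architecture: amd64
"""
NEW_INDEX = """\
Package: libssl1.1
Version: 1.1.1n-0+deb11u3
Architecture: amd64

Package: zlib1g
Version: 1:1.2.11.dfsg-2+deb11u2
Architecture: amd64

Package: curl
Version: 7.74.0-1.3+deb11u2
Architecture: amd64
"""
INSTALLED = """\
libssl1.1 1.1.1n-0+deb11u2
zlib1g 1:1.2.11.dfsg-2
base-files 11.1+deb11u4
"""

if __name__ == "__main__":
    print(snapshot_source_line("20220720T151841Z", "bullseye"))
    for key, value in audit_image(INSTALLED, OLD_INDEX, NEW_INDEX).items():
        print(f"{key}: {value}")
```

A bump is "empty" for an image when `changed` comes back empty; `drifted` catches packages that did not come from the pinned snapshot at all (which would make a CVE audit against the snapshot's package list misleading), and `unknown` lists packages that neither index knows about, so they are not silently skipped. Version strings are compared for equality only; ordering them requires Debian version comparison (`dpkg --compare-versions`), which this example does not implement.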


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds