RFC: Rebuild Policy for Fedora Docker Trusted Images
This is a draft document to establish a policy for rebuilding the Fedora Docker Images that are available for download via The Docker Hub.
Rationale:
We have the ability to "respin" Fedora's Docker images when packages are updated, but need to determine a policy for what package updates trigger a rebuild. Fedora does not update its ISO images between release cycles, but instead depends on users to use update tools to bring Fedora up to date once an installation is finished.
However, users are going to interact with Docker images somewhat differently than a traditional system. We should assume that users will not be using "yum update" or other tools to keep an image updated.
To put it another way, when a user/developer does "docker pull fedora" they will assume that the image is ready to use and does not require a round of updates before it is usable to deploy/work with. At present, the Fedora "official" image requires 18 packages to be updated with approximately 11MB of data to be downloaded. (As of this writing [1] the package set that requires an update is minimal, and the actual image is about 4 months old.)
Stable Releases Only:
This policy applies to stable releases only. Release/rebuild policy for rawhide, pre-beta, alpha, beta, and release candidate images is not affected by this policy.
Rebuild Policy (F21 Cycle):
For the first official cycle, we should support a regular release cadence, supplemented by a rebuild if there are any security updates that affect the Fedora Docker package set. (See Appendix B for the current set, though this set may change slightly for F21.)
Release Cadence:
For the Fedora 21 cycle, the official Docker image will be rebuilt on a monthly cycle to pull in all updates to packages that compose the image.
Further, any security updates to packages in the official image will trigger a rebuild, regardless of the length of time since the last rebuild.
In the event of a security update, all packages with updates pending will be included - regardless of whether they're updated for a security fix or not.
If no packages are pending updates, no rebuild will be required.
Example:
Two weeks after Fedora 21 is released, 10 packages in the set have pending updates, but none of the pending updates are security related - there will be no rebuild. Two weeks and one day after the release, the curl package receives a security update.
The curl update will trigger a rebuild, and all 11 packages that have pending updates will be included.
After the security rebuild, four more packages in the package set receive updates. These will be rolled up into the monthly update.
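The rebuild rules above can be written as a small decision function and replayed against this example timeline. This is an added illustration, not part of the draft policy or any Fedora tooling. It assumes "monthly" means 30 days since the last build; the release date and the pkgNN package names are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the policy says "monthly"; modelled as 30 days since the last build.
CADENCE = timedelta(days=30)

@dataclass(frozen=True)
class Update:
    package: str
    security: bool = False

def rebuild_decision(pending, last_build, today):
    """Apply the draft policy; return (rebuild, reason, packages_included)."""
    if not pending:
        return False, "no pending updates", []
    # Any rebuild pulls in every pending update, security-related or not.
    included = sorted(u.package for u in pending)
    if any(u.security for u in pending):
        return True, "security update", included
    if today - last_build >= CADENCE:
        return True, "monthly cadence", included
    return False, "held for monthly rebuild", []

def replay_example(release=date(2015, 1, 1)):
    """Replay the worked example; returns (day, rebuild, reason, count) tuples."""
    last_build, pending, log = release, [], []

    def check(day):
        nonlocal last_build, pending
        today = release + timedelta(days=day)
        rebuild, reason, included = rebuild_decision(pending, last_build, today)
        log.append((day, rebuild, reason, len(included)))
        if rebuild:  # a rebuild clears the backlog and restarts the clock
            last_build, pending = today, []

    pending += [Update(f"pkg{i:02d}") for i in range(1, 11)]   # 10 non-security
    check(14)                                                  # two weeks in
    pending.append(Update("curl", security=True))              # security fix lands
    check(15)
    pending += [Update(f"pkg{i:02d}") for i in range(11, 15)]  # four more updates
    check(20)
    check(45)                                                  # 30 days after day 15
    return log

if __name__ == "__main__":
    for entry in replay_example():
        print(entry)
```
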
Supported Layered Images
The CWG may choose to support some of the layered images (see list of Dockerfiles on GitHub), and these may require additional policy. However, we have not yet established which images we support beyond the base Fedora image.
Re-Evaluate
Fedora 21 will be the first cycle with an "official" Docker image for Fedora. We should plan to re-evaluate this policy by the time Fedora 22 is in alpha, and decide whether it's working for end users and an acceptable workload for the groups in Fedora that support the Docker image.
Appendix A: Footnote 1
This is the package set that would require an update as of 18 August 2014. The Fedora Docker image was updated / created 4 weeks ago according to the Docker data.
bash
curl
gnupg2
krb5-libs
libcurl
libtasn1
man-db
openldap
openssh
openssh-clients
openssl-libs
p11-kit
p11-kit-trust
pcre
python-six
readline
systemd
systemd-libs
Appendix B: Current set of Packages in the Fedora Docker Image
acl-2.2.52-4.fc20.x86_64 audit-libs-2.3.7-1.fc20.x86_64 basesystem-10.0-9.fc20.noarch bash-4.2.47-2.fc20.x86_64 bzip2-libs-1.0.6-9.fc20.x86_64 ca-certificates-2013.1.97-1.fc20.noarch chkconfig-1.3.60-4.fc20.x86_64 coreutils-8.21-21.fc20.x86_64 cpio-2.11-25.fc20.x86_64 cracklib-2.9.0-5.fc20.x86_64 cracklib-dicts-2.9.0-5.fc20.x86_64 cronie-1.4.11-4.fc20.x86_64 cronie-noanacron-1.4.11-4.fc20.x86_64 crontabs-1.11-7.20130830git.fc20.noarch cryptsetup-libs-1.6.4-1.fc20.x86_64 curl-7.32.0-11.fc20.x86_64 cyrus-sasl-lib-2.1.26-14.fc20.x86_64 dbus-1.6.12-9.fc20.x86_64 dbus-libs-1.6.12-9.fc20.x86_64 device-mapper-1.02.85-1.fc20.x86_64 device-mapper-libs-1.02.85-1.fc20.x86_64 diffutils-3.3-4.fc20.x86_64 dracut-037-11.git20140402.fc20.x86_64 dracut-config-rescue-037-11.git20140402.fc20.x86_64 dtc-1.4.0-2.fc20.x86_64 elfutils-libelf-0.158-4.fc20.x86_64 expat-2.1.0-7.fc20.x86_64 fedora-release-20-3.noarch file-libs-5.19-1.fc20.x86_64 filesystem-3.2-19.fc20.x86_64 findutils-4.5.11-4.fc20.x86_64 fipscheck-1.4.1-2.fc20.x86_64 fipscheck-lib-1.4.1-2.fc20.x86_64 gawk-4.1.0-3.fc20.x86_64 gdbm-1.10-7.fc20.x86_64 glib2-2.38.2-2.fc20.x86_64 glibc-2.18-12.fc20.x86_64 glibc-common-2.18-12.fc20.x86_64 gmp-5.1.2-2.fc20.x86_64 gnupg2-2.0.24-1.fc20.x86_64 gpgme-1.3.2-4.fc20.x86_64 grep-2.18-1.fc20.x86_64 groff-base-1.22.2-8.fc20.x86_64 gzip-1.6-2.fc20.x86_64 hardlink-1.0-18.fc20.x86_64 hostname-3.13-2.fc20.x86_64 info-5.1-4.fc20.x86_64 initscripts-9.51-2.fc20.x86_64 iproute-3.14.0-2.fc20.x86_64 iptables-1.4.19.1-1.fc20.x86_64 iputils-20140519-1.fc20.x86_64 keyutils-libs-1.5.9-1.fc20.x86_64 kmod-15-1.fc20.x86_64 kmod-libs-15-1.fc20.x86_64 kpartx-0.4.9-56.fc20.x86_64 krb5-libs-1.11.5-5.fc20.x86_64 less-458-7.fc20.x86_64 libacl-2.2.52-4.fc20.x86_64 libassuan-2.1.0-2.fc20.x86_64 libattr-2.4.47-3.fc20.x86_64 libblkid-2.24.2-1.fc20.x86_64 libcap-2.22-7.fc20.x86_64 libcap-ng-0.7.4-1.fc20.x86_64 libcom_err-1.42.8-3.fc20.x86_64 libcurl-7.32.0-11.fc20.x86_64 libdb-5.3.28-1.fc20.x86_64 
libdb-utils-5.3.28-1.fc20.x86_64 libedit-3.1-2.20130601cvs.fc20.x86_64 libffi-3.0.13-5.fc20.x86_64 libgcc-4.8.3-1.fc20.x86_64 libgcrypt-1.5.3-2.fc20.x86_64 libgpg-error-1.12-1.fc20.x86_64 libidn-1.28-2.fc20.x86_64 libmetalink-0.1.2-4.fc20.x86_64 libmount-2.24.2-1.fc20.x86_64 libpipeline-1.2.4-2.fc20.x86_64 libpwquality-1.2.3-1.fc20.x86_64 libselinux-2.2.1-6.fc20.x86_64 libsemanage-2.1.10-14.fc20.x86_64 libsepol-2.1.9-2.fc20.x86_64 libssh2-1.4.3-9.fc20.x86_64 libstdc++-4.8.3-1.fc20.x86_64 libtasn1-3.6-1.fc20.x86_64 libuser-0.60-3.fc20.x86_64 libutempter-1.1.6-3.fc20.x86_64 libuuid-2.24.2-1.fc20.x86_64 libverto-0.2.5-3.fc20.x86_64 libxml2-2.9.1-2.fc20.x86_64 linux-atm-libs-2.5.1-8.fc20.x86_64 lua-5.2.2-5.fc20.x86_64 man-db-2.6.5-2.fc20.x86_64 ncurses-5.9-12.20130511.fc20.x86_64 ncurses-base-5.9-12.20130511.fc20.noarch ncurses-libs-5.9-12.20130511.fc20.x86_64 nspr-4.10.6-1.fc20.x86_64 nss-3.16.2-1.fc20.x86_64 nss-softokn-3.16.2-1.fc20.x86_64 nss-softokn-freebl-3.16.2-1.fc20.x86_64 nss-sysinit-3.16.2-1.fc20.x86_64 nss-tools-3.16.2-1.fc20.x86_64 nss-util-3.16.2-1.fc20.x86_64 openldap-2.4.39-3.fc20.x86_64 openssh-6.4p1-4.fc20.x86_64 openssh-clients-6.4p1-4.fc20.x86_64 openssl-libs-1.0.1e-38.fc20.x86_64 p11-kit-0.20.2-1.fc20.x86_64 p11-kit-trust-0.20.2-1.fc20.x86_64 pam-1.1.8-1.fc20.x86_64 passwd-0.79-2.fc20.x86_64 pcre-8.33-5.fc20.x86_64 pinentry-0.8.1-11.fc20.x86_64 pkgconfig-0.28-3.fc20.x86_64 popt-1.16-2.fc20.x86_64 procps-ng-3.3.8-17.fc20.x86_64 pth-2.0.7-21.fc20.x86_64 pygpgme-0.3-8.fc20.x86_64 pyliblzma-0.5.3-10.fc20.x86_64 python-2.7.5-13.fc20.x86_64 python-iniparse-0.4-9.fc20.noarch python-libs-2.7.5-13.fc20.x86_64 python-pycurl-7.19.3-1.fc20.x86_64 python-six-1.6.1-1.fc20.noarch python-urlgrabber-3.10.1-0.fc20.noarch pyxattr-0.5.1-4.fc20.x86_64 qrencode-libs-3.4.2-1.fc20.x86_64 readline-6.2-8.fc20.x86_64 rootfiles-8.1-16.fc20.noarch rpm-4.11.2-2.fc20.x86_64 rpm-build-libs-4.11.2-2.fc20.x86_64 rpm-libs-4.11.2-2.fc20.x86_64 rpm-python-4.11.2-2.fc20.x86_64 
rsync-3.1.0-5.fc20.x86_64 sed-4.2.2-6.fc20.x86_64 setup-2.8.71-2.fc20.noarch shadow-utils-4.1.5.1-8.fc20.x86_64 shared-mime-info-1.2-7.fc20.x86_64 sqlite-3.8.5-1.fc20.x86_64 sudo-1.8.8-1.fc20.x86_64 systemd-208-19.fc20.x86_64 systemd-libs-208-19.fc20.x86_64 sysvinit-tools-2.88-14.dsf.fc20.x86_64 tar-1.26-31.fc20.x86_64 tcp_wrappers-libs-7.6-76.fc20.x86_64 tzdata-2014e-1.fc20.noarch uboot-tools-2013.10-3.fc20.x86_64 ustr-1.0.4-15.fc20.x86_64 util-linux-2.24.2-1.fc20.x86_64 vim-minimal-7.4.179-1.fc20.x86_64 xz-5.1.2-12alpha.fc20.x86_64 xz-libs-5.1.2-12alpha.fc20.x86_64 yum-3.4.3-152.fc20.noarch yum-metadata-parser-1.1.4-9.fc20.x86_64 zlib-1.2.8-3.fc20.x86_64