From 6d8e3b35edecc7eca110e116e5814f198215bda2 Mon Sep 17 00:00:00 2001 From: NoRePercussions Date: Tue, 12 Nov 2024 12:39:09 -0500 Subject: [PATCH] Pin container image digests * Removes surprise changes if a tag is updated. Pinning digests requires that handling these updates must be done (manually or automatically) in the repo, instead of silently occuring on end devices. This should allow for more transparent debugging if we do run into an issue. * Prevents cache invalidation when an image is updated. OSRF pushes new updates to our ROS image regularly, invalidating our cache. (https://hub.docker.com/layers/osrf/ros/noetic-desktop-full-focal/images/sha256-9b846bfafa51e85d25c0c482994b558318071d5ffd1800747c07dd3ba17c362b?context=explore) * Preserves docker metadata cache so it does not attempt to refresh it every time we run the project. Future steps: * Set a policy for updating pins and configure renovate or dependabot to assist.
---
 docker-compose-gpu-automated-testing.yml | 2 +- docker-compose-gpu.yml | 2 +- docker-compose-no-gpu-automated-testing.yml | 2 +- docker-compose-no-gpu.yml | 2 +- docker_auton/Dockerfile | 2 +- docker_tester_outofdate/Dockerfile | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/docker-compose-gpu-automated-testing.yml b/docker-compose-gpu-automated-testing.yml
index 28d4a3ac..4b51f7c5 100755
--- a/docker-compose-gpu-automated-testing.yml
+++ b/docker-compose-gpu-automated-testing.yml
@@ -29,7 +29,7 @@ services:
 count: 'all'
 capabilities: [gpu]
 tileserver:
- image: maptiler/tileserver-gl
+ image: maptiler/tileserver-gl@sha256:fb1e78a88d70ebab7044001c53459a91cbb2bdfb937c0cad657b956d1435a874
 volumes:
 - "./maps:/data"
 stdin_open: true # docker run -i
diff --git a/docker-compose-gpu.yml b/docker-compose-gpu.yml
index ac946677..e885692a 100755
--- a/docker-compose-gpu.yml
+++ b/docker-compose-gpu.yml
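Review bot: The `image:` line for `tileserver` now carries only a digest, so the file no longer says which release is pinned and a later digest change cannot be reviewed without querying the registry. Writing the tag alongside it, `image: maptiler/tileserver-gl:<tag>@sha256:<digest>` (placeholders; use the tag the digest was resolved from), keeps the pin reviewable while the digest still decides what is pulled. The identical literal is repeated in the hunks for docker-compose-gpu.yml, docker-compose-no-gpu-automated-testing.yml and docker-compose-no-gpu.yml, so a comment like `# digest must match the other docker-compose-*.yml files` above each line would guard against the four pins drifting apart. If these files run on more than one CPU architecture, confirm the value is the multi-arch index digest and not a single-platform manifest.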
@@ -29,7 +29,7 @@ services:
 count: 'all'
 capabilities: [gpu]
 tileserver:
- image: maptiler/tileserver-gl
+ image: maptiler/tileserver-gl@sha256:fb1e78a88d70ebab7044001c53459a91cbb2bdfb937c0cad657b956d1435a874
 volumes:
 - "./maps:/data"
 stdin_open: true # docker run -i
diff --git a/docker-compose-no-gpu-automated-testing.yml b/docker-compose-no-gpu-automated-testing.yml
index 003afd77..0642ee4d 100755
--- a/docker-compose-no-gpu-automated-testing.yml
+++ b/docker-compose-no-gpu-automated-testing.yml
@@ -22,7 +22,7 @@ services:
 device_cgroup_rules:
 - "c *:* rmw"
 tileserver:
- image: maptiler/tileserver-gl
+ image: maptiler/tileserver-gl@sha256:fb1e78a88d70ebab7044001c53459a91cbb2bdfb937c0cad657b956d1435a874
 volumes:
 - "./maps:/data"
 stdin_open: true # docker run -i
diff --git a/docker-compose-no-gpu.yml b/docker-compose-no-gpu.yml
index b9e6079e..c4be5de6 100755
--- a/docker-compose-no-gpu.yml
+++ b/docker-compose-no-gpu.yml
@@ -22,7 +22,7 @@ services:
 device_cgroup_rules:
 - "c *:* rmw"
 tileserver:
- image: maptiler/tileserver-gl
+ image: maptiler/tileserver-gl@sha256:fb1e78a88d70ebab7044001c53459a91cbb2bdfb937c0cad657b956d1435a874
 volumes:
 - "./maps:/data"
 stdin_open: true # docker run -i
diff --git a/docker_auton/Dockerfile b/docker_auton/Dockerfile
index a05558e6..4748f316 100755
--- a/docker_auton/Dockerfile
+++ b/docker_auton/Dockerfile
@@ -1,6 +1,6 @@
 # FROM nvidia/cuda:11.6.2-base-ubuntu20.04 as CUDA
-FROM osrf/ros:noetic-desktop-full-focal
+FROM osrf/ros:noetic-desktop-full-focal@sha256:d574528a3ec7b047362b75d192b86baa49675be36bfee510adae82e2db29507d
 # COPY --from=CUDA /usr/local/cuda /usr/local/
diff --git a/docker_tester_outofdate/Dockerfile b/docker_tester_outofdate/Dockerfile
index 5e5f512e..edc796dd 100755
--- a/docker_tester_outofdate/Dockerfile
+++ b/docker_tester_outofdate/Dockerfile
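Review bot: On the new `FROM osrf/ros:noetic-desktop-full-focal@sha256:…` line in docker_auton/Dockerfile the tag is no longer used for resolution once the digest is present, so it is documentation only and will silently go stale when the digest is bumped or the tag moves upstream. A comment above the line would make that explicit, for example `# tag is informational; the digest is what is pulled (resolved <date>, verify against the registry before bumping)`. The same digest appears again in docker_tester_outofdate/Dockerfile, and the commented-out `# FROM nvidia/cuda:11.6.2-base-ubuntu20.04 as CUDA` context line stays unpinned, so it would bypass the pin if it is ever re-enabled. The rest of the Dockerfile is outside this hunk.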
@@ -1,6 +1,6 @@
-FROM nvidia/cuda:11.6.2-base-ubuntu20.04 as CUDA
+FROM nvidia/cuda:11.6.2-base-ubuntu20.04@sha256:a0dd581afdbf82ea9887dd077aebf9723aba58b51ae89acb4c58b8705b74179b as CUDA
-FROM osrf/ros:noetic-desktop-full-focal
+FROM osrf/ros:noetic-desktop-full-focal@sha256:d574528a3ec7b047362b75d192b86baa49675be36bfee510adae82e2db29507d
 COPY --from=CUDA /usr/local/cuda /usr/local/
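Review bot: The first rewritten `FROM` line keeps the lowercase `as` from the old line while `FROM` is uppercase, which BuildKit's build checks report as inconsistent keyword casing; since the line is being touched anyway, `FROM nvidia/cuda:11.6.2-base-ubuntu20.04@sha256:<digest> AS CUDA` would be the consistent form (placeholder digest, keep the one in the hunk). The two pinned stages here are presumably meant to be updated together, because the `COPY --from=CUDA` context line copies files from one into the other, so a one-line comment above them saying `# bump both digests together and rebuild before merging` would help whoever updates the pins. The Dockerfile continues outside the hunk.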