potiuk edited a comment on issue #4543: [AIRFLOW-3718] Multi-layered version of 
the docker image
URL: https://github.com/apache/airflow/pull/4543#issuecomment-455904301
 
 
   @fokko -> --pull flag is a good idea. It won't change DockerHub build 
behaviour as they are always starting from a clean docker when building image 
(to get repeatable builds). But it's good for anyone building it on their own 
environment which might not be clean.
   
   As far as why `apt-get upgrade -y` is a bad idea - I am not sure any of the 
comments in the Stack Overflow question you copied actually say that. And I am 
not sure how `docker build --pull` is tied with not having to use `apt-get 
upgrade`. Just `build --pull` is not solving all security issues - it only 
forces rebuild when there is an update to the python3.6-slim base image which 
is happening every 1.5 months or so so far - mostly because new python3.6 
minor version has been released. We are installing a lot more via apt-get and 
using apt-get upgrade is a good idea to keep (for security mostly).
   
   Plus if we are really concerned that building from scratch might not 
work for some people, why don't we simply run two image builds in parallel - 
latest (using the cache) and latest-clean (without cache - similar as release 
builds). This way we can be notified immediately when the "clean" build goes 
out of sync with the cached one enough that it starts to fail (which should be 
extremely rare if at all taking into account that we will be rebuilding the 
whole image from scratch always when new python version gets released and 
when we do a release candidate of a new release). And if we find any issue and 
fix it - we can (after fixing it) force-rebuild latest image by increasing the 
variable in docker file.
   
   In my latest PR change I did exactly this - whenever "release" or 
"latest-clean" image is built I replace --cache-from with --no-cache option and 
if we configure those parallel builds (I did it in my DockerHub) - they will 
all be built in parallel - but then latest will be using cache which is 
beneficial for the users downloading it regularly.
   
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
