hi!

as part of doing the work to enable IO ITs, we decided we want to use
docker. As part of that, we need to run docker images and they'll probably
be pulled from a docker repository.

Questions:
* What docker repositories (and users on docker hub) do we as a group allow
for images we'll run for hosted data stores?
 -> My proposal is we should only use repositories/images that are
regularly updated and that have someone saying that the images we depend on
are secure. In the set of images currently linked to by checked in code/in
PR code, quay.io and official docker images seem fine. They both have
security scans (for what that's worth) and generally seem okay.

* Do we pin to particular docker images or allow our version to float?
 -> I have seen docker images change in an insecure way (e.g. switching the
name of the password parameter, meaning that the data store was secure when
set up, and became insecure because no password was set after the image
update), so I'd prefer to pin to particular versions, and update on a
periodic basis.

I'm relatively new to docker best practices, so I'm open to suggestions on
this.

Current ITs with docker images:
* Jdbc - https://hub.docker.com/_/postgres/  (official image)
* Elasticsearch - https://hub.docker.com/r/sebp/elk/ (semi-official-looking
image)
* (PR in-flight
<https://github.com/apache/beam/pull/2193/files#diff-a630b5fff9aebc9e99a3f324c9cf75a9R52>)
HadoopInputFormat's elasticsearch and cassandra tests -
https://hub.docker.com/_/cassandra/ and
https://quay.io/repository/pires/docker-elasticsearch-kubernetes?tag=5.2.2&tab=tags
(official image, and image from quay.io, which provides security audits of
their images)

The more I think about it, the less I'm excited about the sebp/elk image -
I'm sure it's fine, but I'd prefer using images from a source that we know
is trying to check for security problems.

There's a secondary problem that we're using two different elasticsearch
images - I'd like to use only one image. I'll follow up on that -
https://issues.apache.org/jira/browse/BEAM-1644

S
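As a worked illustration of the two proposals in the message above (an allowlist of image sources, and pinning images rather than letting them float), here is a small checker for container image references. It is an added example, not Beam project code and not the poster's; the allowlist (Docker Hub official images under the `library/` namespace, plus quay.io), the status levels, and every sample reference and digest in it are assumptions constructed for the demo.

```python
"""Policy check for container image references.

Added example for the thread above; it is not Beam project code and does
not come from the poster. It encodes, as assumptions, the two policies
proposed: (1) only Docker Hub official images (the library/ namespace) and
quay.io are allowed sources, and (2) every image must be pinned, by an
immutable @sha256 digest preferably, or at least by a specific version tag.
All sample references below are constructed for the demo.
"""
import re

# Assumed allowlist: (registry, namespace). None as namespace means any
# namespace on that registry is acceptable.
ALLOWED = {
    ("docker.io", "library"),  # official images such as postgres, cassandra
    ("quay.io", None),
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_ref(ref):
    """Split an image reference into (registry, namespace, repo, tag, digest).

    Follows Docker's naming rules: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the
    reference is on docker.io, and a bare name like 'postgres' lives in
    the 'library' namespace (that is what "official image" means on Hub).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    else:
        registry = "docker.io"
    repo, tag = parts[-1], None
    if ":" in repo:
        repo, tag = repo.rsplit(":", 1)
    if registry == "docker.io" and len(parts) == 1:
        namespace = "library"
    else:
        namespace = "/".join(parts[:-1]) or None
    return registry, namespace, repo, tag, digest


def check_ref(ref):
    """Return {'ref', 'status', 'findings'}; status is 'ok', 'warn' or 'fail'."""
    registry, namespace, repo, tag, digest = parse_ref(ref)
    findings, status = [], "ok"
    if (registry, namespace) not in ALLOWED and (registry, None) not in ALLOWED:
        findings.append(f"source not allowed: {registry}/{namespace or ''}")
        status = "fail"
    if digest is not None:
        # A digest is content-addressed, so the image cannot change under us.
        if not DIGEST_RE.match(digest):
            findings.append(f"malformed digest: {digest}")
            status = "fail"
    elif tag is None or tag == "latest":
        # Floating: whatever is pushed next is what the test will run.
        findings.append("floating reference (no tag or 'latest'); pin it")
        status = "fail"
    else:
        # A version tag is a pin by convention only; tags can be re-pushed.
        findings.append(f"pinned by mutable tag '{tag}'; prefer an @sha256 digest")
        if status == "ok":
            status = "warn"
    return {"ref": ref, "status": status, "findings": findings}


FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.M | re.I)
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^'\"\s]+)", re.M)


def scan_text(text):
    """Check every image referenced by Dockerfile FROM lines or compose
    'image:' keys in the given text, in the order they appear."""
    refs = FROM_RE.findall(text) + IMAGE_RE.findall(text)
    return [check_ref(r) for r in refs if r.lower() != "scratch"]


# Constructed docker-compose style sample; the digest is a placeholder.
SAMPLE_COMPOSE = f"""\
services:
  elk:
    image: sebp/elk:latest
  cassandra:
    image: "cassandra:3.10"
  es:
    image: quay.io/pires/docker-elasticsearch-kubernetes@sha256:{'0' * 64}
"""

if __name__ == "__main__":
    for result in scan_text(SAMPLE_COMPOSE):
        print(result["status"].upper(), result["ref"])
        for finding in result["findings"]:
            print("   -", finding)
```

Run it against a Dockerfile or compose file to get one line per image: a digest pin on an allowed source passes, a version tag on an allowed source is a warning (tags are mutable, so the image behind `cassandra:3.10` can still be re-pushed), and a floating tag or a non-allowlisted namespace such as `sebp/elk:latest` fails. The allowlist and the choice of treating tag pins as warnings rather than failures are policy assumptions to adjust to the group's decision.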
