Michael Weiss created CAMEL-22535:
-------------------------------------

             Summary: camel-jbang-container: Missing version pinning breaks container images / Further improvements
                 Key: CAMEL-22535
                 URL: https://issues.apache.org/jira/browse/CAMEL-22535
             Project: Camel
          Issue Type: Bug
          Components: camel-jbang
    Affects Versions: 4.14.1, 4.14.0, 4.13.0
            Reporter: Michael Weiss


I noticed that with every new Camel release, the older camel-jbang containers 
stop working. For example, camel-jbang:4.14.1 doesn’t work at all. The root 
cause appears to be that both during the image build and at startup 
(entrypoint), the image uses camel@apache/camel. This reference resolves to the 
HEAD revision of CamelJBang.java on GitHub, which is a moving target. So, every 
time you update CamelJBang.java and the DEPS declared in it, you break already 
built containers. In the case of camel-jbang:4.14.1, the jbang source code on 
GitHub was only updated to 4.14.1 several hours after the image was built, 
rendering the image broken on release day.

Solution:

1) Pin camel-jbang version: 
Use dedicated 
https://github.com/apache/camel/blob/$CAMEL_JBANG_COMMIT/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java 
instead of `camel@apache/camel` which refers to 
https://github.com/apache/camel/blob/HEAD/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java

Further Improvements:

2) Utilize Docker best practice:

- Don't install unnecessary things. Extract only the jbang linux binaries. The 
current images also hold Windows files
- Dockerfile instructions:
    - FROM: Whenever possible, use current official images as the basis for 
your images (see security advice below)
    - RUN/ENV: Reduce the amount of RUN and ENV statements as each creates a new 
intermediate layer

3) Have a dedicated `camel` executable in the image, as the help refers to 
this command. Important for those developing applications in the container's 
terminal (especially for Kubernetes users). Also, the entrypoint should be 
changed to `["camel"]`.

4) Let the jbang and aforementioned camel executable be in `/usr/local/bin` 
according to the Linux Filesystem Hierarchy Standard (FHS)

5) Set the JBang version in `$HOME/.jbang/cache/version.txt`, otherwise `jbang 
version` and `camel version` show an empty string for the JBang version

Supply chain security advice:
Switch back to the official eclipse-temurin image at docker.io and do not use 
image mirrors unless you have the possibility to automatically cross-check and 
validate the image hashes between the mirror and docker.io.
Why Official Images? These images have clear documentation, promote best 
practices and are scanned for vulnerabilities.


If you like, I can create a pull request on GitHub for the bugfix and 
improvements.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
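
An added example, not part of the original report and not project code: a small Dockerfile audit that flags the moving references the report describes (the bare `camel@apache/camel` alias, `/blob/HEAD/` URLs, base images without a digest or pulled from a registry other than docker.io). The sample Dockerfile, the mirror hostname, the all-zero digest and the rule names are constructed for illustration.

```python
import re

# Constructed sample, not the project's Dockerfile; the digest is a dummy value.
SAMPLE = """\
FROM mirror.example.com/eclipse-temurin:21-jdk AS build
RUN jbang app install \\
    camel@apache/camel
FROM docker.io/library/eclipse-temurin:21-jre@sha256:""" + "0" * 64 + """
RUN jbang app install https://github.com/apache/camel/blob/HEAD/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java
ENTRYPOINT ["jbang", "camel@apache/camel"]
"""

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
ALIAS = re.compile(r"(?<![\w.-])camel@apache/camel(?![\w/.-])")
HEAD_URL = re.compile(r"github\.com/\S+/blob/HEAD/")

def logical_lines(text):
    """Yield (first line number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        buf += line.rstrip("\\").strip() + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", 0

def audit(dockerfile):
    """Return sorted (line, rule) findings for references that can change after build."""
    findings, stages = [], set()
    for n, instr in logical_lines(dockerfile):
        words = instr.split()
        if words[0].upper() == "FROM":
            args = [w for w in words[1:] if not w.startswith("--")]
            image, host = args[0], args[0].split("/")[0]
            if image != "scratch" and image not in stages:
                if "/" in image and ("." in host or ":" in host) and host != "docker.io":
                    findings.append((n, "mirror-registry"))
                if not DIGEST.search(image):
                    findings.append((n, "no-digest"))
            if len(args) == 3 and args[1].upper() == "AS":
                stages.add(args[2])
            continue
        for rule, rx in (("moving-jbang-alias", ALIAS), ("head-url", HEAD_URL)):
            if rx.search(instr):
                findings.append((n, rule))
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports the line on which each instruction starts, so a finding inside a continued `RUN` points at the `RUN` line.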