[ https://issues.apache.org/jira/browse/CAMEL-22535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated CAMEL-22535:
--------------------------------
    Priority: Minor  (was: Major)

> camel-jbang-container: Missing version pinning breaks container images / 
> Further improvements
> ---------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-22535
>                 URL: https://issues.apache.org/jira/browse/CAMEL-22535
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-jbang
>    Affects Versions: 4.13.0, 4.14.0, 4.14.1
>            Reporter: Michael Weiss
>            Priority: Minor
>
> I noticed that with every new Camel release, the older camel-jbang containers 
> stop working. For example, camel-jbang:4.14.1 doesn’t work at all. The root 
> cause appears to be that both during the image build and at startup 
> (entrypoint), the image uses camel@apache/camel. This reference resolves to 
> the HEAD revision of CamelJBang.java on GitHub, which is a moving target. So, 
> every time you update CamelJBang.java and the DEPS declared in it, you break 
> already built containers. In the case of camel-jbang:4.14.1, the jbang source 
> code on GitHub was only updated to 4.14.1 several hours after the image was 
> built, rendering the image broken on release day.
> Solution:
> 1) Pin camel-jbang version: 
> Use dedicated 
> https://github.com/apache/camel/blob/$CAMEL_JBANG_COMMIT/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java
>  instead of `camel@apache/camel` which refers to 
> https://github.com/apache/camel/blob/HEAD/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java
> Further Improvements:
> 2) Utilize Docker best practice:
> - Don't install unnecessary things. Extract only the jbang linux binaries. 
> The current images also hold Windows files
> - Dockerfile instructions:
>     - FROM: Whenever possible, use current official images as the basis for 
> your images (see security advice below)
>     - RUN/ENV: Reduce amount of RUN and ENV statements as each creates a new 
> intermediate layer
> 3) Have a dedicated `camel` executable in the image, as the help refers to 
> this command. Important for those developing applications in the container's 
> Terminal (especially for Kubernetes users). Also the entrypoint should be 
> changed to `["camel"]`.
> 4) Let the jbang and aforementioned camel executable be in `/usr/local/bin` 
> according to the Linux Filesystem Hierarchy Standard (FHS)
> 5) Set the JBang Version in `$HOME/.jbang/cache/version.txt`, otherwise 
> `jbang version` and `camel version` show an empty string for the JBang 
> Version
> Supply chain security advice:
> Switch back to the official eclipse-temurin image at docker.io and do not use 
> image mirrors unless you have the possibility to automatically cross-check 
> and validate the image hashes between the mirror and docker.io.
> Why Official Images? These images have clear documentation, promote best 
> practices and are scanned for vulnerabilities.
> If you like, I can create a pull request on GitHub for the bugfix and 
> improvements.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
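
An added example, not part of the issue or of Camel's own build files: a small lint that flags the moving references the report describes (the `camel@apache/camel` alias, `HEAD` URLs, a base image pulled from a mirror). The digest check generalizes the report's advice on image hashes; the sample Dockerfiles, the mirror host, the image tag and the all-zero digest are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the Camel repository.

# lint_dockerfile: read a Dockerfile on stdin, print "<line>:<rule>" per finding.
lint_dockerfile() {
  awk '
    # The jbang alias that the issue says resolves to HEAD of CamelJBang.java.
    /camel@apache\/camel/     { print NR ":unpinned-jbang-alias" }
    # A GitHub URL that names HEAD instead of a commit.
    /github\.com\/.*\/HEAD\// { print NR ":head-url" }
    # Base image: registry other than docker.io, or no content digest.
    # Stage names in multi-stage builds are not tracked here.
    toupper($1) == "FROM" {
      img = ($2 ~ /^--platform=/) ? $3 : $2
      n = split(img, part, "/")
      host = (n > 1 && part[1] ~ /[.:]|^localhost$/) ? part[1] : "docker.io"
      if (host != "docker.io")         print NR ":base-image-from-mirror"
      if (img !~ /@sha256:[0-9a-f]+$/) print NR ":base-image-no-digest"
    }
  '
}

# Constructed sample: moving references and a hypothetical mirror host.
sample_unpinned() { cat <<'EOF'
FROM mirror.example.invalid/library/eclipse-temurin:21-jdk
RUN jbang app install camel@apache/camel
RUN jbang app install --name camel https://github.com/apache/camel/blob/HEAD/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java
ENTRYPOINT ["jbang", "camel@apache/camel"]
EOF
}

# Constructed sample: commit-pinned source; the all-zero digest is a placeholder.
sample_pinned() { cat <<'EOF'
FROM docker.io/library/eclipse-temurin:21-jdk@sha256:0000000000000000000000000000000000000000000000000000000000000000
ARG CAMEL_JBANG_COMMIT
RUN jbang app install --name camel https://github.com/apache/camel/blob/$CAMEL_JBANG_COMMIT/dsl/camel-jbang/camel-jbang-main/dist/CamelJBang.java
ENTRYPOINT ["camel"]
EOF
}

echo "unpinned:"; sample_unpinned | lint_dockerfile
echo "pinned:";   sample_pinned   | lint_dockerfile
```

Run against a real Dockerfile with `lint_dockerfile < Dockerfile`; an empty result means none of the four rules matched.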
