[jira] [Commented] (SOLR-15129) Use the Solr TGZ artifact as Docker context

[Chris M. Hostetter (Jira)]

    [ 
https://issues.apache.org/jira/browse/SOLR-15129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17279216#comment-17279216
 ] 

Chris M. Hostetter commented on SOLR-15129:
-------------------------------------------

So... as i mentioned in SOLR-15127, I like the idea of ensuring everything 
needed for the docker image is in the solr.tgz file, so that it _can_ be used 
as the docker build context (ie: when having gradle build the image for you 
after you've done some patch/test iterations locally)

But as far as the "official" images go, i'm liking the idea of using the 
solr.tgz as the build context less and less the more I think about it....
{noformat}
docker build -f solr-9.0.0/Dockerfile 
https://www.apache.org/dyn/closer.lua/lucene/solr/9.0.0/solr-9.0.0.tgz
{noformat}
>From the perspective of an arbitrary docker user, this approach feels like a 
>step _backwards_ compared to the docker-solr 8.x docker images, in terms of 
>transparency and "confidence" that I know what code is in a docker image 
>(either the official images via "docker pull" or if i want to build it locally 
>on my own)

With the 8.x line, the binary solr.tgz release artifacts are also downloaded 
from a closre.lua mirror (similar to the suggested build context here) – but 
the Dockerfile has a hardcoded SHA512 the solr.tgz is expected to match (giving 
confidence that i'm getting the same bits the "docker-solr" team expects) and 
the GPG signature of the download is vetted against the expected signature 
downloaded from archive.apache.org (giving confidence that i'm getting the same 
bits that the "Apache Solr" team says they published)

With the approach suggested in this jira, we wouldn't really be able to give 
the same "confidence" to what's in the solr.tgz that "docker build" would be 
downloading to use as a context ... we can't hardcode any SHAs or GPG 
signatures into the Dockerfile / context if that Dockerfile/context is itself 
coming from the (questionably trusted) solr.tgz

 
----
I think the idea I put forth in SOLR-15127 for building the "official" images 
directly from GIT tags would give a higher level of "confidence" and 
transparency...
{noformat}
docker build --build-arg SOLR_VERSION=9.0.0 --file solr/docker/Dockerfile  
https://gitbox.apache.org/repos/asf/lucene-solr.git#releases/lucene-solr/9.0.0

# or if we decide to put the Dockerfile in the root dir of the solr repo once 
solr is a TLP even simpler...
docker build --build-arg SOLR_VERSION=9.0.0 
https://gitbox.apache.org/repos/asf/solr.git#releases/9.0.0
{noformat}
 * docker build context pulled from apache hosted hardware (ie: not a 
third-party mirror)
 * context is a git repo, with an intrinsic "audit log" (ie: you know that the 
image is built from is what the Apache Solr committers intended it to be built 
from)
 * context contains source code, not pre-compiled jar files

 
----

Aside from the philosophical questions, a practical note about the changes in 
the current PR: there's a lingering reference to the {{$SOLR_VERSION}} in 
{{scripts/solr-fg}} that needs to be dealt with now that you've replaced that 
that ENV var with a VERSION file (see nocommit comments about this in my 
SOLR-15127.patch)

> Use the Solr TGZ artifact as Docker context
> -------------------------------------------
>
>                 Key: SOLR-15129
>                 URL: https://issues.apache.org/jira/browse/SOLR-15129
>             Project: Solr
>          Issue Type: Sub-task
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: master (9.0)
>            Reporter: Houston Putman
>            Priority: Major
>
> As discussed in SOLR-15127, there is a need for a unified Dockerfile that 
> allows for release and local builds.
> This ticket is an attempt to achieve this by using the Solr distribution TGZ 
> as the docker context to build from.
> Therefore release images would be completely reproducible by running:
> {{docker build -f solr-9.0.0/Dockerfile 
> https://www.apache.org/dyn/closer.lua/lucene/solr/9.0.0/solr-9.0.0.tgz}}
> The changes to the Solr distribution would include adding a Dockerfile at 
> {{solr-<version>/Dockerfile}}, adding the docker scripts under 
> {{solr-<version>/docker}}, and adding a version file at 
> {{solr-<version>/VERSION.txt}}.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org