Publish the Docker image to a public repository #2441
Comments
|
I would regard that to be a part of #1901, but I'll leave this issue open to make the request explicit. |
sschuberth
added
docker
|
We also need official docker images for this. Currently we're occasionally creating a docker-image from the master and tag them with a date timestamp since we want immutable images for analyzing our code. We do this by including the repo as as submodule in our repository: Docker images van be found here: |
|
We did not publish an Docker image for ORT as the ORT maintainers would like to be compliant with the FLOSS licenses contained in such an ORT Docker image. We can easily generate SBOM for ORT itself but not for the rest of the tools that would make up such a ORT Docker image. Ideally, we build the ORT Docker image from scratch so we can publish the image and corresponding source code but that's not an easy task since we use a layered Dockerfile. We welcome contributions to help us get this done. |
|
Happen to stumble upon https://buildpacks.io that help you build Docker images and this come with a basic BOM out of the box. No integration for GitHub yet but there is for GitLab |
|
I'm looking into using buildpacks to build an image. They seem to better handle dependencies in different layers. ProblemCurrently I'm facing the following problem: The tests require a lot of tools (conan, dep, composer, bundle, cargo, etc) to be present in build environment. Buildpacks do not see these out-of-the box. OptionsOption 1. Split testsAll test related to different tools should run as separate tests so we can tell buildpack what tools need to be installed for that particular testset. F.e. the tests involving Ruby eco systems, should be separated from the rest and can be performed in parallel with the correct environment installed for that use-case. Disadvantage
Advantage
Option 2. Re-create 1 build environment with specific versions of tools.Recreate one build environment with specific versions of the tools and use this for both testing / building ort and for the docker image. Advantage
Disadvantage
PlanI will make a PoC of Option 1 for one language. Maybe we then can evaluate these Pros and Cons. |
|
Also, in parallel we should generally aim for reducing the number of required external tools. I have a few ideas how to do that, but not the time to implement it 😞 |
@mkurzman recently proposed to me to make use of OSADL's pre-cleared base Docker images which are also published to Docker Hub. That way we at least wouldn't need to care about the base image's compliance anymore. |
|
Any advances on this topic ? |
Not really, as AFAIK no one is actively working on it / had an urge to move this forward so far. |
|
When it comes to generating an SBOM we could also use Tern https://github.com/tern-tools/tern Recent versions should be able to also detect licenses of typical distribution packages. The SBOM could be provided alongside the container image. As a further mitigation we could dogfood ORT and use it to evalute the container SBOM for certain criteria. |
|
Generating an SBOM using Tern for the current ORT container takes about 35 minutes on GitHub Actions. In the meantime I also found Syft which is another tool for creating SBOMs of containers. I might give that a try as well. For now I started generating images on a daily cron schedule: https://github.com/alliander-opensource/ort-container/pkgs/container/ort-container I used the Philips container in the past but that hasn't been updated in a while so I took a more radical approach. Let's see what comes of it. I'm still looking for suggestions on how to publish SBOMs alongside container images: tern-tools/tern#1183 |
|
Containers are now available at https://github.com/orgs/alliander-opensource/packages?repo_name=ort-container including a dedicated build for the PR #4746 |
|
Discussed at community at 25th of August:: License compliance as requirements including providing source code. From there we can improve it, like the desire to scan ORT with ORT, for which so far nobody succeeded. |
|
@nicorikken @heliocastro and @tsteenbe are working on creating a ORT "sources" image e.g. the complete corresponding source code to satisfy open source license obligations. If people are interested in joining this effort please reach out to me to be added to our sync meetings/slack channel on this topic. |
I've filed #5696 for that. |
|
Hey |
|
I guess publishing to Docker Hub is out of the question now, so if at all we should probably go straight to GitHub's Container Registry. |
I'd totally agree on pushing the Docker image to https://ghcr.io. We've realized this with a pretty straight-forward workflow: https://github.com/SovereignCloudStack/ort-docker/blob/main/.github/workflows/build_docker.yml |
|
Is there maybe any moves concerning a possible publication from the ORT community to ghcr.io ? |
|
So, we're not published only because @tsteenbe want us to have fully scanned and with BOM's |
|
Thanks @heliocastro for your reply ; I'm not blaming anyone, just asking :-D |
|
Docker images are now available in GHCR. |
This would save a casual user who is investigating the tool from having to set up a build environment and create the image themselves: users may not have such an environment available to them and are unlikely to spend the time setting it up (I'm one such user!).
The text was updated successfully, but these errors were encountered: