Staunch voice no to :most contemporary

2022-Mar-02 • by David Norton

Don’t specify most contemporary for your Dockerfile! Or wherever else! Attain you ought to
live in a van down by the river?

FROM alpine:most contemporary

It breaks one in every of the core requirements of continuous supply: reproducible, idempotent builds. This might possibly possibly perchance perchance motive considerations
at handiest when looking out for to be pleased your project, and at worst in a manufacturing failure.

Per chance worse than specifying most contemporary in a Dockerfile, we unquestionably be pleased no longer ought to specify most contemporary in a Kubernetes
Pod manifest. No longer no longer up to ought to you expend the most contemporary for your
Dockerfile to invent a versioned portray, you are going to roll reduction to your old versioned portray if one thing happened.

If your deployment manifest specifies a most contemporary portray, then it might possibly perchance in all probability perchance replace any time a brand new pod desired to roll out, and you might possibly perchance be
on the mercy of the maintainers to no longer destroy compatibility. This might possibly possibly perchance perchance happen on a weekend or the heart of the evening,
when a node goes execrable! 

# BAD:
portray: "nginx:most contemporary"

# GOOD:
portray: "nginx:1.21.6"

(This brings up a entertaining aspect level, in that Docker Hub and most totally different registries enable mutable tags by default.
So nginx:1.21.6 is doubtlessly no longer the identical portray on the present time as it became yesterday. No doubt, you doubtlessly desire a mechanism to
assign into price brand immutability: e.g., your be pleased registry mirror, or relating to photographs by SHA).

Most recent dependencies exist in most ecosystems

Which you might possibly possibly grasp unversioned dependencies for your installation script: 

# BAD:
pip set up awscli

# GOOD:
pip set up awscli==1.22.60

Or for your equipment.json: 

# BAD ought to you be pleased no longer grasp a lock file
"dependencies": {
    "baz": ">1.0.2"
}

Or your Terraform provider: 

# BAD ought to you be pleased no longer grasp a lock file
terraform {
  required_providers {
    mycloud={
      source ="hashicorp/aws"
      version=">=1.0"
    }
  }
}

Or your Terraform module: 

# BAD:
module "gitlabrunner" {
  source="npalm/gitlab-runner/aws"
}
# GOOD:
module "gitlabrunner" {
  source ="npalm/gitlab-runner/aws"
  version="1.2.3"
}

There are any totally different selection of how this might possibly well play out. Everytime you pull in external code or binaries, build in tips how that
dependency is versioned and how your be pleased direction of pulls it in.

Lock recordsdata

Fortunately, many frameworks present a mechanism to enable easy updates, with source-controlled versions and hashsums, by
device of lock recordsdata. These lock recordsdata are intended to be generated with a divulge notify, and dedicated to source
withhold an eye fixed on. They’re then obsolete in CI to drag the categorical the identical dependencies at be pleased time. As an instance,
terraform init -give a boost to will pull in essentially the most contemporary dependencies allowed by the version constraints and replace the
lock file, and later terraform init will pull in these accurate identical versions.

I whine this supplies the handiest of each and each worlds — essentially the most contemporary and finest with extra permissive provider version
constraints, with the predictability of mounted dependency versions.

Uncover serve of these wherever you might possibly possibly perchance, but take into accout two things:

  1. Commit the lock recordsdata to source withhold an eye fixed on!
  2. If it be crucial to preserve serve of a brand new characteristic, worm fix, or safety fix, replace the provider version constraint,
    dart terraform init -give a boost to, and commit the up in the past lock file.
  3. Attain no longer replace the lock recordsdata at some stage in CI (e.g. dart terraform init, no longer terraform init -give a boost to)

Examples of lock recordsdata:

Pulling dependencies at runtime

As grand as you might possibly possibly perchance, cease a long way flung from pulling dependencies at runtime. This might possibly possibly perchance perchance gaze cherish an EC2 individual-records script that installs
Docker, or an npm set up running at startup on a virtual machine, or others. Bake your
dependencies into your deployable artifact, and version your artifacts, so as that you mainly grasp a deployable procedure
and might possibly well perchance discover down considerations on the beautiful time.

One formula to prevent this is with community policies for your compute ambiance that prevent access to code distribution
mechanisms (or you are going to even lock down all outbound access except for for allowed connections).

Scanning for vulnerabilities

GitHub and GitLab each and each grasp components that will scan your repositories and suggest updates in accordance with safety
vulnerability databases. Which you might possibly possibly additionally preserve serve of totally different industrial companies corresponding to Twistlock, or originate source
alternatives corresponding to Grype. These can integrate into your be pleased direction of, and/or be dart on a agenda to salvage new experiences
as they happen.

Updating dependencies

Possibilities are you’ll perchance level-headed replace your dependencies, alternatively it ought to be with a discrete decide to source withhold an eye fixed on so as that you might possibly possibly perchance discover
the changes, uncover a versioned artifact, and be ready to salvage any considerations sooner than they change into considerations in manufacturing.

Conclusion

This submit became firstly titled :most contemporary actually kills pups. My editor/accomplice belief that became a microscopic coarse.
I took her advice, but added this display veil indicating my personal feelings on the topic – you might possibly possibly perchance blueprint your be pleased
conclusions.