I support improving the process of updating the CI docker images. A couple of thoughts here:

- I agree the Jenkinsfile security is a little bit arbitrary. I think maybe there could be an aspect of protecting the Jenkins master (i.e. I think you can get references to internal shared Java objects from the Jenkinsfile and mess with them). I agree it doesn't stop folks from running arbitrary commands.
- Generally speaking we don't tend to reuse layers in Docker containers, so pulling the base image may make the docker build shorter, but I don't think we should expect the typical docker build to result in a small incremental change. Rather, these images are quite large, and I'm not sure we should be stashing them via Jenkins.
- A related problem occurs when we pull images from ephemeral containers--previously builds started almost immediately, but now it's much more likely we'll need to pull a docker image. I wonder if we might consider a [pull-through cache](https://docs.docker.com/registry/recipes/mirror/) or some other type of local registry as a way to both pull images and also store builds that originated in the CI.
- From a security perspective, I think ephemeral machines help; I'd also add pre-declaring network dependencies and firewalling the executors as possible remedies.