Last week at the Forum we had a couple of discussions about collaboration between the various teams building or consuming container images. One topic that came up was deciding how to publish images from the various teams to docker hub or other container registries. While the technical bits seem easy enough to work out, there is still the question of precedence and whether it's a good idea to do so at all.
In the past, we have refrained from publishing binary packages in other formats such as debs and RPMs. (We did publish debs way back in the beginning, for testing IIRC, but switched away from them to sdists to be more inclusive.) Since then, we have said it is the responsibility of downstream consumers to build production packages, either as distributors or as a deployer that is rolling their own. We do package sdists for python libraries, push some JavaScript to the NPM registries, and have tarballs of those and a bunch of other artifacts that we build out of our release tools. But none of those is declared as "production ready," and so the community is not sending the signal that we are responsible for maintaining them in the context of production deployments, beyond continuing to produce new releases when there are bugs. Container images introduce some extra complexity, over the basic operating system style packages mentioned above. Due to the way they are constructed, they are likely to include content we don't produce ourselves (either in the form of base layers or via including build tools or other things needed when assembling the full image). That extra content means there would need to be more tracking of upstream issues (bugs, CVEs, etc.) to ensure the images are updated as needed. Given our security and stable team resources, I'm not entirely comfortable with us publishing these images, and giving the appearance that the community *as a whole* is committing to supporting them. I don't have any objection to someone from the community publishing them, as long as it is made clear who the actual owner is. I'm not sure how easy it is to make that distinction if we publish them through infra jobs, so that may mean some outside process. I also don't think there would be any problem in building images on our infrastructure for our own gate jobs, as long as they are just for testing and we don't push those to any other registries. I'm raising the issue here to get some more input into how to proceed. Do other people think this concern is overblown? Can we mitigate the risk by communicating through metadata for the images? Should we stick to publishing build instructions (Dockerfiles, or whatever) instead of binary images? Are there other options I haven't mentioned? Doug __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
