AutoPull Images in cacheFrom Should not be default behavior #6925
Labels
area/build
area/cache
area/s3c
build/docker
kind/design discussion
planning/H1-2022
priority/p1
Expected behavior
PR #1495 introduced pre-pulling behavior as the default when the cacheFrom keyword is used (with no option to disable this, I believe).
In my humble opinion, this is a mistake and honestly can introduce security risks.
Let me explain. If the first or second command of a Dockerfile is something like

```
apt-get update && apt-get dist-upgrade -y
```

the user might think that they are actually getting the latest security updates periodically. Now, let's say the Dockerfile only changes towards the end (changes the default shell, for example). In skaffold's current behavior, if I want to use cacheFrom to speed up builds, it downloads the `latest` image, which from a Dockerfile perspective only shows a change on the last line. It's possible that another security update will never be run again until the cache images are invalidated! The way we previously handled this with our docker builds in GitLab runners was something like this:
In this way, we would invalidate the cache anytime it had cooled off for more than 12 hours. With the current implementation of skaffold, this isn't really possible.
The following file will always pull the cache even with `tryImportMissing: false` (which is likely an unrelated command, but confusing all the same):
A couple of possible solutions from (my) preferred to least preferred
`docker pull scratch && docker tag scratch <myimage>:latest && docker push <myimage>:latest`) - This is getting pretty gross in my opinion

Information
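The time-based invalidation the issue describes (stop using the cache image once it has "cooled off" for more than 12 hours, so the `apt-get update && apt-get dist-upgrade -y` layer is really re-executed) as an added shell example; this is not code from the issue author, from the GitLab setup mentioned above, or from skaffold. It assumes a single cache image tag, a 12 hour threshold, the image's `Created` timestamp as the age signal (a build whose every step hits the cache reuses the old image and does not refresh it), and GNU `date` for timestamp parsing; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the skaffold issue or project.
# Policy: reuse a registry cache image only while it is younger than
# MAX_CACHE_AGE_SECONDS; otherwise build with --no-cache so the
# `apt-get update && apt-get dist-upgrade -y` layer actually runs again.

MAX_CACHE_AGE_SECONDS=$((12 * 60 * 60))   # 12 hours, the threshold from the issue

# cache_is_stale CREATED_EPOCH NOW_EPOCH MAX_AGE_SECONDS
# Succeeds (exit 0) when the cache should be discarded: no timestamp at all
# (image never pulled or never built) or strictly older than MAX_AGE_SECONDS.
cache_is_stale() {
  created="$1"; now="$2"; max_age="$3"
  if [ -z "$created" ]; then
    return 0
  fi
  age=$((now - created))
  [ "$age" -gt "$max_age" ]
}

# build_cache_args CREATED_EPOCH NOW_EPOCH MAX_AGE_SECONDS CACHE_IMAGE
# Prints the single docker build flag the policy selects.
build_cache_args() {
  if cache_is_stale "$1" "$2" "$3"; then
    printf '%s' '--no-cache'
  else
    printf '%s' "--cache-from=$4"
  fi
}

# iso8601_to_epoch TIMESTAMP
# Converts the value `docker image inspect --format '{{.Created}}'` prints,
# e.g. 2022-01-10T14:03:22.123456789Z, to seconds since the epoch.
# Assumes GNU date; on BSD/macOS use: date -j -u -f '%Y-%m-%dT%H:%M:%S' "$ts" +%s
iso8601_to_epoch() {
  ts=$(printf '%s' "$1" | cut -c1-19)
  date -u -d "$ts" +%s
}

# build_with_cache_policy CACHE_IMAGE
# Runs against a real daemon (not exercised by the test): pull the cache image,
# read its Created time, decide, build, and push the refreshed cache.
build_with_cache_policy() {
  image="$1"
  # The classic builder needs --cache-from images present locally; a failed
  # pull simply leaves no timestamp, which the policy treats as stale.
  docker pull "$image" >/dev/null 2>&1 || true
  created_iso=$(docker image inspect --format '{{.Created}}' "$image" 2>/dev/null || true)
  created_epoch=""
  if [ -n "$created_iso" ]; then
    created_epoch=$(iso8601_to_epoch "$created_iso")
  fi
  flags=$(build_cache_args "$created_epoch" "$(date -u +%s)" "$MAX_CACHE_AGE_SECONDS" "$image")
  echo "cache policy decided: docker build $flags"
  # $flags is intentionally unquoted: it holds exactly one flag and must be word-split.
  docker build $flags -t "$image" .
  docker push "$image"
}
```

Calling `build_with_cache_policy myimage:cache` from a CI job reproduces the 12 hour behaviour the issue describes for plain docker; the point for skaffold is that there is currently no equivalent hook, because the cache image is pulled and used unconditionally.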