Docker image update policy #342
Comments
|
Neo4j is a supported, official docker image. As such, the people at docker automatically rebuild our images when there are changes and updates to our base images. We maintain a list of supported Neo4j versions and their image tags for the people at docker: The parts of this update process we control are:
Updating the Neo4j image contentsAll the Neo4j image source code can be found here: It is extremely rare that we change the contents of an image after publishing, and even then it will only be a change to the docker entrypoint scripts around Neo4j and never any part of the database itself. Which Neo4j versions should get updatesCurrently all supported major, minor and patch versions of Neo4j will automatically receive security updates from docker. When Neo4j 5.0.0 is released, we are only going to list the latest patch version of a major.minor version as supported in docker. This will apply retroactively to all existing Neo4j releases. Neo4j versions not listed at https://github.com/docker-library/official-images/blob/master/library/neo4j are still available for use, they just do not get the updates to the base image. |
|
For your question about getting notifications about when an image is updated, I don't know. Those updates are done by docker, not Neo4j, you would have to ask docker support about how to monitor a particular tag for changes. |
Yes I suppose that is true. Although, I would argue that this is true for all docker tags. Docker tags are mutable by design. Unless you manage the image yourself (or specify which image you want by digest) you do risk unexpected changes. For |
Thanks for the pointer -- docker-library/official-images#1864, in particular, in which I could read the rationale behind having all the point versions to be rebuilt.
I am not sure what to think about this, honestly. I, as a end user, should not have to worry about who published the image into the docker registry: was it the engineering team? was it a bot/automatic process? Don't care. If docker.hub is an official distribution channel for neo4j, then you are ultimately responsible for everything happening on it (in a way it becomes part of your product), and if already published versions are expected to be rebuilt, even after months from their initial publication, I somehow think this should be clearly stated somewhere.
If you think about it, it's all about expectations and what people can do vs should do:
Also, talking about digests: are the digests for any image that gets re-built, kept around, forever? Or will those disappear the moment the tag is re-built?
This works well in theory; in practice, these undocumented parts are part of the image anyway, and users will inevitably rely on them, directly or indirectly (e.g. without realizing it, we were relying on the fact that Neo4j was running on Debian 10, and when it switched to 11, it all stopped to work). So, to recap:
Once we agree on / confirm the above, I think there won't be anything else left discussing. I will be honest: I would rather have neo4j (and other services) not to to automatically re-build old point versions, but it's just my personal opinion of course, and I don't expect you do anything with it. From where I stand, at least now I know what to expect, and can act accordingly. Thanks, |
Hey,
My team is using a fairly old version of Neo4j (4.2.8 to be precise) and all of us got a bit surprised when we realized that the image that we had been using for almost a year, had recently been updated:
Even more surprising was that the newer version (or one that got "updated" sometime in between last summer and 13 days ago) was now shipping Debian 11, which unfortunately requires the host environment to run a more recent version of docker (see: #318). Note: the 4.2.8 version that we have, cached inside our CI/CD environment, runs Debian 10, and we never run into any permissions issue with it.
Now, we are working things out internally to try and switch to a newer version of docker on the host, and to a newer version of neo4j; however, I also wanted to understand more of how are the Neo4j docker images getting updated. From where I stand it seems as if you were treating all the published tags as rolling versions, i.e. like
latest, where pulling it today or in one month might give different results; however, I question if this is what the different engineering teams are actually expecting, especially given that quite a big change (like the upgrade of the underlying OS) could be snuck into a tag rewrite and potentially set your whole CI/CD pipeline on fire.I know we can refer to images by their digest, and that's what we will ultimately end up doing if we realized we could not trust a specific version, like
4.2.8, to stay immutable; however, if version 4.2.8 today is different from version 4.2.8 from one week ago, how could I then (1) be notified about the update, and (2) audit the new version to confirm it's compatible with our deployment environment?Thanks,
M.
The text was updated successfully, but these errors were encountered: