[CI] Docker image updates #1799
Conversation
| uses: docker/build-push-action@v2 | ||
| with: | ||
| push: true | ||
| file: scripts/docker/Dockerfile.release |
There was a problem hiding this comment.
You can actually cache layers in docker builds with Buildx, which gives a significant performance boost here.
First you'd need to set up caching, with a separate step (prior build-push-action):
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-And then in your build-push-action itself you just add
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cacheproperties, and everything seems to work. (At least on that silly side-project of mine.)
scripts/docker/Dockerfile.release
Outdated
| @@ -0,0 +1,46 @@ | |||
| FROM debian:buster-slim | |||
There was a problem hiding this comment.
it's better to use "Dockerfile" as an extension: release.Dockerfile. Other way many linters do not recognize it.
scripts/docker/Dockerfile.release
Outdated
| io.parity.image.vendor="Parity Technologies" \ | ||
| io.parity.image.title="parity/polkadot" \ | ||
| io.parity.image.description="polkadot: a platform for web3" \ | ||
| io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/docker/Dockerfile" \ |
There was a problem hiding this comment.
| io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/docker/Dockerfile" \ | |
| io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/docker/release.Dockerfile" \ |
|
|
||
| # ===== SECOND STAGE ====== | ||
|
|
||
| FROM phusion/baseimage:0.11 | ||
| LABEL maintainer "chevdor@gmail.com" | ||
| FROM debian:buster-slim | ||
| LABEL description="This is the 2nd stage: a very small image where we copy the Polkadot binary." |
There was a problem hiding this comment.
could use the same Label as in release.Dockerfile below
There was a problem hiding this comment.
The intention of this Dockerfile is to be used by users - i.e., for dev purposes etc., so it doesn't make sense to have vendor info and references to variables (like $VCS_REF) that won't be present
There was a problem hiding this comment.
OCI recommends filling labels as a best practice. At least it can be handy to know where is the code of this Dockerfile, this could be in label.
scripts/docker/Dockerfile.release
Outdated
| VOLUME ["/polkadot"] | ||
|
|
||
| ENTRYPOINT ["/usr/bin/polkadot"] | ||
|
|
There was a problem hiding this comment.
also I have some questions on diff scripts/docker/Dockerfile scripts/docker/Dockerfile.release
- why different base?
- why different endpoint for the binary?
- why did you omit creating a user?
There was a problem hiding this comment.
why different base?
As per our README.md, I only claim our packages support the latest release versions of debian + ubuntu. It won't work with debian stretch - this is actually because the image used to build our release bins is base-ci-linux, which is based on buster also.
why different endpoint for the binary?
This dockerfile installs polkadot from our apt repository, so it gets placed in /usr/bin/ rather than /usr/local/bin.
why did you omit creating a user?
The polkadot user is created as part of installing the debian package.
There was a problem hiding this comment.
which is based on buster also
oh, then we should change the base for the other image.
There was a problem hiding this comment.
The polkadot user is created as part of installing the debian package.
It's worth mentioning in the comment there.
scripts/docker/Dockerfile.release
Outdated
| ca-certificates \ | ||
| curl \ | ||
| gnupg && \ | ||
| gpg --recv-keys --keyserver hkps://keys.mailvelope.com 9D4B2B6EB8F97156D19669A9FF0812D491B96798 && \ |
There was a problem hiding this comment.
indentation here and below
The main advantage is that we trigger it when the release is published rather than tagged. Since we perform a bunch of tests after the tag is pushed but before the release is published, it makes more sense to only push our docker images once the release is actually published. |
This PR makes a number of changes:
scripts/docker/Dockerfile.releasedoc/docker.mdto specify using our official docker images, rather than ones based on phusion. As per our Docker images maintenance policy: Use only official (in the _ namespace) third-party DockerHub images are allowed, both in direct use and inherited with FROM.docker/Dockerfileto be based onparitytech/ci-linux:productionas per the aforementioned Docker images maintenance policy.