Closed Bug 1273332 Opened 8 years ago Closed 8 years ago

Generate a docker-image-shasum256.txt file in CI

Categories

(Firefox :: Normandy Server, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: mythmon, Unassigned)

References

(Blocks 1 open bug)

Details

"CI builds should generate a docker-image-shasum256.txt (example) file containing only the sha256 hash for the docker image."

https://github.com/mozilla-services/Dockerflow#optional-recommendations

This will help us trace the path from developer code (in signed git commits) to deployed services (which deploy from Docker images that have certain sha256 sums).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
This turned out to be misguided. It's been removed from the Dockerflow spec.
I still see this recommendation in the link provided in comment 0. Is there somewhere else I should be looking? What was misguided about this? Is there an alternate suggestion for assuring that the Docker images we deploy are the ones we built?
Flags: needinfo?(bwong)
My bad. I just merged: https://github.com/mozilla-services/Dockerflow/pull/24
Flags: needinfo?(bwong)
Is there an alternate suggestion for assuring that the Docker images we deploy are the ones we intended?
Flags: needinfo?(bwong)
AFAIK, the only way to verify is to compare the digest hash from a `docker pull` to the one created by the `docker push`. I wrote a script that we use in cloudops to verify Dockerflow-compliant images before deploying them.

I copy/pasted it here: https://gist.github.com/mostlygeek/ced06ba017cb4834a4484123ee065574
Flags: needinfo?(bwong)
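
The comparison described in the comment above, as an added example (it is not the cloudops script from the linked gist): it extracts the manifest digest from captured `docker push` and `docker pull` output and fails closed when the two differ or either is missing. The function names, registry name, tag and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the digest reported by `docker push` with the one
# reported by `docker pull`, using captured command output.

# A successful push ends with: "<tag>: digest: sha256:<64 hex> size: <n>"
push_digest() {
    sed -n 's/^.*: digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9]*$/\1/p' | tail -n 1
}

# A pull reports: "Digest: sha256:<64 hex>"
pull_digest() {
    sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p' | tail -n 1
}

# verify_digests PUSH_OUTPUT PULL_OUTPUT
# Prints the digest and returns 0 on a match, 1 on a mismatch,
# 2 when either output has no digest line (fail closed).
verify_digests() {
    pushed=$(printf '%s\n' "$1" | push_digest)
    pulled=$(printf '%s\n' "$2" | pull_digest)
    if [ -z "$pushed" ] || [ -z "$pulled" ]; then
        echo "no digest found in captured output" >&2
        return 2
    fi
    if [ "$pushed" != "$pulled" ]; then
        echo "digest mismatch: pushed=$pushed pulled=$pulled" >&2
        return 1
    fi
    printf '%s\n' "$pushed"
}

# Constructed sample output (registry, tag and digest are made up).
HEX16=0123456789abcdef
SAMPLE_DIGEST="sha256:$HEX16$HEX16$HEX16$HEX16"
SAMPLE_PUSH="The push refers to repository [registry.example.com/app]
5f70bf18a086: Pushed
v1: digest: $SAMPLE_DIGEST size: 1576"
SAMPLE_PULL="v1: Pulling from app
Digest: $SAMPLE_DIGEST
Status: Downloaded newer image for registry.example.com/app:v1"

verify_digests "$SAMPLE_PUSH" "$SAMPLE_PULL"
```

In a pipeline the push output would be captured at build time and the pull output on the deploy host, with a non-zero return blocking the deploy.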
Product: Shield → Firefox