1468490 - Update Docker base image from Debian 8 (Jessie) to 9 (Stretch)

Status: RESOLVED FIXED

(developer.mozilla.org :: Security, enhancement, P1)

Description

[John Whitlock [:jwhitlock]]

What feature should be changed? Please provide the URL of the feature if possible.
==================================================================================
The official Docker Python image uses multiple tags for the same image, to allow users to choose specific or generic images. The kuma_base image uses python:2.7-slim, which was the same as 2.7-slim-jessie (Debian 8) until June 2018, when it switched to 2.7-slim-stretch and Debian 9. 

We switched to 2.7-slim-jessie, because the 2.7-slim-stretch has different dependencies (no gpg for downloading node.js signing keys, different name for MySQL libraries) which required more changes then we wanted to make during the Django 1.11 update. We continue to use Debian 8.

What problems would this solve?
===============================
Debian 8 will cease to get security updates after June 17, 2018. Debian 9 is the current stable release, supported until 2020.

Who would use this?
===================
Developers and system maintainers

What would users see?
=====================
Kuma base images would continue to get security updates. Quay.io reports known, fixable errors:

https://quay.io/repository/mozmar/kuma_base?tab=tags



What would users do? What would happen as a result?
===================================================
Developers would use support Debian base images in development and deployment environments.

Is there anything else we should know?
======================================
The switch to specify Jessie was in:

https://github.com/mozilla/kuma/pull/4830/commits/c7ec8660e171f8cedb682c835315bc920dfbc963

The switch in the upstream tags was at:

https://github.com/docker-library/official-images/pull/4385/files#diff-051bb6df61b6c6e7f8c1868985011b07R43

Comment 1

[[github robot]]

Commits pushed to master at https://github.com/mozilla/kuma

https://github.com/mozilla/kuma/commit/f132b25bd444b8c2464ee9f43573d5890df89871
bug 1468490: Update to Debian 9 (stretch) base

Update the Python base image from Debian 8 (jessie) to 9 (stretch),
which is the current LTS release, along with some additional cleanup:

Move the ENV declarations to the top, to reduce the number of
intermediate images.

Move all the package installation to the same section, to avoid
refreshing the apt-get cache twice. Include the gpg package and
dependencies, which is no longer in the default image. Update the names
of the MySQL packages.

Update the node.js installation code to bump the minor version and use
the current code for importing GPG signing keys. Drop the unused yarn
install. The 8.x node.js update will come later.

https://github.com/mozilla/kuma/commit/5ed72f2d430075ee7140dc274cf8c11acfdb6db8
Merge pull request #4850 from jwhitlock/debian-image-1468490

bug 1468490: Update to Debian 9 (stretch) base image

Comment 2

[Anthony Maton [:anthony]]

Attachment: Error log when attempting to build the image

I have issues building the image locally after this change, I attached the stacktrace I get from docker.

The command I run is `make build-base VERSION=latest`.

Comment 3

[Anthony Maton [:anthony]]

The solution for me was to edit the Dockerfile and `-stretch` at the end of the image name (FROM python:2.7-slim-stretch)

Comment 4

[John Whitlock [:jwhitlock]]

This is building correctly in Jenkins and TravisCI. After a successful production push, I plan to close the bug.

Anthony, my best guess is that you have an out-of-date base image. Try pulling the latest python image first:

docker pull python:2.7-slim
make build-base VERSION=latest

Comment 5

[Anthony Maton [:anthony]]

Works for me that way, probably some kind of caching somewhere.

Comment 6

[John Whitlock [:jwhitlock]]

Deployed to staging and production.