Please do not update major versions of Ruby dependencies by default in tagged Docker images

zaksoup · February 5, 2019, 12:37am

Hi CircleCI Community,

We use the ruby:2.4.6-node-browsers tagged docker images in our build. Recently, it appears that this docker image had its default version of rubygems updated to 3.x.

I’ve been looking and I can’t find an announcement that this breaking change (the --no-rdoc and --no-ri flags were removed in favor of --no-document) would be occurring. Seeing as RubyGems 3.0 was only released in December it doesn’t seem like this has been a long time coming.

It also breaks my expectation that without any code changes on my part a new run of my build might change because a tagged docker image was updated transparently to me.

I understand and value the effort the CircleCI team puts into maintaining these docker images, but it would be my expectation that transparent updates to them would not contain major version updates with breaking changes by default.

In the mean time we’ve updated our build scripts to support the new RubyGems syntax and everything is fine.

I understand that many people also want and need the new versions of various dependencies that are included in the image. I wonder what solution the community would prefer to solve the needs of people who need stable major versions, and also the needs of folks who need updates to these dependencies. In some cases I have built my own dockerfiles that install updates to browser dependencies but not everybody may be interested in owning their own images just for CI.

FelicianoTech · February 6, 2019, 9:05pm

This change was done upstream by the Docker Community on December 22nd: https://github.com/docker-library/ruby/commit/0ad99abb2b6d2df55d7b9b38440dacfe436fe0c3

That sucks. We’re working on preventing upstream changes like this to break builds.

zaksoup · February 6, 2019, 11:24pm

Thanks for pointing this out. I also appreciate your concern about not allowing upstream changes to break builds. In the meantime I think we’re going to begin maintaining our own ruby dockerfiles based on yours.

eddiewebb · February 8, 2019, 9:08pm

One alternative is to lock builds to explicit sha1 of the image. Unlike tags these hashes are immutable.

You can find the sha to use by looking at the last successful job’s "spin up environment " step. It’s near the end of the output and looks liek:

Digest: sha256:feba6387fb27073d35a7510ec46b29bd6b63d565ff5bcb15eb074438de6cb800
Status: Downloaded newer image for circleci/circleci-cli:0.1.2709
  using image circleci/circleci-cli@sha256:feba6387fb27073d35a7510ec46b29bd6b63d565ff5bcb15eb074438de6cb800

So in my example i would replace circleci/circleci-cli:0.1.2709 with circleci/circleci-cli@sha256:feba6387fb27073d35a7510ec46b29bd6b63d565ff5bcb15eb074438de6cb800

system · February 18, 2019, 9:08pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
RubyGems vulnerability March 2019 Build Environment ruby , docker , rubygems	3	1109	March 21, 2019
Ruby v2.4.2 and Ruby v2.3.5 CircleCI 2.0 Images Build Environment	1	938	June 18, 2018
CircleCI Ruby Docker Images Have New Default Distro Build Environment	1	1155	August 22, 2018
Docker image for ruby 2.5.4 and 2.6.2 Build Environment	7	3499	March 25, 2019
Ruby:2.3 image contains ruby 2.3.4 was expecting 2.3.0 Build Environment	3	2063	June 18, 2018

Please do not update major versions of Ruby dependencies by default in tagged Docker images

Related Topics