Please do not update major versions of Ruby dependencies by default in tagged Docker images

docker
rubygems

#1

Hi CircleCI Community,

We use the ruby:2.4.6-node-browsers tagged docker images in our build. Recently, it appears that this docker image had its default version of rubygems updated to 3.x.

I’ve been looking and I can’t find an announcement that this breaking change (the --no-rdoc and --no-ri flags were removed in favor of --no-document) would be occurring. Seeing as RubyGems 3.0 was only released in December it doesn’t seem like this has been a long time coming.

It also breaks my expectation that without any code changes on my part a new run of my build might change because a tagged docker image was updated transparently to me.

I understand and value the effort the CircleCI team puts into maintaining these docker images, but it would be my expectation that transparent updates to them would not contain major version updates with breaking changes by default.

In the mean time we’ve updated our build scripts to support the new RubyGems syntax and everything is fine.

I understand that many people also want and need the new versions of various dependencies that are included in the image. I wonder what solution the community would prefer to solve the needs of people who need stable major versions, and also the needs of folks who need updates to these dependencies. In some cases I have built my own dockerfiles that install updates to browser dependencies but not everybody may be interested in owning their own images just for CI.


#3

This change was done upstream by the Docker Community on December 22nd: https://github.com/docker-library/ruby/commit/0ad99abb2b6d2df55d7b9b38440dacfe436fe0c3

That sucks. We’re working on preventing upstream changes like this to break builds.


#4

Thanks for pointing this out. I also appreciate your concern about not allowing upstream changes to break builds. In the meantime I think we’re going to begin maintaining our own ruby dockerfiles based on yours.


#5

One alternative is to lock builds to explicit sha1 of the image. Unlike tags these hashes are immutable.

You can find the sha to use by looking at the last successful job’s "spin up environment " step. It’s near the end of the output and looks liek:

Digest: sha256:feba6387fb27073d35a7510ec46b29bd6b63d565ff5bcb15eb074438de6cb800
Status: Downloaded newer image for circleci/circleci-cli:0.1.2709
  using image circleci/circleci-cli@sha256:feba6387fb27073d35a7510ec46b29bd6b63d565ff5bcb15eb074438de6cb800

So in my example i would replace circleci/circleci-cli:0.1.2709 with circleci/circleci-cli@sha256:feba6387fb27073d35a7510ec46b29bd6b63d565ff5bcb15eb074438de6cb800


closed #6

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.