-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apko_config
-> apko_build
loses information about the original request
#208
Comments
Looking at the newer libcurl, we see:
Compare to the previous version:
We have this new requirement of
Unfortunately, both new and old libcurl express the dependency in the same way:
So anything that provides I'm not sure if the dependency information in APKs is rich enough to express this kind of thing without human intervention... but maybe we could do more sophisticated things in our SCA? |
Our normal usage of the provider, as codified in terraform-publisher-apko, passes an unresolved config to
apko_config
, which resolves the package versions and emits the resolved config as an attribute. We then pass that resolved config toapko_build
to build the image. We do this mainly to isolate resolution from building, and so we can attest and attach the resolved config to the built image.However, this means that
apko_build
produces an image with an/etc/apk/world
with fully resolved packages, locking them in place. As far asapko_build
is concerned, it was asked to build an image with exactly those packages at those versions, so it did that. The original request -- which we should write to the resulting image's/etc/apk/world
-- was lost in the resolving process.The
apko
CLI by itself doesn't exhibit this behavior:An image produced by
apko_config -> apko_build
does:This matters because the original user's request was not "exactly all these packages at these versions" -- it was "whatever it takes to install
wolfi-base
please". That unresolved request is what/etc/apk/world
communicates.This is practically a problem when users run
apk add
in an image built in this way, with a fully locked APK world. Take a months-oldwolfi-base
image and try toapk add curl
Note the locked world, with openssl libraries locked at 3.1.4, the latest available at the time the image was built.
Now let's add
curl
:apk add
succeeded, but it did the wrong thing, because thecurl
I just installed needs a newer openssl than the one we locked into the image.This could have been avoided if the world hadn't been locked to the set of packages that was appropriate at the time the image was built, but instead reflected the original request.
Unpinning the world and
apk upgrade
ing seems to fix the glitch:🎉
We also could have made the world just
wolfi-base
andcurl
and that would work too -- all the packages in the world come from the original request for thewolfi-base
package.Back to tf-apko:
This locking behavior is not exhibited by
apko
itself, as demonstrated above withapko publish
. It's only an artifact of how we resolve-then-build using tf-apko.If
apko_config
's output retained some information about its original request that it could feed toapko_build
to populate its unlocked world, we could correctly populate the unlocked world. It may even make sense to attest both the locked package-versions, and the original requested packages (after all TF variables/provider overrides were taken into account), since this could be useful information, and we lose it today.Another alternative would be to have
apko_build
produce a locked resolved config output and take the unresolved config as an input.Instead of
...we'd have:
(We already attest after building, since attesting depends on
check-sbom
)The text was updated successfully, but these errors were encountered: