Tags: docker, build, immutability, digest

Docker digest supposed to be immutable, but getting different build steps


Back in January I built a version of my app using 'FROM node:10.12.0'.

The Semaphore build process logs show this:

d8268e1e433b: Pull complete 
Digest: sha256:00a7fb3df8e94ed24f42c2920f132f06e92ea5ed69b1c5e53c4bb3d20e85a3e2
Status: Downloaded newer image for node:10.12.0
 ---> a2b9536415c2
Step 2/11 : RUN apt-get update
 ---> Running in f9bd6b252e7f
Get:1 http://security.debian.org jessie/updates InRelease [44.9 kB]
Ign http://deb.debian.org jessie InRelease
Get:2 http://deb.debian.org jessie-updates InRelease [145 kB]
Get:3 http://security.debian.org jessie/updates/main amd64 Packages [790 kB]
Get:4 http://deb.debian.org jessie Release.gpg [2420 B]
Get:5 http://deb.debian.org jessie-updates/main amd64 Packages [23.0 kB]
Get:6 http://deb.debian.org jessie Release [148 kB]
Get:7 http://deb.debian.org jessie/main amd64 Packages [9098 kB]
Fetched 10.3 MB in 2s (3476 kB/s)
Reading package lists...

Just now I attempted to put up a new build. I've not touched these build files or built since January. I thought everything should work. But I got this instead:

d8268e1e433b: Pull complete 
Digest: sha256:00a7fb3df8e94ed24f42c2920f132f06e92ea5ed69b1c5e53c4bb3d20e85a3e2
Status: Downloaded newer image for node:10.12.0
 ---> a2b9536415c2
Step 2/11 : RUN apt-get update
 ---> Running in e903db31c4a6
Get:1 http://security.debian.org jessie/updates InRelease [44.9 kB]
Ign http://deb.debian.org jessie InRelease
Get:2 http://deb.debian.org jessie-updates InRelease [7340 B]
Get:3 http://deb.debian.org jessie Release.gpg [2420 B]
Get:4 http://deb.debian.org jessie Release [148 kB]
Get:5 http://security.debian.org jessie/updates/main amd64 Packages [825 kB]
Get:6 http://deb.debian.org jessie/main amd64 Packages [9098 kB]
Fetched 10.1 MB in 4s (2509 kB/s)
W: Failed to fetch http://deb.debian.org/debian/dists/jessie-updates/InRelease  Unable to find expected entry 'main/binary-amd64/Packages' in Release file (Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old ones used instead.
The command '/bin/sh -c apt-get update' returned a non-zero code: 100

So I found out about Docker digests. I should be able to have purely immutable builds using digests. But... the digests of these two builds are the same!

Am I correct in thinking using a digest in the 'FROM' statement would not have helped me?

How could these two different builds have the same digest?


Solution

  • You are correct that the image you are building on top of is the same as before because the digests match. The problem is that doesn't mean the subsequent instructions in your Dockerfile will run the exact same way each time. In this case, when you call apt-get update you are reaching out to remote apt repos. I don't know a ton about that process specifically but basically it appears there was some update done that broke compatibility with this image. Any time you have remote dependencies like that (apt-get calls, downloading files, etc) they may change or become unavailable, causing your build to fail even if the underlying image is the same.

    For example, if I have this Dockerfile

        FROM ubuntu:latest
        RUN curl http://some.url --output some.file
    

    Every time I run the build, unless I have the layer cached, http://some.url needs to be available or the build will fail even if the underlying ubuntu image is the same.
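An added check, not from the question or the answer, that a CI job can run over the `docker build` output shown above: it assumes that log format, uses the question's digest as the pin, and separates "the base image changed" from "a later step failed while the base image was unchanged".

```shell
#!/bin/sh
# Added example (not from the original post). Pinning the base by digest, e.g.
#   FROM node:10.12.0@sha256:00a7fb3df8e94ed24f42c2920f132f06e92ea5ed69b1c5e53c4bb3d20e85a3e2
# fixes only the base layers; later RUN steps that reach apt repos or URLs
# can still change or fail. This script checks a `docker build` log for
# (1) whether the pulled base digest equals the pin and (2) which step failed.

# The digest from the question's own build log, used here as the pin.
PINNED_DIGEST="sha256:00a7fb3df8e94ed24f42c2920f132f06e92ea5ed69b1c5e53c4bb3d20e85a3e2"

# Constructed sample: an abridged copy of the second (failing) build log.
SAMPLE_LOG=$(cat <<'EOF'
d8268e1e433b: Pull complete
Digest: sha256:00a7fb3df8e94ed24f42c2920f132f06e92ea5ed69b1c5e53c4bb3d20e85a3e2
Status: Downloaded newer image for node:10.12.0
 ---> a2b9536415c2
Step 2/11 : RUN apt-get update
 ---> Running in e903db31c4a6
W: Failed to fetch http://deb.debian.org/debian/dists/jessie-updates/InRelease  Unable to find expected entry 'main/binary-amd64/Packages' in Release file
E: Some index files failed to download. They have been ignored, or old ones used instead.
The command '/bin/sh -c apt-get update' returned a non-zero code: 100
EOF
)

# Print the digest reported by the pull (nothing if the log has none).
pulled_digest() {
    printf '%s\n' "$1" | sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p' | head -n 1
}

# Succeed only if the pulled digest equals the pinned one.
base_matches_pin() {
    [ "$(pulled_digest "$1")" = "$2" ]
}

# Print the last "Step N/M : ..." line if the build reported a failure; the
# step that started last is the one that did not complete.
failed_step() {
    if printf '%s\n' "$1" | grep -q 'returned a non-zero code'; then
        printf '%s\n' "$1" | grep '^Step [0-9]*/[0-9]* : ' | tail -n 1
    fi
}

# One-word verdict so a CI job reports the right cause.
classify_build() {
    if ! base_matches_pin "$1" "$2"; then echo "base-image-changed"
    elif [ -n "$(failed_step "$1")" ]; then echo "step-failed"
    else echo "ok"; fi
}

classify_build "$SAMPLE_LOG" "$PINNED_DIGEST"
```

For the question's log this prints `step-failed`: the pinned base was pulled unchanged and the failure belongs to `Step 2/11 : RUN apt-get update`, which depends on remote repositories the digest does not cover.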