Keeping Up with Docker Official Images

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • docker-lock

    Automatically manage image digests in Dockerfiles, docker-compose files, and Kubernetes manifests by tracking them in a separate Lockfile

  • Shameless plug: I wrote a CLI plugin for Docker, docker-lock, to solve the mutable tag problem without having to manually specify hashes - https://github.com/safe-waters/docker-lock

    It creates a Lockfile (think package-lock.json) that tracks the image digests (sha256 hashes) of your base images, so you will always know exactly which images you are using even if you only specify tags. This way, you can know if a base image has changed, yet still receive important security updates that you would not receive if you hardcode the digest. It supports any registry, so it is useful even if you are not using Docker Hub. It also works with Dockerfiles, docker-compose files, and Kubernetes manifests.

    I hope anyone dealing with this issue finds it helpful :)

  • image-spec

    OCI Image Format

  • Incidentally, I've proposed official image annotations[0] that would let an image tell you what its base image is, both by immutable digest and by mutable tag, so you could detect this drift automatically.

    Automated tooling could look at these annotations and notify maintainers, or proactively rebuild/rebase when base images change[1].

    By having this information on the images themselves, you don't have to deal with as much source repo churn, though you might want that too.

    If your app layers have a strong enough contract with your base layers (buildpacks is really good for this!), then you can rebase[2] instead of rebuilding from source.

    [0] OCI spec proposal: https://github.com/opencontainers/image-spec/pull/822

  • go-containerregistry

    Go library and CLIs for working with container registries

  • [1] Proof of concept in the `crane` tool: https://github.com/google/go-containerregistry/pull/960

  • Diun

    Receive notifications when an image is updated on a Docker registry

  • I keep track of upstream image changes using https://github.com/crazy-max/diun

    ... but I also separately ensure all software installed in a Docker image is pinned to a version, and have a process I run daily to check whether the upstream package versions have changed, in which case I rebuild the images, which then get the updated (possibly security) version.

    It's fiddly, and a lot of bash and perl. I'd welcome similarly trustable tooling from a reputable source.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.