docs: add Docker image lifecycle concept document#1

Open
DeepDiver1975 wants to merge 3 commits into master from docs/image-lifecycle

Conversation

@DeepDiver1975

Contributor

What

Adds docs/IMAGE-LIFECYCLE.md — an authoritative, security-focused concept document describing how the official ownCloud Docker images (owncloud/server, owncloud/ocis, and the supporting base/php/ubuntu/web images) are built, tagged, scanned, kept up to date, and published.

Also adds a short repo README.md pointing to it.

Why

The security team asked for a clear write-up of how the final images are kept up to date with dependency and CVE fixes. That knowledge was previously scattered across per-repo READMEs, CI workflow YAML, .renovaterc.json and .trivyignore files across six separate repositories. This document consolidates it in one org-level place.

Highlights

  • Section 5 (Keeping images up to date) and Section 7 (Security control summary table) are written for the security audience: digest pinning + Renovate, build-time apt/apk upgrade, weekly + daily scheduled rebuilds, Trivy gating (exit-code: 1, ignore-unfixed), the .trivyignore exception process, and Dependabot/SHA-pinned Actions.
  • Content was verified against the actual reusable workflows in the ubuntu repo, the server/ocis main.yml/rolling.yml, the Dockerfiles, and the Renovate config — not from memory.

Review notes

  • Please review Section 5 and the Section 7 summary table for completeness/accuracy.
  • The doc describes concept/process; exact versions and digests remain sourced from the individual repos.

🤖 Generated with Claude Code

Document how the ownCloud server and ocis images are built, tagged,
scanned, kept up to date and published, with emphasis on the
dependency-update / vulnerability-management mechanism requested by
the security team.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975

Contributor Author

Review: Docker image lifecycle concept document

Documentation-only PR. Since the doc's stated value is fidelity to the real workflows ("verified against the actual reusable workflows… not from memory"), I fact-checked its claims against the six sibling repos (ubuntu, server, base, php, ocis, web). The large majority (workflow names, registry:3/port 5000, Trivy flags, native-build matrix runners, crons, digest pinning, smoke tests, .trivyignore contents, build args) match the source exactly. A few claims are wrong — two touch security controls.

Findings

1. §5a/§5c — Renovate is credited with Dependabot's schedule. The doc says Renovate opens PRs "weekly (Sun 22:00 UTC, ≤5 open PRs)". Neither .renovaterc.json, the owncloud-ops/renovate-presets:docker preset, nor the transitive base preset defines a global Renovate schedule or open-PR limit (the schedule:weekly there is scoped only to the devDeps-automerge rule, no time-of-day). The exact "Sunday 22:00 UTC / limit 5" values are the Dependabot config (.github/dependabot.yml). A security reader auditing update cadence would draw the wrong conclusion about when digest bumps arrive.

2. §5b + §7 table ("OS-package CVEs" row) — the web image does not run apk upgrade. The doc claims "Alpine images (oCIS runtime, web) run apk upgrade --no-cache" and that OS packages are refreshed on every build in each Dockerfile.multiarch. In web/Dockerfile.multiarch the only apk call is apk add --no-cache curl in the downloader stage; the final nginx:alpine stage runs no apk command. This is a false security-control claim — it tells the security team web gets OS-package patches on every rebuild when it doesn't. (oCIS runtime does run apk upgrade --no-cache.)

3. §6 — base-image smoke-test example cites a check that exists nowhere. The doc gives "a command check (e.g. php --version, nginx -t)". No image runs nginx -t (these images use apache2, not nginx), and the actual base check is php -r "echo 'OK'", not php --version (that's the php image's check). Low severity (it's an "e.g."), but nginx -t is fictional.

4. §3 tagging table — RC builds are described as "exact tag only" but also get an immutable date tag. build-date-tag: true is set at the matrix top level for all entries, so 11.0.0-rc1 / 8.1.0-rc.2 also receive a <version>-<YYYYMMDD> tag. The intent (no floating latest/major tags for RCs) is correct; only the "exact tag only" absolute is imprecise. Lowest severity.

Nothing else surfaced — the remaining ~30 verifiable claims matched the source down to literal cron strings, port numbers, jq field names, and CVE justification comments.

🤖 Generated with Claude Code

Fixes four fact-check findings on the image lifecycle doc:

- §5a/§5c/§7: attribute the 'Sun 22:00 UTC, <=5 PRs' cadence to
  Dependabot (github-actions), not Renovate. The Renovate docker preset
  has no fixed schedule/limit; it auto-merges allowlisted digest updates
  on green CI. Added a separate Dependabot row to the schedule table.
- §5b/§7: correct the OS-package upgrade claim. Only owncloud/ubuntu runs
  apt-get upgrade (cascading to php/base/server); the oCIS runtime runs
  apk upgrade; web has no apk upgrade and relies on nginx:alpine digest
  bumps.
- §6: fix smoke-test command examples per image (ubuntu os-release,
  php --version, base php -r echo OK, web nginx -t).
- §3: RC builds also receive an immutable <version>-<YYYYMMDD> tag; only
  floating latest/major/minor tags are omitted.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975

Contributor Author

Thanks — I verified all four findings against the source and pushed corrections in 4daf757. Every finding was valid; two of them (1 and 2) turned out to understate the automation, so the fixes also improve accuracy rather than just removing claims.

1. Renovate vs Dependabot cadence (§5a/§5c/§7) — Confirmed. The Sun 22:00 UTC / ≤5 values are server/.github/workflows/../dependabot.yml (github-actions ecosystem). I fetched the actual owncloud-ops/renovate-presets docker.json+base.json: the docker preset has no global schedule or open-PR cap — instead it auto-merges digest/pin updates for an allowlist (owncloud/*, ubuntu, alpine, golang, …) on green CI. Rewrote §5a to say that, split the schedule table into separate Renovate (digests) and Dependabot (Actions) rows, and updated the §7 cadence cell.

2. apk upgrade in web (§5b/§7) — Confirmed, and broader than flagged: only owncloud/ubuntu runs apt-get upgrade (php/base do not — they inherit the upgraded, digest-pinned ubuntu layer); the oCIS runtime runs apk upgrade; web's final nginx:alpine stage runs no apk at all. §5b now documents the per-image mechanism and the §7 row reflects it.

3. base smoke-test example (§6) — Fixed. Now lists each check accurately: ubuntu: /etc/os-release VERSION_ID; php: php --version; base: php -r "echo 'OK';"; web: nginx -t. One clarification: nginx -t isn't fictional — it's the real web check (web/.github/workflows/main.yml:30), web being nginx-based; the mistake was grouping it under "base images."

4. RC date tags (§3) — Confirmed. For ocis the date tag rides in docker-extra-tags at matrix level (main.yml:41) and for server via top-level build-date-tag: true, so both RCs get <version>-<YYYYMMDD>. Table now says RCs get version + date tag but no floating latest/major/minor tags.

🤖 Generated with Claude Code

@DeepDiver1975

Contributor Author

Re-review after revision — all four findings resolved ✅

Re-checked the revised doc against the real repos. The author addressed every previous finding, and I verified the new, more-specific claims added in the process:

  • §5a / §7 (Renovate). Corrected. Confirmed against owncloud-ops/renovate-presets docker.json: automerge: true scoped to ["pin","digest","pinDigest"], matchPackagePatterns allowlist really does include owncloud/*, ubuntu, alpine, golang (and more), and there is no schedule/prConcurrentLimit/prHourlyLimit for Docker updates. Dependabot's "weekly, Sun 22:00 UTC, ≤5 open PRs" is now correctly attributed to Dependabot in §5c/§5e. ✅
  • §5b / §7 (web apk upgrade). Corrected. Verified web/Dockerfile.multiarch final stage is digest-pinned nginx:alpine with no apk upgrade; only owncloud/ubuntu runs apt-get update && apt-get upgrade (php/base/server inherit it and run no upgrade of their own), and oCIS runtime runs apk upgrade --no-cache. The new per-image breakdown matches the Dockerfiles exactly. ✅
  • §6 (smoke tests). Corrected and now precise. Verified verbatim against each repo's main.yml: ubuntu asserts VERSION_ID from /etc/os-release, php runs php --version | grep -qF 'PHP 7.4'/'PHP 8.3', base runs php -r "echo 'OK';" | grep -q OK, web runs nginx -t. The fictional nginx -t on base/php images is gone. ✅
  • §3 (RC tags). Corrected. Now shows RCs get 11.0.0-rc1 + 11.0.0-rc1-<YYYYMMDD> with no floating tags — matching build-date-tag: true applying to all matrix entries. ✅

Nothing new surfaced. Two optional nitpicks (non-blocking):

  • §5a: the extend uses the github>owncloud-ops/renovate-presets:base form and the allowlist is implemented via matchPackagePatterns (regex), not matchPackageNames — the doc's prose is accurate either way.
  • §6: owncloud/ubuntu's smoke check is two matrix entries (. /etc/os-release && [ "${VERSION_ID}" = "24.04"/"22.04" ]), which the "asserts VERSION_ID" summary captures fine.

LGTM.

🤖 Generated with Claude Code
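The allowlisted digest auto-merge that the review thread above describes, written out as an added illustration of the Renovate rule shape; this is not the content of owncloud-ops/renovate-presets, which the page does not reproduce. The extends form, update types and package patterns are taken from the comments; the docker datasource match and the file name .renovaterc.json are assumptions.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>owncloud-ops/renovate-presets:base"],
  "packageRules": [
    {
      "description": "Illustrative rule: auto-merge only digest/pin bumps for allowlisted images; any other update (major, minor, unlisted image) stays a PR for human review",
      "matchDatasources": ["docker"],
      "matchUpdateTypes": ["pin", "digest", "pinDigest"],
      "matchPackagePatterns": ["^owncloud/", "^ubuntu$", "^alpine$", "^golang$"],
      "automerge": true
    }
  ]
}
```

Renovate merges an automerge-eligible PR only after the branch's status checks pass, which is the "on green CI" condition the thread refers to; with no schedule or prConcurrentLimit in the rule, digest bumps arrive as soon as Renovate runs rather than on the Sunday 22:00 UTC cadence that belongs to Dependabot.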

The owncloud/web image repository is being retired, so drop it from
the lifecycle doc: image list, topology, build-args and tagging tables,
per-image OS-package/version notes, publishing conditions, smoke-test
examples, the §7 security-control table, and references. The oCIS
embedded web-assets build step is unrelated and stays.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>