Good dockerfile with fixed version FROM statement stops working...

[kamil-kielczewski]

My old good docker file stops working (!)

FROM nginx:1.13.0-alpine

# install console and node
RUN apk add --no-cache \
    bash=4.3.46-r5 \
    openssl=1.0.2k-r0 \
    nodejs

Error:

Sending build context to Docker daemon 1.274MB
Step 1/8 : FROM nginx:1.13.0-alpine
---> f00ab1b3ac6d
Step 2/8 : RUN apk add --no-cache bash=4.3.46-r5 openssl=1.0.2k-r0 nodejs
---> Running in f54d07a60ce0
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
openssl-1.0.2n-r0:
breaks: world[openssl=1.0.2k-r0]
The command '/bin/sh -c apk add --no-cache bash=4.3.46-r5 openssl=1.0.2k-r0 nodejs' returned a non-zero code: 1

WHY ? :( :( :(
I used FIXED version number in FROM statement :( :( :( - few months ago it works without any problems

[tianon]

If you're looking for an image reference which never changes, I'd recommend instead using an explicit sha256 digest (as can be found via either the output of docker pull, or from https://github.com/docker-library/repo-info/tree/master/repos/nginx) -- image tags are always going to be mutable (and things like the version of Alpine they contain might change over time).

In this case, it really looks like Alpine had an update to the openssl package in Alpine 3.5, so your explicit openssl=1.0.2k-r0 no longer works because the package version in 3.5 is now 1.0.2n-r0 (https://pkgs.alpinelinux.org/packages?name=openssl&branch=v3.5), so you would've been bit by this error regardless.

[kamil-kielczewski]

Thank you for your advice :)

Do you know why tags with fixend number can change over time (SIC!) (for example in node/npm or php/composer that kind of situations never happens) ?

[tianon]

The tags are semantic (human-friendly) labels for you to get the latest released artifact which corresponds to NGINX version 1.13.0 based on Alpine Linux -- if Alpine Linux has a security update, for example, the nginx:1.13.0-alpine image will be rebuilt to include it.

[tianon]

The tag isn't a "version number" per-se (like it is in npm or composer), but rather just a generic string of text which happens to correspond to a version number.

[kamil-kielczewski]

I have some proposition/idea - may be it will be good to introduce additional tag with strict version number which content not change over time? (for example: version_nginx1.13.8-alpine3.5) ?

[tianon]

Some images have done exactly that -- see docker-library/golang#170, docker-library/python#215, docker-library/ruby#142, docker-library/php#507, docker-library/openjdk#157.

At the end of the day, this wouldn't have solved your issue though. The issue you're seeing is due to Alpine updating a package in their repositories, and the version you're trying to install thus being no longer available.

[kamil-kielczewski]

ok now i understand - it's no problem with image