Ubuntu 22.04 #643

Closed
ansd opened this issue Jun 15, 2023 · 4 comments · Fixed by #644
@ansd

ansd commented Jun 15, 2023

Should we update Ubuntu from 20.04 to 22.04?
It would have been nice to do so for the RabbitMQ 3.12.0 image already.
I suggest we should do it for the 3.13 image.

I suggest we start using Ubuntu 22.04 in 3.12.1

See https://www.rabbitmq.com/install-debian.html#supported-distributions

@michaelklishin
Collaborator

Note that we'd be going from an LTS release to an LTS release, and both are supported by Team RabbitMQ. They both also have a large user base.

So I'd say we should adopt 22.04 starting with 3.12.x.

@tianon
Member

tianon commented Jun 15, 2023

I don't feel really strongly one way or the other, but it seems pretty reasonable to me to update even the older (still supported) versions to ubuntu:22.04 as well -- is the reason not to just to stay more conservative?

(Given we build both Erlang and OpenSSL directly from source, I don't see a high chance of incompatibility from doing so, but I admit I'm not well-versed in the ways that might go wrong for RabbitMQ specifically!)

@lukebakken
Collaborator

lukebakken commented Jun 16, 2023

Sure thing, it makes the change simpler to use 22.04 for everything. I can keep the new values in version.sh / versions.json if we think different base image versions may be useful in the future.

One thing I noticed that the build process does not do on the final layer is update the software that is there (apt-get upgrade). I'm assuming this is intentional because it's unpredictable?

@tianon
Member

tianon commented Jun 20, 2023

This is a saved reply that @yosifkit likes to use for answering that question 😄


We recommend against using blanket package upgrades (apt-get upgrade/apk upgrade/yum upgrade/yum update) for official-images. When package upgrades are applied in a dependent image, it duplicates content of the base image, making the image larger than necessary. It also only delays the inevitable "there are outdated packages". The Official Images build pipeline makes heavy use of docker build cache, so we make periodic base image updates to then fully rebuild all dependent images (e.g. the Debian image updates).

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves


(The Ubuntu images we're based on here are currently updated on roughly a three week cadence unless there's a really serious CVE.)
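
A check for the policy quoted in the comment above, as an added example that is not part of the thread or of the docker-library tooling: a small Python linter that flags the blanket upgrade commands the reply names (`apt-get upgrade`, `apk upgrade`, `yum upgrade`, `yum update`) in a Dockerfile's `RUN` instructions. The function names and both sample Dockerfiles are constructed for illustration.

```python
import re

# The four blanket upgrades named in the quoted reply. `apt-get update` only
# refreshes package indexes and is not flagged; `yum update` upgrades packages.
BLANKET_UPGRADE = re.compile(
    r"\b(?:apt-get|apk|yum)\s+(?:-\S+\s+)*upgrade\b"
    r"|\byum\s+(?:-\S+\s+)*update\b"
)

def logical_lines(text):
    """Yield (start_line, instruction) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines are dropped, even inside a continuation
        if start is None:
            start = no
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)

def find_blanket_upgrades(dockerfile_text):
    """Return [(line_no, command)] for RUN instructions that upgrade everything."""
    findings = []
    for no, instr in logical_lines(dockerfile_text):
        parts = instr.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "RUN":
            for m in BLANKET_UPGRADE.finditer(parts[1]):
                findings.append((no, " ".join(m.group(0).split())))
    return findings

# Constructed sample Dockerfiles (not taken from the rabbitmq image repository).
GOOD = """\
FROM ubuntu:22.04
RUN apt-get update \\
    && apt-get install --yes --no-install-recommends ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
"""
BAD = """\
FROM ubuntu:22.04
# refresh everything in the final layer
RUN apt-get update \\
    && apt-get -y upgrade \\
    && apt-get install --yes --no-install-recommends ca-certificates
"""
```

Findings are reported at the line where the `RUN` instruction starts, so a command buried in a continuation is still attributed to the instruction that creates the layer.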

lukebakken added a commit that referenced this issue Jun 20, 2023
Continues to use Ubuntu 20.04 for 3.11, 3.10 and 3.9

Fixes #643

Use Ubuntu 22.04 as the base image

Bump OpenSSL to 3.1.x series, use Ubuntu 22.04