Docker 20.10 support on SaaS?

As of 2021-01, on SaaS we can use Docker by running sudo docker-up, but that version is only 19.03.

Can we use Docker 20.10?

$ date
Wed 13 Jan 2021 03:42:37 PM UTC
$ docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:52 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:20 2020
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 gitpod:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

If you want to use only the latest version of Docker CLI (20.10.2 as of 2021-01-13), do as follows:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
sudo apt-get install docker-ce-cli

(cf. https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository)

then you will see:

$ docker version
Client: Docker Engine - Community
 Version:           20.10.2
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        2291f61
 Built:             Mon Dec 28 16:17:43 2020
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:20 2020
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 gitpod:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Hi @tnir :wave:

Indeed, great catch! Many thanks for reporting this.

The instructions that install Docker into Gitpod’s default workspace image are here:

Now, while these instructions would seem to always install the latest available Docker version, our custom Docker build system Dazzle caches every “layer” (i.e. every Dockerfile instruction between LABEL dazzle/layer=tool-docker and the next such LABEL) independently.

So, what likely happened is that Dazzle built this layer when 19.03.13 was the latest available Docker version, and is now keeping that (now outdated) version in cache “forever”.

The solution is to “invalidate” the Dazzle cache for this “layer”, simply by modifying at least one of the Dockerfile instructions in that “layer”.

The way we’ve solved this problem to keep other important tools up-to-date was to either:

  1. Add an explicit version string to the Dockerfile instructions (e.g. NODE_VERSION=14.15.4) and then have Autofix automatically send a Pull Request when a newer version is available (with a custom-built updater like upgrade-nvm-tools.js and a cronjob)

  2. Or, simply add an unused ENV variable counter (e.g. TRIGGER_BREW_REBUILD=1) that we manually increment every time we want to invalidate & rebuild a given Dazzle layer

In this case, I’d personally go with option 2. and add an ENV TRIGGER_DOCKER_REBUILD=1 into the aforementioned Docker installation instructions, unless you’re interested in teaching Autofix how to determine the latest available Docker version (and e.g. implement an update-docker.js script under autofix/fixers/ that checks https://download.docker.com/linux/ubuntu).


@jan Thanks. At this moment, it is enough to use option 2 since we will not have Docker 21.XX in the near future, but there will be some small room for security vulnerabilities in 20.10.XX after 20.10.2, if there are any.


Thanks @tnir! That makes sense to me (also, I forgot to mention that Autofix aims to only send Pull Requests that can be merged without risk, i.e. it only proposes patch upgrades, or minor upgrades for tools where this is generally safe/inconsequential – it will generally never propose major upgrades).

I’ll implement option 2. to refresh the Docker Dazzle layer, and thus upgrade Docker to latest stable in Gitpod workspaces.

EDIT: Here is the Pull Request: https://github.com/gitpod-io/workspace-images/pull/331

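Added example, not part of the thread and not Gitpod's or Autofix's own code: the version check that an updater such as the update-docker.js suggested above would need, applying the policy described in the last reply (propose patch and minor upgrades, never major ones). The function names, the sample index text and the choice to treat Docker's first version component as the "major" number are assumptions.

```javascript
// Constructed sample of an apt "Packages" index; not fetched from the real repository.
const SAMPLE_PACKAGES = [
  'Package: docker-ce-cli\nVersion: 5:19.03.13~3-0~ubuntu-focal',
  'Package: docker-ce-cli\nVersion: 5:20.10.2~3-0~ubuntu-focal',
  'Package: docker-ce-cli\nVersion: 5:20.10.0~3-0~ubuntu-focal',
  'Package: containerd.io\nVersion: 1.4.3-1',
].join('\n\n');

// "5:20.10.2~3-0~ubuntu-focal" -> { text: "20.10.2", parts: [20, 10, 2] }, else null.
// The text is kept as well because "19.03.13" would lose its zero padding as numbers.
function upstreamVersion(debVersion) {
  const m = /^(?:\d+:)?((\d+)\.(\d+)\.(\d+))(?=$|[~+-])/.exec(debVersion.trim());
  return m && { text: m[1], parts: m.slice(2, 5).map(Number) };
}

// Numeric comparison, so that 19.03.13 sorts after 19.03.9.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] - b.parts[i];
  }
  return 0;
}

// Versions of `pkg` listed in the index text, sorted oldest to newest.
function availableVersions(packagesText, pkg) {
  return packagesText.split(/\n\s*\n/)
    .map(stanza => Object.fromEntries(stanza.split('\n')
      .filter(line => /^[\w-]+: /.test(line))
      .map(line => [line.slice(0, line.indexOf(':')), line.slice(line.indexOf(':') + 2)])))
    .filter(fields => fields.Package === pkg && fields.Version)
    .map(fields => upstreamVersion(fields.Version))
    .filter(Boolean)
    .sort(compare);
}

// Compare a pinned version against the index (hypothetical helper).
function checkPin(pinned, packagesText, pkg = 'docker-ce-cli') {
  const cur = upstreamVersion(pinned);
  if (!cur) throw new Error(`unparseable pinned version: ${pinned}`);
  const newer = availableVersions(packagesText, pkg).filter(v => compare(v, cur) > 0);
  const safe = newer.filter(v => v.parts[0] === cur.parts[0]).pop();
  const major = newer.filter(v => v.parts[0] !== cur.parts[0]).pop();
  return {
    propose: safe ? safe.text : null,       // patch/minor bump: eligible for an automatic PR
    needsReview: major ? major.text : null, // major jump: report it, do not auto-propose
  };
}
```

With a pin of 19.03.13 this policy proposes nothing automatically and only flags 20.10.2 for review, so security fixes released on the newer line still depend on a manual rebuild or a reviewed pin bump.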