Image builder must pull FROM image!
This must be done whatever library we use (native docker client, fsouza/docker-client, Openshift/image-builder)
In old builder this was done with the --pull
option.
We MUST pull the FROM image before performing the build. For 2 reasons:
- security: maybe we're using a private image. If the From image is present locally in the runner's docker storage already, it will be used without any check that the current build is allowed to pull that image!
- up-to-date image: without explicitly pulling the image, the build will use whatever tag is already present locally in the runner's docker storage. It will not pull the latest image for that tag.
If using Openshift/image-builder library, then make sure to set AllowPull=false