Skip to content

[hermetic-build] Docker image's gRPC dependency doesn't match the original Dockerfile version #3766

New issue
New issue
Closed
Closed
[hermetic-build] Docker image's gRPC dependency doesn't match the original Dockerfile version#3766
Labels
hermetic-buildpriority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.
@diegomarquezp

Description

@diegomarquezp
diegomarquezp
opened on Apr 25, 2025

Context

The Dockerfile defines GRPC_VERSION and uses it to download the plugin.

sdk-platform-java/.cloudbuild/library_generation/library_generation.Dockerfile

Line 61 in 698375d

ARG GRPC_VERSION=1.70.0

sdk-platform-java/.cloudbuild/library_generation/library_generation.Dockerfile

Lines 101 to 106 in 698375d

WORKDIR /grpc
RUN source /src/library_generation/utils/utilities.sh \
&& download_grpc_plugin "${GRPC_VERSION}" "${OS_ARCHITECTURE}"
# similar to protoc, we indicate grpc is available in the container via env vars
ENV DOCKER_GRPC_LOCATION="/grpc/protoc-gen-grpc-java.exe"

The last update to GRPC_VERSION was made in 6ca0599 back in February. Such update should have been reflected in 2.54.0.

However, the update was reflected only since 2.56.0:

[hi on] diegomarquezp:~$ docker run --rm --entrypoint bash gcr.io/cloud-devrel-public-resources/java-library-generation:2.56.2 -c 'cat /grpc/protoc-gen-grpc-java.exe | grep \(version'
 (version 1.70.0)
[hi on] diegomarquezp:~$ docker run --rm --entrypoint bash gcr.io/cloud-devrel-public-resources/java-library-generation:2.56.1 -c 'cat /grpc/protoc-gen-grpc-java.exe | grep \(version'
 (version 1.70.0)
^[[A[hi on] diegomarquezp:~$ docker run --rm --entrypoint bash gcr.io/cloud-devrel-public-resources/java-library-generation:2.56.0 -c 'cat /grpc/protoc-gen-grpc-java.exe | grep \(version'
 (version 1.70.0)
[hi on] diegomarquezp:~$ docker run --rm --entrypoint bash gcr.io/cloud-devrel-public-resources/java-library-generation:2.55.1 -c 'cat /grpc/protoc-gen-grpc-java.exe | grep \(version'
 (version 1.69.0)
[hi on] diegomarquezp:~$

The problem

Since we had one or more stale dependencies in the Docker image (gRPC being a confirmed case), there could be other stale dependencies. From Analysis, we should cover most of this by syncing the Airlock image with the main one.

Analysis

The Cloud Build trigger definition uses the Airlock definition:
https://github.com/googleapis/sdk-platform-java/blob/main/.cloudbuild/library_generation/cloudbuild-library-generation-push.yaml#L31-L38

However, GRPC_VERSION was updated only during the last release cycle (part of 2.56.0):
4eed4d6

The renovate configuration only matches the original file:

sdk-platform-java/renovate.json

Lines 34 to 46 in 698375d

{
"customType": "regex",
"fileMatch": [
"^gax-java/dependencies\\.properties$",
"^\\.cloudbuild/library_generation/library_generation\\.Dockerfile$"
],
"matchStrings": [
"version\\.io_grpc=(?<currentValue>.+?)\\n",
"ARG GRPC_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"
],
"depNameTemplate": "io.grpc:grpc-core",
"datasourceTemplate": "maven"
},

Solution

The best solution I can think of is to centralize the image definition, as described in #3728

Temporary solution

#3765 subscribes the Airlock image to gRPC updates

Metadata

Metadata

Assignees

No one assigned

    Labels

    hermetic-buildpriority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions