nodejs runtime packages in base images

[Rodric Rabbah <ro...@gmail.com>]

Hello,

A few times in recent weeks and twice this past week there was discussion
on slack about our nodejs8 and nodejs10 images and the lack of packages in
these images. As we move to deprecate nodejs6 with its coming end of life,
this is worth re-considering: should we include some popular images in the
base image?

We had previously eschewed packages because the thought was providers roll
their own. But I'm finding that our nodejs6 runtime more convenient for
some development because of its built-in packages.

So I opened a draft PR (new on GitHub!) to add some packages to our images
here: https://github.com/apache/incubator-openwhisk-runtime-nodejs/pull/111

Feedback welcome and especially appreciated if you aren't a provider that
runs their own images.

-r

Re: nodejs runtime packages in base images

[James Thomas <jt...@gmail.com>]

-1 on this I'm afraid.

I agree with everything Carlos said - I think the maintance and security
burden of rolling packages into the base layers outweights the ease of use
concern for new users.

On Sat, 16 Feb 2019 at 14:13, Carlos Santana <cs...@gmail.com> wrote:

>
> With my vendor hat:
>
> This means anyone extending the base image in their Dockerfile need to
> delete the node_modules directory first before they do npm install to
> install the exact set of packages and their dependencies that they want.
> They would this for various reasons for example they went over all the
> dependency graph not just the top level and made sure there are no
> legal/license problems, security CVEs, and maybe some packages for their
> own purpose.
>
> This will increase the image size with a layer that never get use.
>
> The alternative is that the provider can have a Docker file that doesn’t
> extend the openwhisk base image and instead extend the nodejs base image
> and use the new from feature from Dockerfile to copy the 2 or 3 files out
> of the base openwhisk image.
>
> Now with my Apache Hat:
> You will need to blessed and do legal clearance of the npm packages and
> all their dependencies to make sure their are compatible with Apache and
> then maintain currency with the versions that for currency and also
> security patches.
>
> I know that nodejs6 includes a bunch of npm packages but I was hoping to
> delete nodejs:6 from the repo for this reason before graduation to avoid
> any problems when going into graduation.
>
> PS: Anyone is welcome to use the image ibmfunctions/action-nodejs-v10 for
> nodejs:10 in their runtimes.json is fully compatible with any openwhisk
> deployment. This is the one I use locally in my Mac with docker-compose
> deploy.
>
> - Carlos Santana
> @csantanapr
>
> > On Feb 16, 2019, at 8:57 AM, Dominic Kim <st...@gmail.com> wrote:
> >
> > +1 on this.
> >
> >
> > Best regards
> > Dominic
> >
> >
> > 2019년 2월 16일 (토) 오전 10:53, Rodric Rabbah <ro...@gmail.com>님이 작성:
> >
> >> Hello,
> >>
> >> A few times in recent weeks and twice this past week there was
> discussion
> >> on slack about our nodejs8 and nodejs10 images and the lack of packages
> in
> >> these images. As we move to deprecate nodejs6 with its coming end of
> life,
> >> this is worth re-considering: should we include some popular images in
> the
> >> base image?
> >>
> >> We had previously eschewed packages because the thought was providers
> roll
> >> their own. But I'm finding that our nodejs6 runtime more convenient for
> >> some development because of its built-in packages.
> >>
> >> So I opened a draft PR (new on GitHub!) to add some packages to our
> images
> >> here:
> >> https://github.com/apache/incubator-openwhisk-runtime-nodejs/pull/111
> >>
> >> Feedback welcome and especially appreciated if you aren't a provider
> that
> >> runs their own images.
> >>
> >> -r
> >>
>


-- 
Regards,
James Thomas

Re: nodejs runtime packages in base images

[Carlos Santana <cs...@gmail.com>]

With my vendor hat:

This means anyone extending the base image in their Dockerfile need to delete the node_modules directory first before they do npm install to install the exact set of packages and their dependencies that they want. They would this for various reasons for example they went over all the dependency graph not just the top level and made sure there are no legal/license problems, security CVEs, and maybe some packages for their own purpose. 

This will increase the image size with a layer that never get use. 

The alternative is that the provider can have a Docker file that doesn’t extend the openwhisk base image and instead extend the nodejs base image and use the new from feature from Dockerfile to copy the 2 or 3 files out of the base openwhisk image. 

Now with my Apache Hat:
You will need to blessed and do legal clearance of the npm packages and all their dependencies to make sure their are compatible with Apache and then maintain currency with the versions that for currency and also security patches. 

I know that nodejs6 includes a bunch of npm packages but I was hoping to delete nodejs:6 from the repo for this reason before graduation to avoid any problems when going into graduation. 

PS: Anyone is welcome to use the image ibmfunctions/action-nodejs-v10 for nodejs:10 in their runtimes.json is fully compatible with any openwhisk deployment. This is the one I use locally in my Mac with docker-compose deploy. 

- Carlos Santana
@csantanapr

> On Feb 16, 2019, at 8:57 AM, Dominic Kim <st...@gmail.com> wrote:
> 
> +1 on this.
> 
> 
> Best regards
> Dominic
> 
> 
> 2019년 2월 16일 (토) 오전 10:53, Rodric Rabbah <ro...@gmail.com>님이 작성:
> 
>> Hello,
>> 
>> A few times in recent weeks and twice this past week there was discussion
>> on slack about our nodejs8 and nodejs10 images and the lack of packages in
>> these images. As we move to deprecate nodejs6 with its coming end of life,
>> this is worth re-considering: should we include some popular images in the
>> base image?
>> 
>> We had previously eschewed packages because the thought was providers roll
>> their own. But I'm finding that our nodejs6 runtime more convenient for
>> some development because of its built-in packages.
>> 
>> So I opened a draft PR (new on GitHub!) to add some packages to our images
>> here:
>> https://github.com/apache/incubator-openwhisk-runtime-nodejs/pull/111
>> 
>> Feedback welcome and especially appreciated if you aren't a provider that
>> runs their own images.
>> 
>> -r
>> 

Re: nodejs runtime packages in base images

[Dominic Kim <st...@gmail.com>]

+1 on this.


Best regards
Dominic


2019년 2월 16일 (토) 오전 10:53, Rodric Rabbah <ro...@gmail.com>님이 작성:

> Hello,
>
> A few times in recent weeks and twice this past week there was discussion
> on slack about our nodejs8 and nodejs10 images and the lack of packages in
> these images. As we move to deprecate nodejs6 with its coming end of life,
> this is worth re-considering: should we include some popular images in the
> base image?
>
> We had previously eschewed packages because the thought was providers roll
> their own. But I'm finding that our nodejs6 runtime more convenient for
> some development because of its built-in packages.
>
> So I opened a draft PR (new on GitHub!) to add some packages to our images
> here:
> https://github.com/apache/incubator-openwhisk-runtime-nodejs/pull/111
>
> Feedback welcome and especially appreciated if you aren't a provider that
> runs their own images.
>
> -r
>