I support improving the process of updating the CI docker images. A couple of thoughts here:
- I agree the Jenkinsfile security is a little bit arbitrary. I think maybe there could be an aspect of protecting the Jenkins master (i.e. I think you can get references to internal shared Java objects from the Jenkinsfile and mess with them). I agree it doesn’t stop folks from running arbitrary commands.
- Generally speaking we don’t tend to reuse layers in Docker containers, so pulling the base image may make the docker build shorter, but I don’t think we should expect the typical docker build to result in a small incremental change. Rather, these images are quite large, and I’m not sure we should be stashing them via Jenkins.
- A related problem occurs when we pull images from ephemeral containers: previously builds started almost immediately, but now it’s much more likely we’ll need to pull a docker image. I wonder if we might consider a pull-through cache or some other type of local registry as a way to both pull images and also store builds that originated in the CI.
- From a security perspective, I think ephemeral machines help; I’d also add pre-declaring network dependencies and firewalling the executors as possible remedies.
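As an added illustration of the pull-through cache suggested above (this is not configuration from the commenter or from the project), here is a Docker Distribution (`registry:2`) config that proxies Docker Hub. The port, storage path and the comment about the mirror hostname are assumptions for the example:

```yaml
# Added example, not part of the original thread: a registry:2 instance running
# as a pull-through cache in front of Docker Hub. Local path, port and any host
# names are assumptions.
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry   # assumed local cache directory
  delete:
    enabled: true                      # allow cached blobs to be garbage-collected later
http:
  addr: :5000                          # assumed listen port
proxy:
  # Upstream the cache pulls from on a miss. Only one upstream is supported per instance.
  remoteurl: https://registry-1.docker.io
  # Uncomment to authenticate upstream (private repos, or higher Hub rate limits):
  # username: <hub-user>
  # password: <hub-token>
```

Executors are pointed at the cache by adding its address under `registry-mirrors` in the daemon's `/etc/docker/daemon.json`. Two caveats a practitioner should plan for: a registry started with a `proxy` section rejects pushes, so images built in CI still need a second, non-proxy registry instance (the same image without the `proxy` block) to be stored locally; and the cache host becomes one of the pre-declared network dependencies, which is convenient for the executor firewall, since an executor then only needs egress to the cache and the source hosts rather than to Docker Hub directly.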