[fix] add DOCKER_TAG variable for version pinning to match intended release version #555
atif09 wants to merge 6 commits into openwisp:master
…#554
this change introduces a DOCKER_TAG environment variable that allows users to pin specific image versions in .env file. Both 'docker compose pull' and 'make pull' now respect this variable, ensuring consistent version behavior across all deployment methods.
Changes:
- Add DOCKER_TAG=latest to .env file
- Update all OpenWISP image tags in docker-compose.yml to use ${DOCKER_TAG:-latest}
- Update Makefile to include .env and use DOCKER_TAG when retagging images
Fixes openwisp#554
Walkthrough
Added DOCKER_TAG to .env. Updated Makefile to source and export .env and to use DOCKER_TAG (falling back to latest) when constructing image tags. Updated docker-compose.yml to parameterize service image tags as ${DOCKER_TAG:-latest} for all services. No other service configuration, dependencies, volumes, networking, or exported/public interfaces were changed.
Sequence Diagram(s)
sequenceDiagram
participant Dev as Developer
participant Env as .env
participant Make as Makefile
participant Compose as docker-compose
participant Registry as Docker Registry
Dev->>Env: add DOCKER_TAG (e.g., 25.10.0)
Dev->>Make: run make pull / other make targets
Make->>Env: source and export DOCKER_TAG
Make->>Registry: pull openwisp/<image>:$${DOCKER_TAG:-latest}
Dev->>Compose: docker compose pull
Compose->>Env: read DOCKER_TAG (may be unset)
Compose->>Registry: pull openwisp/<image>:$${DOCKER_TAG:-latest}
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.env:
- Line 66: Move the DOCKER_TAG entry so it appears before EMAIL_DJANGO_DEFAULT
in the .env file to satisfy the dotenv-linter key ordering, and ensure the file
ends with a single trailing newline (add a blank line at EOF) so the linter no
longer reports a missing newline; update the DOCKER_TAG line (the literal key
"DOCKER_TAG") and verify EMAIL_DJANGO_DEFAULT remains unchanged.
In `@Makefile`:
- Line 26: The docker tag command can fail when DOCKER_TAG is empty; update the
recipe to use a fallback default for DOCKER_TAG (compose uses "latest") so the
tag is valid even if .env is missing. Locate the docker tag line in the Makefile
that references $${DOCKER_TAG} and replace it with a parameter expansion
fallback (e.g., use $${DOCKER_TAG:-latest}) so the command uses "latest" when
DOCKER_TAG is unset while keeping existing variables USER, image and TAG
unchanged.
📒 Files selected for processing (3)
.env, Makefile, docker-compose.yml
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2026-01-06T11:56:48.600Z
Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 549
File: docker-compose.yml:85-85
Timestamp: 2026-01-06T11:56:48.600Z
Learning: In docker-openwisp projects, ensure CELERY_SERVICE_NETWORK_MODE is set to an empty string "" (which Docker Compose treats as unset/null). This allows containers to connect via the Compose default network with correct service name DNS resolution. Using "bridge" as the value disables service name resolution and breaks communication between celery, dashboard, postgres, and redis. Apply this guideline to docker-compose.yml files in the repository and any similar Compose files where CELERY services rely on service name DNS.
Applied to files:
docker-compose.yml
📚 Learning: 2026-01-06T11:55:13.672Z
Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 549
File: docker-compose.yml:85-85
Timestamp: 2026-01-06T11:55:13.672Z
Learning: In docker-compose.yml files, avoid leaving CELERY_SERVICE_NETWORK_MODE as an empty string; an empty value is ignored and Docker Compose falls back to default networking. Do not rely on setting CELERY_SERVICE_NETWORK_MODE to 'bridge' for celery services, as this will not affect their networking. If specific networking is required for celery services, define and attach explicit networks in the compose file and reference them on the celery services.
Applied to files:
docker-compose.yml
📚 Learning: 2026-01-06T11:28:41.789Z
Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 549
File: docker-compose.yml:171-171
Timestamp: 2026-01-06T11:28:41.789Z
Learning: In docker-openwisp, the OpenVPN container (images/common/init_command.sh) exits silently with exit code 0 when VPN_DOMAIN environment variable is not set. Combined with restart policy "on-failure" in docker-compose.yml, this prevents the container from restarting when VPN is disabled.
Applied to files:
docker-compose.yml
🪛 dotenv-linter (4.0.0)
.env
[warning] 66-66: [EndingBlankLine] No blank line at the end of the file
(EndingBlankLine)
[warning] 66-66: [UnorderedKey] The DOCKER_TAG key should go before the EMAIL_DJANGO_DEFAULT key
(UnorderedKey)
🔇 Additional comments (2)
Makefile (1)
4-6: LGTM — .env inclusion/export enables tag propagation.
docker-compose.yml (1)
15-15: LGTM — parameterized tags meet pinning objective and keep defaults.
Also applies to: 38-38, 58-58, 73-73, 88-88, 102-102, 116-116, 143-143, 159-159, 170-170
Move DOCKER_TAG variable placement in .env file to satisfy alphabetical ordering requirements and add missing EOF newline. Update Makefile to use fallback value for DOCKER_TAG variable. Related to openwisp#554
f60f251 to a4f27a0
.env
Outdated
| SSH_PRIVATE_KEY_PATH=/home/openwisp/.ssh/id_ed25519 | ||
| SSH_PUBLIC_KEY_PATH=/home/openwisp/.ssh/id_ed25519.pub | ||
| VPN_DOMAIN=openvpn.openwisp.org | ||
| DOCKER_TAG=25.10.0 |
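Review bot: DOCKER_TAG=25.10.0 on the last line does not match the PR description, which lists "Add DOCKER_TAG=latest to .env file" as the change, so anyone who takes this default .env is pinned to 25.10.0 without having chosen it. Ship latest as the default (or leave the key out so the ${DOCKER_TAG:-latest} fallback applies) and add a one-line comment above the key saying what it controls.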
Do we have to change this every time we release a bugfix version?
Ideally we shouldn't, right @pandafy?
How do we deal with edge images?
I had committed the changes without changing this variable back to latest while testing for version pinning for 25.10.0, sorry for this
this being set to latest avoids changing this variable every time there is a bugfix
Keeping DOCKER_TAG=latest avoids manual updating with each release, users will have to change this to the specific version by explicitly setting it to the desired version Related to openwisp#554
Actionable comments posted: 0
⚠️ Outside diff range comments (1)
.env (1)
5-12: ⚠️ Potential issue | 🟡 Minor
Fix dotenv-linter key ordering for DOCKER_TAG.
dotenv-linter expects DOCKER_TAG to appear before SSH_PRIVATE_KEY_PATH. Please reorder to satisfy lint rules.
♻️ Proposed fix
DASHBOARD_DOMAIN=dashboard.openwisp.org API_DOMAIN=api.openwisp.org +# Image tag pinning +DOCKER_TAG=latest # SSH Credentials Configurations SSH_PRIVATE_KEY_PATH=/home/openwisp/.ssh/id_ed25519 SSH_PUBLIC_KEY_PATH=/home/openwisp/.ssh/id_ed25519.pub VPN_DOMAIN=openvpn.openwisp.org -DOCKER_TAG=latest EMAIL_DJANGO_DEFAULT=example@example.org
📒 Files selected for processing (1)
.env
🪛 dotenv-linter (4.0.0)
.env
[warning] 11-11: [UnorderedKey] The DOCKER_TAG key should go before the SSH_PRIVATE_KEY_PATH key
(UnorderedKey)
dotenv-linter expects DOCKER_TAG to appear before SSH_PRIVATE_KEY_PATH Related to openwisp#554
nemesifier left a comment
BTW we have an OPENWISP_VERSION var in the makefile.
However, I ask @pandafy to review this.
The variable in the makefile cannot serve as single source of truth if someone uses docker to manage the images (e.g. docker compose pull) which is a common flow.
pandafy left a comment
This looks on the right track. But, we need to make sure that we have a single source of truth. IMO, we can use .env as single source of truth and make Makefile derive the version from there.
@nemesifier is there something I am missing here?
| DASHBOARD_DOMAIN=dashboard.openwisp.org | ||
| API_DOMAIN=api.openwisp.org | ||
| # Image tag pinning | ||
| DOCKER_TAG=latest |
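Review bot: the comment "# Image tag pinning" sits directly above DOCKER_TAG=latest, but latest is a floating tag, so with this default nothing is pinned. Expand the comment to say that the value has to be changed to a release tag (the PR's own test uses 25.10.0) for pinning to take effect, and that latest follows whatever was published most recently.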
Can we call this OPENWISP_VERSION instead? Then, we can make the makefile use this instead of defining the variable there.
| include .env | ||
| export | ||
|
|
||
| OPENWISP_VERSION = 25.10.0 |
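Review bot: OPENWISP_VERSION = 25.10.0 is still defined right after include .env, so the Makefile carries a version of its own next to the DOCKER_TAG read from .env and the two can disagree; derive one from the other or drop the hard-coded value. Two smaller points on the first lines: include .env aborts make when the file is missing (-include tolerates that) and reads the file with Makefile syntax rather than Compose's, and the bare export passes every make variable, including everything in .env, into every recipe's environment, where export DOCKER_TAG alone would be narrower.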
This variable will come from the .env
| 'openwisp-websocket' ; do \ | ||
| docker pull --quiet $(USER)/$${image}:$(TAG); \ | ||
| docker tag $(USER)/$${image}:$(TAG) openwisp/$${image}:latest; \ | ||
| docker tag $(USER)/$${image}:$(TAG) openwisp/$${image}:$${DOCKER_TAG:-latest}; \ |
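Review bot: the docker pull line in this hunk fetches $(USER)/$${image}:$(TAG), while the new docker tag line labels the result openwisp/$${image}:$${DOCKER_TAG:-latest}, and nothing in the recipe ties TAG to DOCKER_TAG. With DOCKER_TAG=25.10.0 and TAG pointing at a different build, the local openwisp/<image>:25.10.0 would not contain what its tag claims. Pull by the same value that is used for the label, or make the recipe fail when the two differ.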
This means, we will always have versioned tagged images. This is what I expect.
pandafy left a comment
@nemesifier don't merge this PR yet. I need to organise my thoughts and think about all possible situations.
I will report back on Monday.
this change introduces a DOCKER_TAG environment variable that allows users to pin specific image versions in .env file, both 'docker compose pull' and 'make pull' now work according to this variable, ensuring consistent version behavior across all deployment methods
Checklist
Reference to Existing Issue
Closes #554.
Description of Changes
Screenshot
version pinning test:
with DOCKER_TAG=25.10.0 in .env

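The fallback behaviour discussed in this PR, as an added example that is not part of the PR or of the openwisp code base: it resolves the image reference the way ${DOCKER_TAG:-latest} does and rejects values Docker would not accept as a tag. The helper names read_env_tag and image_ref are hypothetical, and the .env parsing assumes plain unquoted KEY=value lines.

```shell
#!/bin/sh
# Added example: mirror "${DOCKER_TAG:-latest}" and validate the result
# before it reaches "docker pull" / "docker tag".

# Print the value of DOCKER_TAG from a .env-style file (last assignment wins).
# Assumption: unquoted KEY=value lines, no inline comments.
read_env_tag() {
    # $1: path to the env file; prints nothing if the file or key is absent
    [ -f "$1" ] || return 0
    sed -n 's/^DOCKER_TAG=//p' "$1" | tail -n 1
}

# Build openwisp/<image>:<tag>. ":-" falls back when the value is unset OR
# empty; a plain "-" would keep an empty value and produce "image:".
image_ref() {
    # $1: image name, $2: env file
    tag=$(read_env_tag "$2")
    tag=${tag:-latest}
    # Docker tag grammar: first char [A-Za-z0-9_], the rest [A-Za-z0-9_.-],
    # at most 128 characters in total.
    case $tag in
        [!A-Za-z0-9_]*|*[!A-Za-z0-9_.-]*)
            echo "invalid tag: $tag" >&2
            return 1 ;;
    esac
    [ "${#tag}" -le 128 ] || { echo "tag too long" >&2; return 1; }
    printf 'openwisp/%s:%s\n' "$1" "$tag"
}

# Constructed sample input: a .env where DOCKER_TAG was left blank.
demo_env=$(mktemp)
printf 'API_DOMAIN=api.openwisp.org\nDOCKER_TAG=\n' > "$demo_env"
image_ref openwisp-websocket "$demo_env"
rm -f "$demo_env"
```
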