Ubuntu and Docker: In search of the problem

I am preparing a set of stable images for a production environment, with an Ubuntu 18.04 base layer and a set of Python tools on top of it.

Now the users insist that in their preliminary experiments, they ran into problems with Ubuntu coming with a prepackaged Python 3 that had been modified for certain internal Ubuntu needs, but these changes are incompatible with their Python tools. Uninstalling the prepackaged Python and installing the “standard” 3.6 version made Ubuntu fail.

So they handed the problem over to me. I created an image with an Ubuntu base, and I don’t see any trace whatsoever of Python in it. So what has happened? Were those problems with a non-standard Python just pure fantasy? Or have the Ubuntu developers decided to clean the Python parts out of the base image? As far as I can see, the tag is unchanged, 18.04. (In my opinion, its most essential trait is the immutability, and if 18.04 has silently been updated, it contradicts this idea.)

Or is that non-standard Python hidden somewhere, and will jump out and bite me some day when I expect it the least?

I have no idea regarding your Python problem, though I can tell that your expectations about the immutability are only met for the {codename}-{yyyy}{mm}{dd} tags in the ubuntu repository.

Until the next Ubuntu 18.04 image is built, the tags bionic-20190612, 18.04, bionic and latest point to the same imageid. After the next update of the Ubuntu 18.04 image, the tags 18.04, bionic and latest will point to the imageid of the new image.

This should allow you to verify what commands were executed to build the images:
If you open the “TAG” tab for the ubuntu image in Docker Hub, you can click on the “vulnerability bar” (I have no idea what it is really called) to see which actions are performed in each layer and what vulnerabilities they bring to the table without pulling the image.

For pulled images the command docker image history {imageid} can be used to see which commands are performed in each layer (add --no-trunc to the command, if you want to see the full output).
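
An added example, not part of the original thread: a small shell check for the tag behaviour described in the answer, telling you whether a moving tag such as 18.04 still resolves to the same image as a dated tag. The function names are hypothetical, and the two listings and their sha256 values are constructed placeholders in the format noted in the comments.

```shell
#!/bin/sh
# Input format: one "repository:tag imageid" pair per line, as printed by
#   docker image ls --no-trunc --format '{{.Repository}}:{{.Tag}} {{.ID}}' ubuntu
# Both listings below are constructed samples; the ids are placeholders.

# Before the next 18.04 rebuild: every tag shares one image id.
SAMPLE_BEFORE='ubuntu:bionic-20190612 sha256:1111
ubuntu:18.04 sha256:1111
ubuntu:bionic sha256:1111
ubuntu:latest sha256:1111'

# After a rebuild and a fresh pull: the moving tags follow the new image,
# while the dated tag keeps pointing at the old one.
SAMPLE_AFTER='ubuntu:bionic-20190612 sha256:1111
ubuntu:18.04 sha256:2222
ubuntu:bionic sha256:2222
ubuntu:latest sha256:2222'

# image_id_of LISTING REF: print the image id REF resolves to (empty if absent).
image_id_of() {
    printf '%s\n' "$1" | awk -v ref="$2" '$1 == ref { print $2; exit }'
}

# same_image LISTING REF_A REF_B: succeed only if both refs exist and share an id.
same_image() {
    a=$(image_id_of "$1" "$2")
    b=$(image_id_of "$1" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# aliases_of LISTING REF: print the other refs that share REF's image id.
aliases_of() {
    id=$(image_id_of "$1" "$2")
    [ -n "$id" ] || return 1
    printf '%s\n' "$1" | awk -v id="$id" -v ref="$2" '
        $2 == id && $1 != ref { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Report drift of the moving tag against the dated tag in both samples.
for listing in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if same_image "$listing" ubuntu:18.04 ubuntu:bionic-20190612; then
        echo "18.04 still matches bionic-20190612"
    else
        echo "18.04 has moved; rebuilds on 18.04 now get a different base"
    fi
done
```

Building FROM the dated tag instead of 18.04 keeps the base layer from changing underneath the image between builds.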