fix(docker): mirror IBM iAccess driver on collate CDN#28097
Merged
Conversation
IBM's public CDN (public.dhe.ibm.com) has been unreliable, causing CI build failures with "Failed to connect to ... port 443". Switch all ingestion Dockerfiles to wget the .deb from cdn.getcollate.io with SHA256 verification. Changes: - ingestion/Dockerfile + Dockerfile.ci: replace apt-list+apt-install pattern with direct wget+dpkg, matching the operators' existing shape. - ingestion/operators/docker/Dockerfile + Dockerfile.ci: bump pinned version 1.1.0.13 (2022) -> 1.1.0.29 (matches production ingestion-slim image), add SHA256 verification. The CDN-mirrored .deb is byte-identical to IBM's upstream (verified by SHA256). Production ingestion-slim:1.13.0-n103 already runs 1.1.0.29 (confirmed via dpkg -l inside the image). Decouples Docker builds from IBM's CDN availability — the recent CI failure mode (curl timeout to public.dhe.ibm.com) can no longer occur.
github-actions
Bot
added
Ingestion
safe to test
Code Review ✅ ApprovedMirrors the IBM iAccess driver on the Collate CDN and implements direct wget downloads with SHA256 verification to resolve build failures caused by IBM CDN instability. No issues found. OptionsDisplay: compact → Showing less information. Comment with these commands to change:
Was this helpful? React with 👍 / 👎 | Gitar |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the ingestion Docker images’ DB2 iAccess driver installation to download a mirrored .deb from cdn.getcollate.io (instead of IBM’s CDN / apt-list flow) and verifies the artifact via pinned SHA256, improving Docker build reliability in CI.
Changes:
- Switch DB2 iAccess installation to direct
wgetof the mirrored.deb+sha256sumverification. - Update the pinned iAccess version in operator images to
1.1.0.29and align install steps across the four Dockerfiles. - Retain
dpkg -i --force-dependsto handle legacy dependency naming on Debian 12.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
ingestion/Dockerfile |
Replaces IBM apt-list install with mirrored .deb download + SHA256 verification for iAccess. |
ingestion/Dockerfile.ci |
Same as above for CI image build path. |
ingestion/operators/docker/Dockerfile |
Switches iAccess download to Collate CDN mirror, pins SHA256, and bumps to 1.1.0.29. |
ingestion/operators/docker/Dockerfile.ci |
Same as above for the operator CI Dockerfile. |
Comment on lines
+71
to
+72
| && dpkg -i --force-depends /tmp/ibm-iaccess.deb \ | ||
| && apt-get install -f -y --no-install-recommends \ |
| RUN if [ $(uname -m) = "x86_64" ]; then \ | ||
| wget -q https://cdn.getcollate.io/deps/ingestion/ibm/ibm-iaccess-1.1.0.29-1.0.amd64.deb -O /tmp/ibm-iaccess.deb \ | ||
| && echo "e60e968d2cee96b2851964456f5b31ab990b1aa47d8f2399607809f7d4514f58 /tmp/ibm-iaccess.deb" | sha256sum -c - \ | ||
| && dpkg -i --force-depends /tmp/ibm-iaccess.deb \ |
| wget -q https://cdn.getcollate.io/deps/ingestion/ibm/ibm-iaccess-1.1.0.29-1.0.amd64.deb \ | ||
| -O /tmp/ibm-iaccess.deb && \ | ||
| echo "e60e968d2cee96b2851964456f5b31ab990b1aa47d8f2399607809f7d4514f58 /tmp/ibm-iaccess.deb" | sha256sum -c - && \ | ||
| dpkg -i --force-depends /tmp/ibm-iaccess.deb && \ |
| wget -q https://cdn.getcollate.io/deps/ingestion/ibm/ibm-iaccess-1.1.0.29-1.0.amd64.deb \ | ||
| -O /tmp/ibm-iaccess.deb && \ | ||
| echo "e60e968d2cee96b2851964456f5b31ab990b1aa47d8f2399607809f7d4514f58 /tmp/ibm-iaccess.deb" | sha256sum -c - && \ | ||
| dpkg -i --force-depends /tmp/ibm-iaccess.deb && \ |
Contributor
🟡 Playwright Results — all passed (14 flaky)✅ 4062 passed · ❌ 0 failed · 🟡 14 flaky · ⏭️ 97 skipped
🟡 14 flaky test(s) (passed on retry)
How to debug locally# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip # view trace |
|
pmbrull
approved these changes
May 14, 2026
IceS2
added a commit
that referenced
this pull request
May 15, 2026
IBM's public CDN (public.dhe.ibm.com) has been unreliable, causing CI build failures with "Failed to connect to ... port 443". Switch all ingestion Dockerfiles to wget the .deb from cdn.getcollate.io with SHA256 verification. Changes: - ingestion/Dockerfile + Dockerfile.ci: replace apt-list+apt-install pattern with direct wget+dpkg, matching the operators' existing shape. - ingestion/operators/docker/Dockerfile + Dockerfile.ci: bump pinned version 1.1.0.13 (2022) -> 1.1.0.29 (matches production ingestion-slim image), add SHA256 verification. The CDN-mirrored .deb is byte-identical to IBM's upstream (verified by SHA256). Production ingestion-slim:1.13.0-n103 already runs 1.1.0.29 (confirmed via dpkg -l inside the image). Decouples Docker builds from IBM's CDN availability — the recent CI failure mode (curl timeout to public.dhe.ibm.com) can no longer occur.
ulixius9
pushed a commit
that referenced
this pull request
May 16, 2026
IBM's public CDN (public.dhe.ibm.com) has been unreliable, causing CI build failures with "Failed to connect to ... port 443". Switch all ingestion Dockerfiles to wget the .deb from cdn.getcollate.io with SHA256 verification. Changes: - ingestion/Dockerfile + Dockerfile.ci: replace apt-list+apt-install pattern with direct wget+dpkg, matching the operators' existing shape. - ingestion/operators/docker/Dockerfile + Dockerfile.ci: bump pinned version 1.1.0.13 (2022) -> 1.1.0.29 (matches production ingestion-slim image), add SHA256 verification. The CDN-mirrored .deb is byte-identical to IBM's upstream (verified by SHA256). Production ingestion-slim:1.13.0-n103 already runs 1.1.0.29 (confirmed via dpkg -l inside the image). Decouples Docker builds from IBM's CDN availability — the recent CI failure mode (curl timeout to public.dhe.ibm.com) can no longer occur.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Describe your changes:
Fixes #
IBM's public CDN (
public.dhe.ibm.com) has been unreliable, causing Dockerbuilds to fail when curling the iAccess
.listor.deb. This PR mirrorsthe iAccess driver on
cdn.getcollate.ioand switches all four ingestionDockerfiles to wget from the mirror with SHA256 verification.
Why: the CI build error pasted in the linked issue is a 134-second TCP
timeout against
public.dhe.ibm.com— IBM's CDN was unreachable from therunner. Direct download of the
.deb(instead of apt-list) wouldn't help:same hostname, same network path, same failure mode. Mirroring the binary
on a CDN we control decouples Docker builds from IBM's availability.
Type of change:
High-level design:
Files changed (4):
ingestion/Dockerfile+Dockerfile.ci: replaceapt-list+apt-installpattern with direct
wget+dpkg, matching the operators' existing shape.ingestion/operators/docker/Dockerfile+Dockerfile.ci: bump pinnedversion from
1.1.0.13(May 2022) to1.1.0.29(March 2026, matches theversion production
ingestion-slimimages actually ship today).SHA256 verification is added to all four files. The mirrored
.debisbyte-identical to IBM's upstream:
Why
1.1.0.29is safe: it's the same version productioningestion-slim:1.13.0-n103already runs (confirmed viadpkg -l ibm-iaccessinside the image). The smaller
.debsize (1.1 MB vs 5.5 MB for 1.1.0.28) isbecause IBM finally stripped debug symbols from the shared libraries — same
438 files, same
libcwbodbc.soODBC driver, samelibcwbcore.so. Nofunctionality removed;
filereports v29 as "stripped" vs v28 "withdebug_info, not stripped."
dpkg --force-dependsretained because the.debdeclares old Debianpackage names (
libodbc1,odbcinst1debian2) that don't exist in Debian 12;the actual libraries (
unixodbc,odbcinst) are installed earlier in eachDockerfile.
Tests:
No automated test exists in the repo for the iAccess install path
(
test_db2.pyis a pure-mock unit test, doesn't exercise the driver, andno CI workflow mentions db2/iaccess). Validated manually:
Result:
ii ibm-iaccess 1.1.0.29-1.0 amd64 IBM i Access Client Solutions.libcwbodbc.so(the ODBC driver, 830 KB) and the/usr/lib/x86_64-linux-gnu/libcwbcore.sosymlink land at expected paths.Adding a Dockerfile-build smoke test to CI is a worthwhile follow-up but
out of scope for this fix.