Introducing Docker Rolling Releases for Enhanced Security in Dockerised DHIS2 Environments

We are excited to announce a significant update in our deployment process for DHIS2 Docker images. Our new Docker Rolling Releases strategy is designed to ensure that our Docker images remain up-to-date with the latest security patches and updates, enhancing the overall security and reliability of our systems.

Motivation Behind the Change

In the rapidly evolving digital landscape, security is paramount. Our previous Docker image builds were synchronised with the supported versions of DHIS2 only at the time that version was released. However, this meant that the Docker image for a specific DHIS2 version would not stay up to date with the base Tomcat image or other underlying dependency updates. To address this, we are shifting to a more dynamic and responsive update process.

Our New Approach: Docker Rolling Releases

Versioning and Tagging:
We have streamlined our versioning system. For instance, a tag like 40.1.1 represents a fully-qualified hotfix, 40.1 represents a patch (implying the latest hotfix on that patch version), and 40 is just the major version (implying both the latest patch and hotfix). Backward compatibility with the old 2.xx format is maintained with tags like 2.40.1.1.

Immutability Principle:
We are committed to the principle of immutability. Each individual image tagged with full specificity, such as 40.1.1-20231031T164340Z (DHIS2 version plus timestamp), will remain unchanged. This approach aids in debugging and ensures reliability.

Flexible Tagging for Rolling Releases:
Tags with only the DHIS2 version and no timestamp, like dhis2/core:40.1.1, will adhere to the rolling release principle, receiving updates as needed. This means that the base image can be updated while the DHIS2 version stays the same.

Multiple Builds and Tags:
Each build will have multiple tags, reflecting the latest patch, minor, or major version. For example, a build tagged as 40.1.1-20231019 might also be tagged as 40.1.1, 40.1, and 40.

Rolling Release Schedule:
Our rolling releases may be scheduled or triggered on-demand. We are utilising a Jenkins pipeline to automate this process, ensuring that our images are always built with the latest base image updates.

Commitment to Security and Efficiency

This move to Docker Rolling Releases represents our commitment to providing the most secure and efficient environment for our users. By ensuring that our Docker images are always up-to-date with the latest security patches, we are enhancing the stability and reliability of our systems. We are excited about this new chapter in our containerised deployment strategy and are confident that it will significantly benefit our users and the broader DHIS2 community.

Best Regards,
DHIS2 Release Team.

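The following Python is an added example, not code from the DHIS2 project: it applies the tagging rules described in the announcement to tell immutable build tags from rolling ones, lists the rolling aliases a build may carry, and flags `dhis2/core` references in a compose file whose content can change between pulls. The tag grammar is inferred from the tags shown in the post, and the function names and the compose sample are constructed for illustration.

```python
import re

# Tag grammar inferred from the examples in the post (an assumption, not an official
# spec): optional legacy "2." prefix, major[.patch[.hotfix]], optional "-<timestamp>".
TAG_RE = re.compile(
    r"^(?P<legacy>2\.)?(?P<major>\d+)(?:\.(?P<patch>\d+)(?:\.(?P<hotfix>\d+))?)?"
    r"(?:-(?P<stamp>\d{8}(?:T\d{6}Z)?))?$"
)
# Compose-style "image:" entries that reference dhis2/core, with optional tag and digest.
IMAGE_RE = re.compile(
    r"image:\s*[\"']?dhis2/core(?![\w.\-/])(?::(?P<tag>[\w.\-]+))?(?P<digest>@sha256:[0-9a-f]{64})?"
)

def classify(tag):
    """Return 'immutable', 'rolling' or 'unknown' for a dhis2/core tag."""
    m = TAG_RE.match(tag)
    if not m:
        return "unknown"
    # Only a full hotfix version plus a timestamp names one fixed build.
    pinned = m["hotfix"] is not None and m["stamp"] is not None
    return "immutable" if pinned else "rolling"

def rolling_aliases(build_tag):
    """Rolling tags a build may also carry, assuming it is the newest on each line."""
    m = TAG_RE.match(build_tag)
    if not m or classify(build_tag) != "immutable":
        raise ValueError(f"not a fully qualified build tag: {build_tag!r}")
    major, patch, hotfix = m["major"], m["patch"], m["hotfix"]
    return [f"{major}.{patch}.{hotfix}", f"{major}.{patch}", major]

def unpinned_images(compose_text):
    """Return (line_no, tag, kind) for dhis2/core references that can change between pulls."""
    findings = []
    for line_no, line in enumerate(compose_text.splitlines(), start=1):
        m = IMAGE_RE.search(line)
        if not m or m["digest"]:  # digest-pinned references are content-addressed
            continue
        tag = m["tag"] or "latest"  # Docker resolves a missing tag to "latest"
        kind = classify(tag)
        if kind != "immutable":
            findings.append((line_no, tag, kind))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """services:
  web: {image: "dhis2/core:40.1.1"}
  staging: {image: "dhis2/core:40.1.1-20231031T164340Z"}
  legacy: {image: "dhis2/core:2.40.1.1"}
"""
```

A rolling finding is not necessarily a problem: rolling tags pick up base image patches on the next pull, while timestamped tags give reproducible deployments that must be bumped deliberately.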