Replace --local with --pull=[always,never,missing] (HMS-3792)
#418
Conversation
Is it? Looks to me like you're just deprecating |
|
Valid point |
|
Yeah, this is nice. Gives the user more control and it aligns with what we're doing internally (and how podman works) so it should be easier to understand. |
ab2f6af to
e2da71f
Compare
--local with --pull=[always,never,missing]--local with --pull=[always,never,missing] (HMS-3792)
In order to be more consistent with how podman behaves, add initial `pull=never` and `pull=always` flags.
Deprecate the `--local` flag in favour of the `--pull` flag as the latter is more descriptive and is more inline with how podman behaves. Add a deprecated warning message for using the `--local` flag.
Add the `pull=missing` flag and set it as the default. Add the logic to check if the container is missing from local storage and pull the image if it is not there. Note: it is a little difficult to check for cross-arch images if a container already exists for the host's architecture. If the image exists and the container arch doesn't match, just pull the image.
Replace all instances of the `--local` flag in the test suites with `--pull=never` flag.
Update the README to replace the deprecated `--local` flag with the `--pull=always` flag to ensure that the image has been pulled into the local containers storage. Add a note to explain the 3 different options for the pull flag, namely: - `always`, which always pulls the container image - `missing`, only pulls the container image when it is missing - `never`, don't pull the image (same behaviour as the --local flag)
| quay.io/centos-bootc/bootc-image-builder:latest \ | ||
| --type qcow2 \ | ||
| --local \ | ||
| --pull=always \ # Ensure the image is fetched |
There was a problem hiding this comment.
PLEASE make this missing not always.
| The `--pull` flag is based on the behaviour of `podman-build(1)` and has the following three options: | ||
| - `--pull=always`, always pull the remote image | ||
| - `--pull=missing`, only pull the image if it is not in local storage | ||
| - `--pull=never`, don't pull the image (this is functionally the same as the deprecated `--local` flag) |
There was a problem hiding this comment.
Podman build also supports newer.
$ podman run --help | grep -- --pull
--pull string Pull image policy ("always"|"missing"|"never"|"newer") (default "missing")
There was a problem hiding this comment.
$ podman build --help | grep -- --pull
--pull string[="true"] Pull image policy ("always/true"|"missing"|"never/false"|"newer") (default "missing")
|
|
||
| func newPullPolicy(s string) (pullPolicy, error) { | ||
| switch s { | ||
| case "always", "never": |
There was a problem hiding this comment.
What about missing and newer?
There was a problem hiding this comment.
Thanks good catch re missing. We still need to add more tests and figuring out how to approach newer
| *upload_args, | ||
| *target_arch_args, | ||
| "--local" if local else "--local=false", | ||
| "--pull=never" if local else "--pull=always", |
|
OK this topic is subtle and confusing. I am coming around to the PoV that the only viable solution is to change all the documentation for bib to say: And we should not expose While today bib is invoking Trying to replicate the effect of that remoting work from inside is of course technically possible, but I suspect is going to be quite fiddly. Also as I've been arguing in a few contexts for a while, IMO one of the primary entrypoints to bib should be users building their own derived containers they used locally - for which there's no need to pull at all. The case of building a "remote" image of course definitely exists - in fact it's very much a "production" use case I think for e.g. having one build pipeline (Tekton, Actions, etc.) churn out container images, and then a distinct pipeline asynchronously generating disk images by polling the registry (cc #162 ). But anyways there again - it's simple, the pipeline itself just does a |
|
Or to say ⬆️ another way: all this "bib controlling pulls" superficially appears to work except when dealing with images that require authentication, in which case it's all just broken. And we shouldn't make the authenticated case feel broken. |
|
Just to zoom out a bit: The core problem is that we want to do authenticated pulls on the host from a container (bib). The usual pattern used in the wild is to mount the docker/podman socket inside your application container and control the host's container engine remotely. See e.g. watchtower. On the other hand, the socket approach isn't that common in the podman world (except for remote use-cases), it feels cumbersome to set up, and I actually don't know at all how it would work in case of podman machine. Additionally, bib doesn't only need to pull images, but it also needs access to the image's underlying layers, which means that even if wanted to experiment with using a socket, we would still need to mount the storage inside. I just wanted to mention sockets for the sake of completeness, but I fully acknowledge that this is not the right way. I think that having |
|
FWIW, I like the simplicity of limiting the behaviour of BIB to local containers only (no pulling ever) and letting the user take care of having the containers locally, either by building them or pulling them ahead of time. It reduces the complexity of the project as well as the mental load for users trying to wrap their heads around what BIB is doing when pulling, whether it needs authentication or not, etc. |
I don't think interacting with the socket helps, it gives the same semantics as just running the Things like watchtower will generally assume that you've configured the pull secret for the container image globally for the container engine, AFAICS. The problem is the Podman-machine case again; if you follow the default developer UX of running e.g. |
|
I agree simplify BIB and only work on local storage. Force the caller to pull the image first or build the image locally. |
This is a small POC to see how we can switch from using the
--localflag to--pullwhich is both more descriptive and more inline with how podman behaves. Thisis a breaking changechanges the existing behaviour, but it makes sense as it feels more intuitive and feels better from UX point-of-view.This PR introduces 3 cases:
--localflag)