Identifying container images by digest only #14185
Conversation
enoodle
force-pushed
the
better_identify_container_images
branch
2 times, most recently
from
22a60e8 to
be1c581
Compare
|
@enoodle what labels are relevant for this PR? |
|
@miq-bot add_label bug providers/containers |
|
@enoodle Cannot apply the following label because they are not recognized: bug container |
|
@cben @moolitayer @zakiva please review |
|
@enoodle Cannot apply the following label because they are not recognized: bug providers/containers |
|
|
||
| @data[:container_images].each do |ns| | ||
| @data_index.store_path(:container_images, :by_name, ns[:name], ns) | ||
| @data_index.store_path(:container_images, :by_image_ref, ns[:image_ref], ns) |
There was a problem hiding this comment.
I couldn't find any use of these.
| @@ -174,7 +168,7 @@ def parse_env_variables(env_variables) | |||
| def parse_openshift_image(openshift_image) | |||
| id = openshift_image[:dockerImageReference] || openshift_image[:metadata][:name] | |||
| ref = "#{ContainerImage::DOCKER_PULLABLE_PREFIX}#{id}" | |||
| new_result = parse_container_image(id, ref) | |||
| new_result = parse_container_image(id, ref).merge!({:image_ref => ref}) | |||
There was a problem hiding this comment.
not that important but I think:
.merge(:image_ref => ref)
should do the same
There was a problem hiding this comment.
I don't want to create a new object but to change the current one. (That I receive from @data[:container_images][...] )
| @@ -772,7 +768,7 @@ def parse_image_name(image, image_ref) | |||
| { | |||
| :name => image_parts[:name], | |||
| :tag => image_parts[:tag], | |||
| :digest => image_parts[:digest] || (image_ref_parts[:digest] if image_ref_parts), | |||
| :digest => image_parts[:digest] || (image_ref_parts[:digest] if image_ref_parts) || "", | |||
There was a problem hiding this comment.
Just curious, why did you want to change the empty value from nil to empty string?
(given that #{nil} is an empty string)
There was a problem hiding this comment.
I didn't know that. Also at the beginning I thought of saving the images in @data_index[:container_images][:by_repository][...][:by_name][..][:by_digest][..] so it made sense. I left this to allow easier iteration over the images in @data_index[:container_images]` . I will revert this change now as it seems confusing.
enoodle
force-pushed
the
better_identify_container_images
branch
from
be1c581 to
1996084
Compare
|
@enoodle any repercussion on existing images? E.g. after we merge this, in existing deployments out there, what will happen? Many images will result as "deleted"? |
|
@simon3z With systems with docker prior to 1.12, without the |
@enoodle OK. Also there are still clusters out there with docker older that 1.12 what will happen to those ones when this code is merged? |
|
@simon3z They currently may have duplicated images which will be deleted. |
enoodle
force-pushed
the
better_identify_container_images
branch
from
1996084 to
65d0568
Compare
enoodle
changed the title
enoodle
force-pushed
the
better_identify_container_images
branch
from
65d0568 to
bdccfb9
Compare
|
@enoodle did you update this with the things we discussed this afternoon? If so we can go over this together tomorrow. |
enoodle
force-pushed
the
better_identify_container_images
branch
from
bdccfb9 to
7c27144
Compare
|
@simon3z Yes, This will only identify images by the digest if they have the "docker-pullable://" prefix. Otherwise they will identified by their reference ("docker://..."). the full image name (that is also sent to image-inspection) is also determined from the docker-pullable value if it is present. Edit: |
The image-ref is not a reliable source to identify images when it comes from the docker daemon (in the docker://... form). This will identify the images from the information that we can parse. Doing so will also enable us to commit the images to the @DaTa hash when we identify the images instead from a collection function (get_images), which will simplify image collection from Openshift.
enoodle
force-pushed
the
better_identify_container_images
branch
from
7c27144 to
f03a2fd
Compare
|
cc @blomquisg We would like to review/merge this ASAP before the pending freeze. |
|
Checked commit enoodle@f03a2fd with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 app/models/manageiq/providers/kubernetes/container_manager/refresh_parser.rb
spec/models/manageiq/providers/openshift/container_manager/refresh_parser_spec.rb
|
|
@simon3z I tested SSA with this PR on both |
|
@simon3z I am not sure what this means. The older docker daemon only returns the reference in one way |
|
LGTM 👍 |
|
@enoodle there is a conflict backporting this to Euwe. The Please let me know if it can, or if |
|
@enoodle please handle this ASAP on Sunday (Euwe backport conflict). |
|
Backported to Euwe via #14396 |
The image-ref is not a reliable source to identify images when it comes
from the docker daemon (in the docker://... form). This will identify
the images from the information that we can parse.
Doing so will also enable us to commit the images to the @DaTa hash when
we identify the images instead from a collection function (get_images),
which will simplify image collection from Openshift.
This will only identify images by the digest if they have the "docker-pullable://" prefix. Otherwise they will identified by their reference ("docker://..."). The full image name (that is also sent to image-inspection) is also determined from the docker-pullable value if it is present.
The only tricky point I identified is when the docker daemon sends "docker://" prefix but the images came from openshift (from the build process for example) and its name has the "docker-pullable://" prefix. In this case I reconstructed the reference from the available information about the image. [1]
[1]https://github.com/ManageIQ/manageiq/pull/14185/files#diff-0324981fdb3019ce6d98f9c86d97f2bbR769
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1428320