Human-readable date-based image suffixes

[cevich]

Historically, the ID used to identify a set of images was taken from the
Cirrus-CI build ID. This was done to make auditing easier, since one
can easily retrieve the build logs using the ID. However, there are
many disadvantages to using the build id:

• It's not human-readable, making it difficult to ascertain exactly when
  the images were built.
• It's not guaranteed to be incremental, and therefore cannot be
  utilized as a "version".
• It doesn't convey helpful information like when it was produced, or
  which release of Fedora is included in the set.

For these and other reasons, switch to a simple date-based image suffix
encoded in a repository file. Include a UTC-baesd timestamp to avoid
value collisions, and a string identifying what OS's releases were built.

[cevich]

Right....cirrus.yml has references to $IMG_SFX all over the place, and there's no way to pull the value from the Makefile 😢

[cevich]

@edsantiago This is not urgent, but I could use a second pair of eyes early on.

Big-picture: My eventual goal is to have renovate manage opening vm-image update PRs for us. For that to work, we need image-suffixes resembling version-numbers that sort properly, and can be git tag into this repo. Before you ask - "no" the current values are not guaranteed to be incremental.

So this PR is a first-step in that direction...but as usual, it's complicated 😞

The major change here so far, is that Cirrus will read a $IMG_SFX "version" value in from a file in the repo. The file can be generated (and updated) by make IMG_SFX. However, since it's date-based (for human readability), there can be clashes[0]. I added a v0 field that can be incremented to help avoid them, but this is less than ideal[1].

In short, with this PR, the new "build a new set of images" workflow would go like:

1. Run make IMG_SFX.
2. Manually verify there are/were no other open image-update PRs that used the same suffix value - this could be an automated check eventually, but that's for later.
3. If there is a clash, edit IMG_SFX file and bump the v0 number to prevent it.
4. Push PR and wait.
5. Assuming success, github-action prints table of built images.
6. Update downstream .cirrus.yml to use the new suffix,
   e.g. IMAGE_SUFFIX = c230118v0-f37p36u2204

Does this sound mostly sane so far?

Do you think it's helpful to include the OS revisions in the ID?

---

[0]Note: A IMG_SFX clash is potentially really very bad. At best it will clobber existing images from somebody else's PR. At worst it will break somebody's active (still building) images or images already in use by downstream CI (eek!).

[1]Note: There are character and size limitations to the IMG_SFX value. I'd prefer to keep it human readable if possible, but an option could be to swap the OS-versions part for a short git-commit hash to prevent clashes.

[cevich]

force-push change summary:

• Clarified README.md changes further
• Added '-' separator between distro versions in IMG_SFX format
• Added hours/minutes/seconds value to IMG_SFX format
• Moved validation commands into validate.sh w/ helpful failure messages.

[github-actions]

Cirrus CI build successful. Found built image names and IDs:

Stage	Image Name	IMAGE_SUFFIX
base	fedora	b230119-131309-f37-f36-u2204
base	fedora-aws	b230119-131309-f37-f36-u2204
base	fedora-aws-arm64	b230119-131309-f37-f36-u2204
base	image-builder	b230119-131309-f37-f36-u2204
base	prior-fedora	b230119-131309-f37-f36-u2204
base	ubuntu	b230119-131309-f37-f36-u2204
cache	build-push	c230119-131309-f37-f36-u2204
cache	fedora	c230119-131309-f37-f36-u2204
cache	fedora-aws	c230119-131309-f37-f36-u2204
cache	fedora-netavark	c230119-131309-f37-f36-u2204
cache	fedora-netavark-aws-arm64	c230119-131309-f37-f36-u2204
cache	fedora-podman-aws-arm64	c230119-131309-f37-f36-u2204
cache	fedora-podman-py	c230119-131309-f37-f36-u2204
cache	prior-fedora	c230119-131309-f37-f36-u2204
cache	ubuntu	c230119-131309-f37-f36-u2204
cache	win-server-wsl	c230119-131309-f37-f36-u2204

[cevich]

w00t! 🎉

[Luap99]

I find it very hard to read this custom date format. Any reason to not just use the iso 8601 format? Also looks like the time is in the local timezone? I would prefer UTC.

Lastly would it make sense to encode the automation_images PR number in that ID? In case something broke it will be easy to find the correct PR here.

[cevich]

@Luap99 Using UTC is a good suggestion. Thanks.

I'm fairly limited in the character set and length for the image names. It's about 45 lower-case letters, numbers, and '-'. That's it. So I'm afraid a delimited date/time wouldn't look much better:

23-01-19-13-13-09-f37-f36-u2204

what about if I stuck a full year, and t in there in they style of 8601, so:

2023-01-19t13-13-09-f37-f36-u2204

any better?

[cevich]

Also keep in mind, it's not expected for humans to be reading/decoding this ID very much. Maybe once a month or so on average, if that. So I think some amount of ugliness is probably okay.

[cevich]

Hmmm. I think all the - actually make it harder to read. What about:

20230120-151738-f37f36u2204 (eventually will be d11 on the end)

[Luap99]

@Luap99 Using UTC is a good suggestion. Thanks.

I'm fairly limited in the character set and length for the image names. It's about 45 lower-case letters, numbers, and '-'. That's it. So I'm afraid a delimited date/time wouldn't look much better:

23-01-19-13-13-09-f37-f36-u2204

what about if I stuck a full year, and t in there in they style of 8601, so:

2023-01-19t13-13-09-f37-f36-u2204

any better?

20230120T141842Z would be also work for me and iso 8061

I don't really need the dashes, the full year alone is enough for my brain to recognize this as date.

[cevich]

SGTM

[cevich]

Upper-case characters aren't supported, but I still think this works okay:

20230120t152650z-f37f36u2204

The real trick will be seeing if I can teach renovate how to interpret that as a version number.

[Luap99]

yeah that works for me as well, I really like the idea behind this.

[cevich]

I really like the idea behind this.

Ya, me too. I think it was actually @edsantiago that suggested it a few years ago ☺️ The thing that's motivating me is: Renovate will be able to post image-update PRs, just based on tagging one of these "versions" in this repo. I'm working on a POC in containers/automation_sandbox right now, as I write this.

[cevich]

W00t, it's working: containers/automation_sandbox#97

[github-actions]

Cirrus CI build successful. Found built image names and IDs:

Stage	Image Name	IMAGE_SUFFIX
base	fedora	b20230120t152650z-f37f36u2204
base	fedora-aws	b20230120t152650z-f37f36u2204
base	fedora-aws-arm64	b20230120t152650z-f37f36u2204
base	image-builder	b20230120t152650z-f37f36u2204
base	prior-fedora	b20230120t152650z-f37f36u2204
base	ubuntu	b20230120t152650z-f37f36u2204
cache	build-push	c20230120t152650z-f37f36u2204
cache	fedora	c20230120t152650z-f37f36u2204
cache	fedora-aws	c20230120t152650z-f37f36u2204
cache	fedora-netavark	c20230120t152650z-f37f36u2204
cache	fedora-netavark-aws-arm64	c20230120t152650z-f37f36u2204
cache	fedora-podman-aws-arm64	c20230120t152650z-f37f36u2204
cache	fedora-podman-py	c20230120t152650z-f37f36u2204
cache	prior-fedora	c20230120t152650z-f37f36u2204
cache	ubuntu	c20230120t152650z-f37f36u2204
cache	win-server-wsl	c20230120t152650z-f37f36u2204

[edsantiago]

High-level: wow, fantastic work, thank you. This is beautiful and will be much appreciated.

Low level: whewwwwww, thanks for your patience. A lot to learn and understand. I have one (possibly invalid) concern, and one question.

[cevich]

whewwwwww, thanks for your patience

No worries, as always I appreciate the oversight MUCH more than I dislike waiting 😄