ansible / ansible-runner

A tool and Python library that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. The goal is to provide a stable and consistent interface abstraction to Ansible.

Untag instead of force remove image for podman #1342

Closed TheRealHaoLiu closed 8 months ago

TheRealHaoLiu commented 8 months ago

⚠️ Warning: this PR will cause the behavior to deviate from the name of the param --remove-images that runs this code ⚠️

This is a behavioral change (and hopefully for the better): now cleanup_images will behave the same for podman and docker.

docker rmi will just untag, while podman rmi will untag and remove layers and cause a running container to be killed. For podman we use untag to achieve the same behavior.

This only untags the image and does not delete the image; prune_images needs to be called to delete.

nitzmahone commented 8 months ago

I get why people want builder to do rmi (though still ill-advised), but why is runner managing images at all? At least under modern podman, just running container instances shouldn't be creating new images.

shanemcd commented 8 months ago

@nitzmahone I was asking myself the same thing. I think it was added to ansible-runner because that's the only thing other than receptor we install on execution nodes, which is where we need to run this.

AlanCoding commented 8 months ago

My 2 cents - runner is effectively acting as a command allow-list here. If we could ship an arbitrary Python file or bash script, it could be done that way, but perhaps less securely. In the receptor mesh, the control nodes are only allowed to run ansible-runner worker commands. So we have to go through ansible-runner for anything AWX needs to run.