Support force pulls

[AstraLuma]

Description

Currently there does not seem to be a way to force buildah pull to go an check a registry for a fresh copy of a container.

Steps to reproduce the issue:

• buildah pull --creds not:valid debian
• strace buildah pull debian
• buildah pull --help

Describe the results you received:

None of these give any indication that buildah pull will perform network activity if the image is already available locally.

Describe the results you expected:

An option (eg --force or --always-check) to go and check a registry, even if the image is available locally.

Output of rpm -q buildah or apt list buildah:

🐚 apt list buildah                                                                                                                           
Listing... Done
buildah/unknown,now 1.14.8~1 amd64 [installed]
buildah/unknown 1.14.8~1 arm64
buildah/unknown 1.14.8~1 armhf
buildah/testing 1.11.6-1 i386
buildah/unknown 1.14.8~1 ppc64el

Output of buildah version:

🐚 buildah version                                                                                                                            
Version:         1.14.8
Go Version:      go1.14.2
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.1-dev
CNI Spec:        0.4.0
libcni Version:  
image Version:   5.4.3
Git Commit:      
Built:           Fri Apr 17 23:57:07 2020
OS/Arch:         linux/amd64

*Output of `cat /etc/release`:**

🐚 cat /etc/*release                                                                                                                          
PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Output of uname -a:

🐚 uname -a                                                                                                                                   
Linux cayde7 5.5.0-2-amd64 #1 SMP Debian 5.5.17-1 (2020-04-15) x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver
driver = ""

# Temporary storage location
runroot = "/var/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = false

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"

# Size is used to set a maximum size of the container image.
# size = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

[AstraLuma]

Note that podman pull does always check the registry (eg podman pull --creds not:valid debian will always fail).

[TomSweeneyRedHat]

@astronouth7303 thanks for the issue. Just to make sure I'm on the same page, you used for the creds in the example not:valid but when running the test you used valid creds right? I just want to make sure the creds aren't wrapped up into this somehow. Out of curiosity, did you try creating a Dockerfile with these contents:

FROM debian

and then doing buildah bud --layers --pull-always . and podman build --pull-always . ?

I think those should be equivalent and should pull the image.

[AstraLuma]

@astronouth7303 thanks for the issue. Just to make sure I'm on the same page, you used for the creds in the example not:valid but when running the test you used valid creds right? I just want to make sure the creds aren't wrapped up into this somehow.

Nope! The point was to use invalid credentials so that if the pull did hit a server, it would cause an error. buildah pull --creds not:valid will succeed if the image already exists, implying that the registry never checked the credentials (because if it had, it would have rejected them and the pull will fail).

I also used strace to validate that buildah wasn't making internet connections.

... and then doing buildah bud --layers --pull-always . and podman build --pull-always . ?

I think those should be equivalent and should pull the image.

Yeah, those will force the pull, with bad ux. They're just kinda awkward and involve a bunch of work (make a tempdir, write out Dockerfile, run bud, parse output, cleanup).

The context of this request is that I'm working on code to cache a build environment: Pull a base image, install packages, tag based on the requested packages for later use. I would like to implement a policy where I pull a fresh upstream version and see if it's changed.

(And the context for that is that I'm currently doing containerized builds on a Raspberry Pi, where IO is painfully slow, so even just spinning up extra containers has measurable performance impact.)

[AstraLuma]

Note that the other use of buildah pull could be "Resolve this image name into an ID", because it outputs just the ID and you don't need to do additional parsing.

buildah inspect also does this, just outputs a big JSON blob instead of a single line. The usability of this varies dramatically based on how you're calling buildah. (eg, Python is easy. Bash would need jq.)

[rhatdan]

@TomSweeneyRedHat Are you still looking at this one? Is the rework on podman pull enough to satisfy @astronouth7303 needs?

[TomSweeneyRedHat]

@rhatdan I've not gotten back to this. We could sping this off to someone else if you want.

[rhatdan]

This is fixed, I believe in the current podman(3.0) and Buildah 1.19.3.