Pull policy for build does not follow documentation

computator commented 4 months ago

Issue Description

The documentation for the image pull policy specifies several different options, but not all of them seem to be effective. In particular, the --pull=newer option for podman build is ignored and it instead uses the missing policy. This seems to be due to this code block here: https://github.com/containers/podman/blob/920e583b2493fa223a09c92caca800bb18e8b893/cmd/podman/common/build.go#L308-L323 The documentation for build references the shared pull.image snippet, which lists newer as a supported option. Checking the history, it appears as if the build documentation also listed newer as an option before things were split out into the shared snippet. https://github.com/containers/podman/blob/920e583b2493fa223a09c92caca800bb18e8b893/docs/source/markdown/options/pull.image.md?plain=1#L12

The flag help text for build also mentions newer, although according to the git blame for that it looks like it was updated in #20124 without checking the corresponding code. https://github.com/containers/podman/blob/920e583b2493fa223a09c92caca800bb18e8b893/cmd/podman/common/build.go#L78

Steps to reproduce the issue

Run podman --log-level debug build --pull=newer . to build a container.

Describe the results you received

Note in the log output that a policy of missing is used:

DEBU[0000] Pulling image docker.io/library/alpine (policy: missing)

Describe the results you expected

That the build process will pull newer images, as well as that the policy shown in the logs should look something like this:

DEBU[0000] Pulling image docker.io/library/alpine (policy: newer)

podman info output

host:
  arch: amd64
  buildahVersion: 1.35.3
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.74
    systemPercent: 0.11
    userPercent: 0.15
  cpus: 32
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: file
  freeLocks: 2048
  hostname: 614c3b085043
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.0-35-generic
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 27694116864
  memTotal: 33578401792
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-3.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.4-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240426.gd03c4e2-1.fc40.x86_64
    version: |
      pasta 0^20240426.gd03c4e2-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 1h 52m 10.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.13-1.fc40.x86_64
      Version: |-
        fusermount3 version: 3.16.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.16.2
        using FUSE kernel interface version 7.38
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 314419200000
  graphRootUsed: 226109505536
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 8
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.0.2
  Built: 1713312000
  BuiltTime: Wed Apr 17 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.2

Podman in a container

Yes

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

This is the latest podman container run via podman run --rm -it --privileged quay.io/podman/stable, however it acts identically on the host running podman 4.6.2.

github-actions[bot] commented 3 months ago

A friendly reminder that this issue had no activity for 30 days.

computator commented 2 months ago

Not sure if we still need to comment to un-stale these? This is still an issue though

rhatdan commented 2 months ago

Interested in opening a PR to fix?

containers / podman