Verify all stages of an image [which rickshaw sourced/built with workshop] are not stale

[atheurer]

It is possible that the "base" image, the container image specified in a userenv, can be updated without our knowledge. For example, a stream:9 image which now has libraries updated for bug fixes, or a nvidia-cuda:latest image which has python libraries updated. When we expired images every two weeks, this was not a big issue, but now that we don't expire for a year, we may run into situations where the base image is "stale".

To remedy this, we need to, for all stages in a image, compare the manifest of the container image we have to the manifest of the container image at its source, and if there is a difference, rebuild (with pull --always) the image. This needs to be done even if the final image:tag we need matches locally or even in the container registry.

[k-rister]

I've looked into this a bit and I don't think it would be terribly difficult to add the digest of the image that we are basing a build off of to the config dump (that is then used by rickshaw to compute it's tags). If that base image changes then it's digest will change and then the correspond config dump will change and the calculated tag would change.

[k-rister]

Lots of work being done for this issue here: https://github.com/perftool-incubator/workshop/pull/84

[k-rister]

This is taken care of by the build-policy property in the userenv.