Draft about tagging strategy #7
Conversation
This commit includes a suggestion about how to handle images tags using the SUSE Container Registry to deliver them. This is just an initial draft open to discussion.
|
I just see a caveat with that approach, what will happen with the derived images when the base updates. Say this example, you have And there is a This is just my point of view. Hope it makes sense. |
@chentex, yes your point of view makes sense. I realize I was no clear enough, the release numbers are related to the image, not to the package (in the example I just copied the release of mariadb package as an example, but this is confusing). So the mariadb:10.2.15-lp150.2.3.2, if rebuild the release part of the tag should be updated, regardless of the release of the mariadb package. Let's use a better numbering examples, the default build ID of images in OBS. Imagine we have |
|
Thanks for the explanation @davidcassany, I understand now. |
|
In general I like it but I see that we need a tool to know that there are new updates in the registry and to pull the new images. If we have such a tool, then this looks good. Otherwise, what about updating the manifest files but using the digest instead of a "generic tag"? |
| require a Kubernetes manifest update for each image update. The manifest could | ||
| be set to some stable mariadb version (e.g. 10.2) and still be updated if the | ||
| image requires a rebuild due some security fixes in the SLE base image or even | ||
| in mariadb itself. |
There was a problem hiding this comment.
I think we have to extend this section explaining that with Kubernetes we can write our manifests to reference the stable tag (eg <registry-domain>/mariadb:10.2) and specify a imagePullPolicy="Always" pull policy.
There was a problem hiding this comment.
We can do that - but it will result in having a "random mix" of builds running. Without a manifest change, kubernetes will not roll out a new build of an image. Setting imagePullPolicy=Always just means that, when a Pod happens to restart for some other reason, the latest image will be pulled.
Kubernetes best practice really is - use a image tag that is guaranteed to never change, and update your manifests when you want an updated image.
|
@davidcassany can you update the RFC with the clarification you gave to @chentex ? |
|
@jordimassaguerpla wrote:
For CaaSP specific containers we might want to write a piece of software that monitors the versions of the containers we actually own. Make sure they are using the latest version, if not force their update. All the other software stacks handle that in a different way. For example, software installed via Helm charts (like CAP) references specific digests of the images inside of their helm charts. The containers are updated to a more recent version by pushing out a new version of the chart. From a certain POV this shifts the problem to a higher level (how to figure out if there's a new version of the helm chart). I'm going to ping the CAP folks to shed some light on their current approach. |
|
BTW, the CAP guys are also using container image labels to add extra information to the images. AFAIK they are using them to track specific package versions, build origin, git commits,... This is something we might want to use as well to attach "invisible" (as in not as prominent as tags) details to our images. |
| ## Introduction | ||
|
|
||
| As SUSE starts delivering software shipped in containers accessible | ||
| from the [SUSE container registry](https://registry.suse.de). Images within the |
There was a problem hiding this comment.
That's the internal registry, the final one is going to be registry.suse.com.
There was a problem hiding this comment.
Yes, I know, just added it here because this link is browsable from SUSE network. We can remove the link if this is confusing. The registry.suse.com to me leads to a Connection refused error
There was a problem hiding this comment.
This is kubic-project - so maybe use registry.opensuse.org?
|
@flavio I already did here 9fc6d38 .
We can do that, I did not consider the usage of |
| used in Head project in IBS & OBS. | ||
|
|
||
| One of the advantages of using this strategy is that it does not necessarily | ||
| require a Kubernetes manifest update for each image update. The manifest could |
There was a problem hiding this comment.
Without a manifest update, Kubernetes won't restart running containers with the new build of the image - I don't believe we can get away from doing this without hitting the problem you described above.
| require a Kubernetes manifest update for each image update. The manifest could | ||
| be set to some stable mariadb version (e.g. 10.2) and still be updated if the | ||
| image requires a rebuild due some security fixes in the SLE base image or even | ||
| in mariadb itself. |
There was a problem hiding this comment.
We can do that - but it will result in having a "random mix" of builds running. Without a manifest change, kubernetes will not roll out a new build of an image. Setting imagePullPolicy=Always just means that, when a Pod happens to restart for some other reason, the latest image will be pulled.
Kubernetes best practice really is - use a image tag that is guaranteed to never change, and update your manifests when you want an updated image.
| in RPMs. This way the update and delivery worklfow is the same as any other | ||
| packages. However within the containers ecosystem this presents some isssues: | ||
|
|
||
| * Containers ecosystems based on Kubernetes are not disigned to interact with |
|
|
||
| `kiwi` and `skopeo` tools can build images with multiple tags (since versions | ||
| 9.15.3 and 1.30.0 respectively). Thus the main idea is to keep using stable | ||
| tags to facilitate image references in manifests but also tag images in |
There was a problem hiding this comment.
Thus the main idea is to keep using stable tags to facilitate image references in manifests
Currently, we don't reference "stable" tags - we reference the most specific tag available (i.e. the one that includes the build service's build number). Otherwise, we would have hit the problem you described above :)
There was a problem hiding this comment.
Oh I was not aware that there was a manifest rebuild for each image rebuild, I did not see this part of the chain...
There was a problem hiding this comment.
It's not baked into the build service, it's currently happening on boot: https://github.com/kubic-project/caasp-container-manifests/blob/master/admin-node-setup.sh#L12-L45
(and, on boot works only because they are currently RPMs and tx-update means a reboot)
| caasp/mariadb 10.2 1ade07d13d13 | ||
| caasp/mariadb latest 1ade07d13d13 | ||
| caasp/mariadb 10.2.15-3.2 1ade07d13d13 | ||
| ``` |
There was a problem hiding this comment.
This looks perfect to me, where CaaSP manifests would reference the 10.2.15-3.2 tag. The others, at least for CaaSP, would be unused.
There was a problem hiding this comment.
Well I was suggesting to use 10.2 for CaaSP instead and delegate to some other piece of sotfware to track the versions in the registry in order to raise a flag if new image is available. The idea was not causing a manifest rebuild for each image rebuild as this will cause tons of manifest updates.
Currently all KIWI container images include a label Also, if we have a clear understanding of which environment variables should be included as labels it should be easy from the build service to include them. We prepared KIWI for that not long ago: |
|
|
||
| Before SUSE container registry images have been and are being delivered wrapped | ||
| in RPMs. This way the update and delivery worklfow is the same as any other | ||
| packages. However within the containers ecosystem this presents some isssues: |
| checks if those images are available locally and if not pulls them from the | ||
| registry. It means that if an image reference is overwritten with the same | ||
| reference Kubernetes will not pull it again and then images of a running | ||
| cluster start to diverge from the images available into the registry. |
|
While this is the kubic-project, the RFC repository is used for both SUSE
CaaS Platform and Kubic. Addressing SUSE CaaS Platform only needs is fine
here. But indeed, question is whether we have to add any Kubic specifics as
well here.
…On Fri, Aug 10, 2018 at 12:13 PM Fabian Vogt ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In 2018/001-containers-tagging-strategy.md
<#7 (comment)>:
> @@ -0,0 +1,189 @@
+# Containers Tagging Strategy
+
+| Field | Value |
+|:-------|:-----------|
+| Status | Draft |
+| Date | 2018-08-8 |
+
+## Introduction
+
+As SUSE starts delivering software shipped in containers accessible
+from the [SUSE container registry](https://registry.suse.de). Images within the
This is kubic-project - so maybe use registry.opensuse.org?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#7 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABB40ORio-zQlIhlOI1y0XRaCzJf5Zhks5uPVzigaJpZM4VzYaF>
.
--
Andreas Jaeger
[email protected]
http://andreasjaeger.blogspot.com
|
|
From my POV the main goal of this RFC is to get us away from doing nasty hacks like the https://github.com/kubic-project/caasp-container-manifests/blob/master/admin-node-setup.sh#L12-L45 described by @kiall. Instructing Kubernetes to always pull can ensure the latest stable version of an image is pulled whenever a new container is about to run, however does not help with already running ones. Referencing specific versions of the images will help with freshly started containers and already running ones. However that moves the problem on the generation of the manifests, because they have to be constantly changed to specific the latest version of the images available. How can we solve that without resorting to the current hack? |
|
@flavio / @davidcassany - how about we split this out into two documents. Doc #1 Tagging and so on. Doc #2 Consumption of those tags for our usage. I think the pieces in here related to #1 are perfect, and implementation wise, are entirely separate. Lets get that out, and work on the consumption from kubernetes separately? |
Sounds good to me |
davidcassany
force-pushed
the
tagging_strategy
branch
from
d2bf44c
to
eff8e84
Compare
davidcassany
force-pushed
the
tagging_strategy
branch
from
eff8e84
to
d4e846c
Compare
With this commit the scope of the document is reduced and it is only considered how images are finally tagged into the registry. How are they consumed is out of the scope of the document.
davidcassany
force-pushed
the
tagging_strategy
branch
from
d4e846c
to
7a5a601
Compare
This commit includes a suggestion about how to handle images tags
using the SUSE Container Registry to deliver them. This is just an
initial draft open to discussion.
Rendered version here