Skip to content

Pull policy for build does not follow documentation #22845

New issue
New issue
Open
#27005
Open
Pull policy for build does not follow documentation#22845
#27005
Labels
kind/bugCategorizes issue or PR as related to a bug.
@computator

Description

@computator
computator
opened on May 30, 2024

Issue Description

The documentation for the image pull policy specifies several different options, but not all of them seem to be effective. In particular, the --pull=newer option for podman build is ignored and it instead uses the missing policy. This seems to be due to this code block here:

podman/cmd/podman/common/build.go

Lines 308 to 323 in 920e583

// Allow for --pull, --pull=true, --pull=false, --pull=never, --pull=always
// --pull-always and --pull-never. The --pull-never and --pull-always options
// will not be documented.
pullPolicy := buildahDefine.PullIfMissing
if c.Flags().Changed("pull") && strings.EqualFold(strings.TrimSpace(flags.Pull), "true") {
pullPolicy = buildahDefine.PullAlways
}
if flags.PullAlways || strings.EqualFold(strings.TrimSpace(flags.Pull), "always") {
pullPolicy = buildahDefine.PullAlways
}
if flags.PullNever ||
strings.EqualFold(strings.TrimSpace(flags.Pull), "false") ||
strings.EqualFold(strings.TrimSpace(flags.Pull), "never") {
pullPolicy = buildahDefine.PullNever
}

The documentation for build references the shared pull.image snippet, which lists newer as a supported option. Checking the history, it appears as if the build documentation also listed newer as an option before things were split out into the shared snippet.

podman/docs/source/markdown/options/pull.image.md

Line 12 in 920e583

- **newer**: Pull if the image on the registry is newer than the one in the local containers storage. An image is considered to be newer when the digests are different. Comparing the time stamps is prone to errors. Pull errors are suppressed if a local image was found.

The flag help text for build also mentions newer, although according to the git blame for that it looks like it was updated in #20124 without checking the corresponding code.

podman/cmd/podman/common/build.go

Line 78 in 920e583

flag.Usage = `Pull image policy ("always/true"|"missing"|"never/false"|"newer")`

Steps to reproduce the issue

Steps to reproduce the issue

  1. Run podman --log-level debug build --pull=newer . to build a container.

Describe the results you received

Note in the log output that a policy of missing is used:

DEBU[0000] Pulling image docker.io/library/alpine (policy: missing)

Describe the results you expected

That the build process will pull newer images, as well as that the policy shown in the logs should look something like this:

DEBU[0000] Pulling image docker.io/library/alpine (policy: newer)

podman info output

host:
  arch: amd64
  buildahVersion: 1.35.3
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.74
    systemPercent: 0.11
    userPercent: 0.15
  cpus: 32
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: file
  freeLocks: 2048
  hostname: 614c3b085043
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.0-35-generic
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 27694116864
  memTotal: 33578401792
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-3.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.4-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240426.gd03c4e2-1.fc40.x86_64
    version: |
      pasta 0^20240426.gd03c4e2-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 1h 52m 10.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.13-1.fc40.x86_64
      Version: |-
        fusermount3 version: 3.16.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.16.2
        using FUSE kernel interface version 7.38
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 314419200000
  graphRootUsed: 226109505536
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 8
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.0.2
  Built: 1713312000
  BuiltTime: Wed Apr 17 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.2

Podman in a container

Yes

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

This is the latest podman container run via podman run --rm -it --privileged quay.io/podman/stable, however it acts identically on the host running podman 4.6.2.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions