atomic icon indicating copy to clipboard operation
atomic copied to clipboard
verified publisher icon projectatomic

Consider changing how 'atomic verify' operates with image tags

Open miabbott opened this issue 9 years ago • 3 comments

Currently, atomic verify will return 0 when the argument to the command is an image with a specific tag and there is no update image locally.

# docker images
REPOSITORY                                 TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry.access.redhat.com/rhel7           7.2-44              18c92348de36        4 weeks ago         203.2 MB
registry.access.redhat.com/rhel7/rsyslog   7.2-15              8d1bae48a7c5        5 weeks ago         215.7 MB
# atomic verify registry.access.redhat.com/rhel7:7.2-44
# echo $?
0

In this case, we know there is an updated image on the registry, but atomic verify is just looking for an updated version of that specific tag.

When the updated image is pulled locally, the command returns a message about the updated layer.

# docker images
REPOSITORY                                 TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry.access.redhat.com/rhel7           latest              bf63a676257a        2 weeks ago         203.2 MB
registry.access.redhat.com/rhel7           7.2-44              18c92348de36        4 weeks ago         203.2 MB
registry.access.redhat.com/rhel7/rsyslog   7.2-15              8d1bae48a7c5        5 weeks ago         215.7 MB
# atomic verify registry.access.redhat.com/rhel7:7.2-44

registry.access.redhat.com/rhel7:7.2-44 contains images or layers that have updates:

      'rhel7/rhel-7.2-46' has an update to 'rhel7/rhel-7.2-44'

When discussing this with @baude, we did not agree on the best way to handle the case of the explicit tag. There were three proposals we discussed.

  • Current behavior

This is very explicit, in that if a user passes a specific image:tag to atomic verify, the tool searches the registry for an updated version of that specific image:tag combination. This could be confusing to users because they may never be notified of an updated version of the image that may be tagged as image:tag+1 on the registry.

  • Enhanced registry searching

In this scenario, the user could pass an explicit image:tag or just image and would get the notification if their was an updated version on the registry.

  • Disallow use of explicit tags

We could force the user to just pass in the image as an argument and return an error if an explicit tag is provided. We may want to make an exception for the :latest tag that is commonly used.

I'm kind of in favor the second option, as I think it would make the user experience as easy as possible and assume that users will pass in an explicit tag and expect a notification about an updated image.

miabbott avatar Mar 18 '16 15:03 miabbott

I like 2 also. But I am concerned about certain use cases.

atomic verify fedora:23

Should not say that there is a new fedora 24 version available.

rhatdan avatar Mar 18 '16 15:03 rhatdan

Cleaning up Atomic issues.

@miabbott Can I close this or is this still something you want to change?

rhatdan avatar Oct 11 '16 11:10 rhatdan

@rhatdan I still think the second option presented in the first comment has merits. And now that we have skopeo and the ability to inspect remote registries, we can do the on-demand verification that there is an updated image available on the registry.

miabbott avatar Oct 11 '16 19:10 miabbott