Easiest way to execute a command like `docker run <image> <cmd>` and to update images and instances with Incus

Incus
, ,
1

I’ve been running OCI instances with Incus for some time now and I’m wondering if there is an easier way to accomplish some common tasks.

Launching an instance with a command

Some images, like the Skopeo image, are meant to be launched with a command (with Docker: docker run --rm <image> [command]) When using images like this with Incus, I either have to get the entrypoint (for example /usr/bin/skopeo) and then set a new value with the command appended (for example -c oci.entrypoint="/usr/bin/skopeo --help") and launch the instance or to set it to /bin/sh, launch the instance and then execute the command.

Is there an easier way?

Updating images and instances

To update an instance in Incus, I do the following:

First I try get the image fingerprint with incus image list. If the image is still cached (that is, if images.remote_cache_expiry has not been exceeded), I update it with incus image refresh.

If the image isn’t cached anymore, I create and then remove a temporary instance: incus create <remote>:<image> tmp --ephemeral && incus remove tmp.

Then I need to replace the instance. To replace ephemeral instances, I run and incus create <remote>:<image> <instance> --ephemeral && incus remove <instance>. With non-ephemeral instances, I could run incus rebuild <remote>:<image> <instance>.

Is there an easier way to accomplish this using incus commands alone?

Setting a high value for images.remote_cache_expiry makes it possible to use incus image refresh in most cases (the command requires the image fingerprint, it seems). Though with ephemeral instances I can’t use incus rebuild. The documentation doesn’t say whether the image auto-update feature is available for OCI images, but I assume it isn’t.

I’d also be interested in other ways to manage multiple OCI instances with Incus and keep them updated.

Determining which image (from a remote registry) an instance is currently using

incus image config show <image> returns a SHA256 fingerprint, but I assume this is the fingerprint of the image (file) that Incus generates. At least I don’t see the same fingerprint anywhere in the output of skopeo inspect (from the remote registry) or any other image fingerprint in Incus.

My solution for now is to refresh the image if it’s still cached, or fetch it by creating a temporary instance (as described above). Then I compare the image fingerprint and the instance’s volatile.base_image value. If they differ, I replace the instance.

I haven’t been able to find any logs from Skopeo (executed by Incus) that tell me which image was fetched.

Again, my question is whether there is an easier way to accomplish this. Is the fingerprint of the image the Skopeo fetched from the remote registry accessible anywhere?