Incus/tofu: Keeping (oci) images updated

Pricey · October 31, 2024, 2:48pm

I’m following the incus_image example-usage for some containers e.g:

resource "incus_image" "go-vod" {
  source_image  = {
    remote = "docker"
    name = "radialapps/go-vod"
  }
}

resource "incus_instance" "go-vod" {
    name      = "go-vod"
    image     = incus_image.go-vod.fingerprint
    ephemeral = false
}

I would like to periodically update the images and restart new containers based on them.

Currently, I do something like the following, with a -replace for each instance:

tofu apply -replace="incus_image.go-vod"

This isn’t satisfying as it replaces all images & containers, regardless of whether the image has been updated upstream since it was last fetched.

Is there a better way?

jarrodu · October 31, 2024, 3:14pm

It has been a while since I worked with the Incus Tofu provider. The way I would normally solve this problem is by using a data source that would expose the image fingerprints from the source image.

I took a look at the provider and played around a bit. It looks like this data source is not implemented yet. Maybe submitting a feature request makes sense.

BTW: It is great to see some more Tofu users in the forums.

Pricey · October 31, 2024, 3:28pm

I should’ve looked for that earlier… turns out it has been merged and just needs releasing: image: Add image datasource by maveonair · Pull Request #131 · lxc/terraform-provider-incus · GitHub

Easy enough to install my own built version until then!

jarrodu · October 31, 2024, 3:37pm

I hope it works the way I am thinking. The OCI part of the question might complicate things. I don’t remember how Incus deals with OCI and Incus image fingerprints. They are different things.

Pricey · October 31, 2024, 3:38pm

After pulling & building main, attempting:

data "incus_image" "go-vod" {
  remote = "docker"
  name   = "radialapps/go-vod"
}

resource "incus_instance" "go-vod" {
    name      = "go-vod"
    image     = data.incus_image.go-vod.fingerprint
    ephemeral = false
}

results in:

│ Error: Failed to retrieve Incus ImageServer
│ 
│   with data.incus_image.go-vod,
│   on go-vod.tf line 1, in data "incus_image" "go-vod":
│    1: data "incus_image" "go-vod" {
│ 
│ Remote "docker" (oci) is not an InstanceServer

Not sure if I’ve messed up the syntax or if this doesn’t currently support oci…

jarrodu · October 31, 2024, 3:45pm

Yeah, I think it is OCI that is causing the issue. You could copy the image down then reference your local image. Then you could automate refreshing the image outside of Tofu.

At that point the data source should pick up the new fingerprint.

Pricey · October 31, 2024, 4:12pm

I’m guessing I might eventually want to make use of Incus: About Images - Auto Update …

Don’t really mind whether tofu or Incus take care of it but I suspect others have opinions.