Is running a container an outdated image?

cquike · January 27, 2022, 5:15pm

I would like to know if there is a way, on a programatic way, to know if a container is running an outdated image.
For instance:

$ lxc init my_remote:my_image my_container
$ lxc start my_container
$ lxc image show my_image | grep auto_update
auto_update: true

If later on my_image is automatically updated, is there any way, by querying some properties of the running my_container to know that the image it was created from is now outdated?

Related to that, I don’ even know how to retrieve the image from the containers, i.e., I couldn’t see any property in my_container that relates to my_image (or it’s fingerprint).

I am using lxc 3.0.3.

Thanks!

turtle0x1 · January 27, 2022, 5:35pm

I dont know anyway of the top of my head, you probably need code that does;

instance_fingerprint = # go get volatile.base_image
instance_os = #go get image.os
instance_release = # go get image.release 

latestImageFingerprint = lookupImageCurrentFingerprint(instance_os, instance_release)

if(latestImageFingerprint != instance_fingerprint) {
   # Recreate container with latest image
}

But it would be error prone as I think image.os and image.release are optional properties on an instance

cquike · January 27, 2022, 6:52pm

Indeed, unfortunately that doesn’t work since for my custom images I don’t have the image.os or image.release properties. Moreover, I don’t know how that could uniquely identify an image, since several of my images share the same underlying OS.

turtle0x1 · January 28, 2022, 1:42am

Then you are pretty screwed, its requires effort on your part for this to work as expected.

As you’ve indicated fingerprints aren’t enough (Ive thought about this plenty for LXDMosaic)

turtle0x1 · January 28, 2022, 1:44am

You know you can set these right? Its not “game over” if your prepared for some “admin overhead”.

cquike · January 28, 2022, 12:03pm

Thank you very much for your help.
Thinking a bit more about it I have managed to have a working (albeit hacky) solution. I post it here in case it is useful for other people:

Context: we create our images with packer. Packer is driven by some automatic job that get’s triggered everytime there is a change in the image creation scripts. When a new image is created the old image is “overwritten”. The key here is that the old image loses the alias, which is now assigned to a the image. In other words: The first time we have image with fingerprint abababab and alias my_image, and when there is an update of the image we have images abababa without alias and new image bcbcbcbc with my_image alias.

The way to check whether the container runs an outdated image is to check the fingerprint in image volatile.base_image. Then we check whether the image with that fingerprint has an alias or not. If it doesn’t have an alias is because a new image has replaced it and hence the container runs an outdated image.

In a few lines of quick shell script:

  cont_name=my_container 
  image_fingerprint=`lxc config get $cont_name volatile.base_image`
  image_alias=`lxc image info pps_lxd_images:$image_fingerprint | grep -A 1 Aliases: | grep -v ":"`
  if [ -z "$image_alias" ]; then
     echo "  Container $cont_name runs outdated image $image_fingerprint"
  else
     echo "Container runs the last image version"
  fi

A small improvement could be to have the image info in JSON so that is machine readable.