Thank you very much for your help.
Thinking a bit more about it I have managed to have a working (albeit hacky) solution. I post it here in case it is useful for other people:
Context: we create our images with packer. Packer is driven by some automatic job that get’s triggered everytime there is a change in the image creation scripts. When a new image is created the old image is “overwritten”. The key here is that the old image loses the alias, which is now assigned to a the image. In other words: The first time we have image with fingerprint abababab and alias my_image, and when there is an update of the image we have images abababa without alias and new image bcbcbcbc with my_image alias.
The way to check whether the container runs an outdated image is to check the fingerprint in image volatile.base_image. Then we check whether the image with that fingerprint has an alias or not. If it doesn’t have an alias is because a new image has replaced it and hence the container runs an outdated image.
In a few lines of quick shell script:
image_fingerprint=`lxc config get $cont_name volatile.base_image`
image_alias=`lxc image info pps_lxd_images:$image_fingerprint | grep -A 1 Aliases: | grep -v ":"`
if [ -z "$image_alias" ]; then
echo " Container $cont_name runs outdated image $image_fingerprint"
echo "Container runs the last image version"
A small improvement could be to have the image info in JSON so that is machine readable.