Docker compose config with profiles hangs indefinitely when combining "--no-interpolate" and "--resolve-image-digests"

[b-enigma-con]

Description

Using DevOps build pipeline task "dockercompose@0", the task hangs indefinitely when resolving image digests without interpolation using profiles, and one or more of the services is being excluded by means of profiles.

microsoft/azure-pipelines-tasks#17808 (comment)

Steps To Reproduce

Add task "dockercompose@0" to a DevOps build pipeline. Because task "dockercompose@0" uses outdated "docker-compose" (instead of "docker compose"), apply the following fix (define a docker compose path):
microsoft/azure-pipelines-tasks#17808 (comment)

  # variables
  compose_profiles: dev

  - task: DockerCompose@0
    displayName: Resolve image digests without interpolation
    inputs:
      action: Run a Docker Compose command
      containerregistrytype: 'Container Registry'
      dockerComposeFile: $(dockerComposeFile)
      projectName: $(registry_namespace)
      arguments: --no-interpolate --resolve-image-digests --output docker-compose.image-digests.yml
      dockerComposeCommand: config 
      dockerComposePath: $(dockerComposePath)

Create a docker compose file with 2 services and apply profiles, such as

services:
  sqlserver:
    container_name: sqlserver
    profiles: 
        - dev
        - production
    image: mcr.microsoft.com/mssql/server
    ports:
      - 998:1433
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: ${MSSQL_SA_PASSWORD}

  workerservice:
    container_name: workerservice
    profiles: 
        - production
    image: ${DOCKER_REGISTRY-}/workerservice

Service "workerservice" is excluded when applying profile "dev". This seems to cause the build pipeline task to hang indefinitely.

The command that is created by the task looks like:
/usr/libexec/docker/cli-plugins/docker-compose -f /[snip]/docker-compose.yml -f /[snip]/.docker-compose.1715583828579.yml -p projectname config --no-interpolate --resolve-image-digests --output docker-compose.test.yml

Compose Version

docker compose version: Docker Compose version v2.25.0
docker-compose version: Command 'docker-compose' not found

Docker Environment

Client: Docker Engine - Community
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.13.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.25.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 6
  Running: 2
  Paused: 0
  Stopped: 4
 Images: 10
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-106-generic
 Operating System: Ubuntu 22.04.2 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 3.754GiB
 Name: cnz-t-dock01
 ID: 51904811-1719-44bc-abc0-45db59750e10
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  192.168.14.58:5000
  127.0.0.0/8
 Live Restore Enabled: false

Anything else?

No response

[ndeloof]

Can you replicate this issue by running this same command locally?
Have you tried using latest release v2.27.0?

[b-enigma-con]

I tried several things this morning. It seems that the combination of commands is causing issues.

When using variables in the image property, such as "image: ${DOCKER_REGISTRY-}/${NAMESPACE-}/workerservice", it seems that "no interpolate" and "--resolve-image-digests" clash when using profiles somehow.

It seems that the variables in the image property are properly interpolated according to the profile. Services that are excluded by the profile won't get a correctly interpolated image property. The resolving of the image digests will try to resolve all images of all services. If one image property still contains variables and not a correct URL, the command hangs indefinitely.

So it seems that in this command chain, profiles are interpreted different, leading to some image properties being interpolated, some don't. If one image property is not interpolated, the problem arises.

[ndeloof]

I didn't read carefully and didn't noticed you are using both variables in image tags and ask for digests to be resolved.
What are you trying to achieve? Without interpolation image tags is invalid and obviously command can't succeed. I would expect command to fail and not hang, which is a bug then, still I'd like to better understand your usage

[b-enigma-con]

What I'm trying to achieve is:

A DevOps build pipeline which builds all services in a docker-compose file and pushes them to a registry. I then want someone to be able to do a release using a release pipeline, thereby using the artifact of the build pipeline (which is a docker-compose file containing a reference to the built images). During release, I have different variables depending on the specific environment it is released to.

So I have a build pipeline now, which builds and pushes all images. The image digests are then retrieved and put in the service image properties of the docker-compose file (using devops task "dockercompose@0"). By default, all variables in the docker compose file are interpolated by this task, and if a variable value is not defined, it is substituted by an empty string. By default, at the end of a build, all my variable tokens are substituted by empty strings, so I can't use the variables anymore in a release pipeline.

1. Have a docker-compose file containing several variables.
2. Build services
3. Push services
4. Action "Write service image digests" of task "dockercompose@0", which creates a separate docker-compose file containing only the image references using the digests.
5. I then combine the original docker-compose file with the newly generated docker-compose file without interpolation. The result is a docker-compose file with concrete references to the images (digests), but still all variable tokens present.
6. Push the resulting file as a build artifact.

I now can use variables in my release pipelines depending on the stage/environment, but I'm also sure that I'm using the correct images.

[ndeloof]

Ok. It seems what you would like is some docker compose config --resolve-image-digests --images command (not yet implemented) to list images with digest, you could format into some compose-with-digests override file