container_push: add skip_unchanged_digest attribute #1744
Conversation
sluongng
requested review from
DaveGay,
eytankidron and
smukherj1
as code owners
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sluongng The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I did split this PR into 3 separate commits for easier review. This closes #1741 |
|
/assign @smukherj1 |
|
@alexeagle it would be nice to get this reviewed / merge 🙏 |
|
Maybe splitting the commits into separate PRs will make it easier / safer to merge? |
@pcj hey, regarding documentation improvement, do you have any recommendation? I look back at the change and see that:
Reviewing https://github.com/bazelbuild/rules_docker/search?q=push-all there is not a lot of other references that needed to be updated. 🤔 Am I missing a generated markdown somewhere? |
sluongng
force-pushed
the
sluongngoc/push-all-check-digest
branch
from
8df4a3e
to
e4b13e9
Compare
|
I just force pushed the PR to update according to feedback from Slack. Changes from last round:
The diff is now expected to be small without noise. |
sluongng
force-pushed
the
sluongngoc/push-all-check-digest
branch
from
e4b13e9
to
88901ee
Compare
|
@alexeagle ping |
sluongng
force-pushed
the
sluongngoc/push-all-check-digest
branch
from
88901ee
to
9aeae73
Compare
sluongng
force-pushed
the
sluongngoc/push-all-check-digest
branch
from
9aeae73
to
ec2b3ee
Compare
|
Rebase to origin/master + changed my email so that CLA passed |
Add feature parity with container/push rule. With such change, user can choose to push all containers in a bundle without having to care whether a container was recently rebuilt or not. The check will run against destination container registry to see whether the digest has already existed prior to pushing. If disgest already exists, image will not be pushed.
sluongng
force-pushed
the
sluongngoc/push-all-check-digest
branch
from
ec2b3ee
to
2059100
Compare
|
Switched from using |
|
I think there's still a sharp edge here - if you use stamping, then the image will be different on every build regardless of code changes. So we might want to document it a bit more - but since I just changed the stamping logic to require explicit opt-in (either via stamp = always or |
The great thing about OCI format and container registry is that even with stamping, hopefully only the final image of the layer / the json manifest file / the final image tag in the sh_binary push script is affected content wise. In such cases, one should still be comfortable pushing all with minimal storage impacts onto the container registry. Obviously keeping container images healthy by having re-useable layers will take some effort and not trivial, but it should be do-able if you set it up correctly. |
pcj
changed the title
|
Hi @sluongng, approving this. I think the |
Bring push-all on par with container_push in term of feature parity.
Generally
--skip-unchanged-digestis a very useful flag to have. One can simply setup a release pipeline upon successful CI to just dobazel run <push-all-target>to push all container images (wrapped in a container bundle) at once.By checking against upstream registry whether an existing digest already existed, we will only push images which were updated as the result of recent changes introduced to the repo.
The alternative solution is to calculate the SCM diff (git-diff) of the repo to deduce which bazel target were affected, query for container_push targets and
bazel runeach target 1-by-1, which is complicated to setup (especially when handling deleted code).This PR added the ability to verify unchanged digest to bundle push (contrib/push-all) rule for convenience.
Without this, the ability to skip unchanged digest is exclusive to container_push and one would need something like https://github.com/atlassian/bazel-tools/tree/master/multirun to achieve the equivalent.
Caveats: when push-all with a container bundle that has duplicated images and push-all is set to run in parallel, the final result might be random. Use sequential push option if you think this is an issue.
Closes #1741