This came up in a chat.
We use the OCI annotation keys org.opencontainers.image.created and org.opencontainers.image.version, however at a glance it looks like we're inconsistent on whether we use those keys when looking at actual annotations, or rather looking at the labels on the container. Those are not the same thing. Quick AI-assisted dump of some places this comes up:
Instances of annotation constants used to query labels
| File |
Line |
Constant |
Queried from |
crates/lib/src/status.rs |
205 |
ANNOTATION_CREATED |
config labels |
crates/lib/src/install/aleph.rs |
55 |
ANNOTATION_CREATED |
config labels |
crates/ostree-ext/src/container/mod.rs |
490 |
ANNOTATION_VERSION |
config labels |
Correct usages (for comparison)
| File |
Line |
Constant |
Queried from |
crates/ostree-ext/src/container/store.rs |
597 |
ANNOTATION_CREATED |
manifest annotations |
crates/lib/src/bootc_composefs/status.rs |
514 |
ANNOTATION_VERSION |
manifest annotations |
Additional observations
-
ANNOTATION_VERSION is less problematic in practice because the write-side in crates/ostree-ext/src/container/encapsulate.rs:265-318 intentionally writes the version to both config labels and manifest annotations. And for non-ostree-ext-built images, Dockerfiles typically use LABEL org.opencontainers.image.version=..., so it ends up in labels anyway.
-
ANNOTATION_CREATED is the more problematic one. The encapsulate code does not write it into labels — it only sets config.set_created(). So the label lookup at status.rs:205 and aleph.rs:55 will almost never match; they're saved by the fallback to config.created().
-
There's an inconsistency between the ostree and composefs code paths. The composefs status code (bootc_composefs/status.rs:514) correctly reads ANNOTATION_VERSION from manifest annotations, while the ostree status code (status.rs:211 via version_for_config) reads it from config labels. These could diverge for images where the value is only in one location.
This came up in a chat.
We use the OCI annotation keys
org.opencontainers.image.createdandorg.opencontainers.image.version, however at a glance it looks like we're inconsistent on whether we use those keys when looking at actual annotations, or rather looking at the labels on the container. Those are not the same thing. Quick AI-assisted dump of some places this comes up:Instances of annotation constants used to query labels
crates/lib/src/status.rsANNOTATION_CREATEDcrates/lib/src/install/aleph.rsANNOTATION_CREATEDcrates/ostree-ext/src/container/mod.rsANNOTATION_VERSIONCorrect usages (for comparison)
crates/ostree-ext/src/container/store.rsANNOTATION_CREATEDcrates/lib/src/bootc_composefs/status.rsANNOTATION_VERSIONAdditional observations
ANNOTATION_VERSIONis less problematic in practice because the write-side incrates/ostree-ext/src/container/encapsulate.rs:265-318intentionally writes the version to both config labels and manifest annotations. And for non-ostree-ext-built images, Dockerfiles typically useLABEL org.opencontainers.image.version=..., so it ends up in labels anyway.ANNOTATION_CREATEDis the more problematic one. The encapsulate code does not write it into labels — it only setsconfig.set_created(). So the label lookup atstatus.rs:205andaleph.rs:55will almost never match; they're saved by the fallback toconfig.created().There's an inconsistency between the ostree and composefs code paths. The composefs status code (
bootc_composefs/status.rs:514) correctly readsANNOTATION_VERSIONfrom manifest annotations, while the ostree status code (status.rs:211viaversion_for_config) reads it from config labels. These could diverge for images where the value is only in one location.