ci: Prune only docker images built for current build

[nebril]

This PR should fix GKE builds failures happening on docker build stage (we are concurrently building and image and pruning images aggresively, this change makes the build clean up after itself).

[maintainer-s-little-helper]

Please set the appropriate release note label.

[nebril]

test-me-please

[coveralls]

Coverage decreased (-0.001%) to 44.601% when pulling 580c030 on pr/fix-docker-prune into 4e17dfe on master.

[errordeveloper]

Could this be set with docker build --label in stead?

[errordeveloper]

I think you what you are looking for is $(GIT_VERSION), it should be set already. And let's not invent a new name, just call it git_version or cilium_git_version.
I'd just use the whole string, i.e. --label "cilium_git_version=$(GIT_VERSION)", or otherwise --label "cilium_git_version=$(firstword $(GIT_VERSION))" if you prefer to use just the short commit hash.

[nebril]

We cannot use --label here, because it only labels the final image. We want to label intermediate images too so we know which ones to prune.

Good catch with firstword usage, I didn't know I can use it like that, will change.

[errordeveloper]

I see, seems suboptimal but acceptable :)

[errordeveloper]

cilium_git_version="$(cat GIT_VERSION)"
docker image prune -f --all --filter "label=cilium_git_version=${cilium_git_version%% *}"`

[nebril]

I couldn't get this to work locally in zsh and bash :/ , it seems like a magic bash variable expansion, but I am not sure how this works.

[errordeveloper]

Apologies for the typo, I fixed it now for the record, and thanks for accepting this suggestions :)

[errordeveloper]

Few nits that would make it simpler :)

[errordeveloper]

Why not change it to docker image prune --force --filter "until=-6h" , so we keep cleaning the dangling images (surely there will be some of those).

[nebril]

because this deletes intermediate docker images while other build is running and causes docker build to fail.

[errordeveloper]

Well, I was thinking that the 6h window should actually prevent that, or does it not work as intended? Maybe we could extend the window?

[nebril]

So my theory on what is happening here is that

• a build (A) downloads base images for intermediate images and carries on with the build
• 6 hours pass, other build (B) starts
• intermediate images are based on existing over 6h old images
• other build (C) runs "docker image prune" and deletes the base image causing build B to fail

docker apparently doesn't protect images used in multi-stage builds, so we need to work around that.

[errordeveloper]

Hm... but that's based on having ran this script --all, so it was actually deleting every single image that wasn't used by a container. I think if we remove --all, we would make different observations, however some of what you said would stand anyway.
Anyway, let's just go ahead with your change, and I'd rather spend time discussing how we can evolve some of this.

[aanm]

Nothing else from my side besides what Ilya point it out.

[nebril]

@errordeveloper please re-review

[nebril]

test-me-please

[qmonnet]

Ginkgo hit #11213

test-focus K8sFQDNTest Restart Cilium validate that FQDN is still working

[qmonnet]

Conflict in Makefile on $(CONTAINER_ENGINE_FULL) which has been replaced, can you please rebase?

[errordeveloper]

This looks like it will fix the underlying problem we are having at the moment, so LGMT =)

[nebril]

test-me-please

[nebril]

restart-ginkgo

[nebril]

test-with-kernel

[nebril]

This change only fixes things if other PRs rebase on top of it, so I am going to merge it with GKE build failing