Add --pull option to build command

[sondavidb]

Fixes #3073

docker build initially had a --pull command that forced remote image lookup when building an image. This has been changed when docker switched to buildkit to be default behavior, with an option to not check for updates if the image is already cached.

Forcing nerdctl build to use local images may be desirable for a few edge cases, so I've implemented a solution via a --pull flag in nerdctl build that can be set to false to enable this behavior, and true to always pull from remote. Without it, it will use the buildkit default.

There's a caveat here, which is that buildkit must be set up to use the same namespace as the locally cached image, which the user must set up in their buildkit config file.

Tested in a similar workflow as the integration test:

1. Have a Dockerfile with just FROM ubuntu:latest
2. Pull an older image tag (for me, I chose ubuntu:18.04) into your buildkit namespace (default should be buildkit)
3. Tag it to latest version
4. nerdctl build --pull false .
5. Check image sha in output, it should be the same as the one locally cached
6. nerdctl build --pull true .
7. Check image sha in output, it should be a different one and should match the same as latest tag.

[sondavidb]

Does buildkit output to stderr? Integration tests were failing with AssertOutContains and passed with AssertErrContains, but it seems strange that buildkit is outputting to stdout instead of stderr. Makes me worried that I did something wrong.

[Zheaoli]

FYI docker/buildx#802

[AkihiroSuda]

Any reason to use this very old version of Ubuntu?

[sondavidb]

Just for testing purposes. The idea is to pull an old version of ubuntu, tag it as latest, and see if --pull=false uses local image while --pull=true uses the remote image (latest vesion).

As we aren't actually running this built image, this doesn't pose any security risk should any vulnerabilities be found.

[ktock]

Can we just use the mirror registry, with updating the tag with another image before checking --pull behaviror?

[sondavidb]

Makes sense, I switched to using much slimmer images as well so this test will now run a little bit faster

[sondavidb]

Last force-push revamped the integration test, so it should work properly. IMO it's a little bit ugly, since we're using os.Exec() to write directly to the config, but it's the only way I could think of approaching this, as buildctl doesn't support anything similar to a --config or a way to force the containerd worker instead of the OCI worker.

[ktock]

See comments

[ktock]

Can we make it a bool flag and just check if it's set when parsing?

[sondavidb]

Is this possible? From my understanding, the bool flag can only be true or false, and if none are provided then it will just set a default value.

Once parsed from a string, though, I can store it into a *bool instead of a string.

[ktock]

Have you tried Changed? https://pkg.go.dev/github.com/spf13/pflag#FlagSet.Changed

[sondavidb]

This is perfect, thanks. Just pushed a new set of changes.

[ktock]

Can we just use the mirror registry, with updating the tag with another image before checking --pull behaviror?

[ktock]

Can we just make it *bool if we only take true/false/default ?

[sondavidb]

Had to move the test to builder_linux_test.go to make use of testutil. It probably makes more logical sense there, anyway, since the directory modified with the test is linux-specific.

[ktock]

Default value should be false.

[ktock]

Can you add a test case for the default behaviour? (i.e. not specifying --pull)

[sondavidb]

Done

[ktock]

Thanks