Remove image via storage if a buildah container is associated

[TomSweeneyRedHat]

Signed-off-by: TomSweeneyRedHat tsweeney@redhat.com

When a removal of an image returns ErrImageUsedByContainer, rather than raising an error immediately we get the image from the containers/storage and see if we can remove containers from there for that image (generally those containers are put into play by Buildah) and then try again to remove the image from Podman.

[mheon]

We already have a storage.Store in libpod, don't need this

[mheon]

We have the image already, can't we pass this in?

[mheon]

We don't need this logic, the standard logic in our image library for removing images should work fine

[mheon]

I think we really just need RunningContainers and RemoveContainers here. We can run RunningContainers unconditionally before we try and remove the image but after we remove Podman containers. If it returns that containers are present and --force is present, we use the RemoveContainers code to remove all non-Podman containers associated with the image. If it returns that containers are present and force is not set, we warn that non-Podman containers are using the image, and you should use --force if you want it gone. Then we continue with our removal logic. How does this sound?

[baude]

I agree with the proposed approach though part of me would prefer it be an import of buildah code ... nevertheless, I think that approach is spot on.

[TomSweeneyRedHat]

@baude @mheon thanks for the looksee and suggestions. I'll fine tune.

[TomSweeneyRedHat]

I was waffling about keeping these following three functions in here or moving them into libpod/runtime_img.go

[mheon]

I'd go ahead and move them. I am trying to keep the store entirely inside libpod, so directly opening a store and deleting outside of libpod is really undesirable. If we can make these part of runtime.RemoveImage, instead of the code here calling it, I think that'd be fine, and we wouldn't have to leak the store outside of libpod.

[mheon]

I don't think we need this. We can just get storageContainers for the image and return an error if containers exist or remove them if --force is set. We don't need to do it in an error handling block, that makes things a lot harder to follow.

[TomSweeneyRedHat]

I'm not sure exactly what you're suggesting here. After line 129 are you saying I should just try getting the storage containers and then error if the image has containers and no force, other wise remove? When we get to this point we've already tried removing the image and that failed due to it being a storage image and a container was associated. I might be able to move the storage image handling that I've below into image.Remove() if that would be preferable. I'll play with that and hit me up on IRC in the morn if I'm off base.

[mheon]

Sorry, should have been more clear - I mean before 129, we can do the check if the container is mounted before the actual remove happens, thus removing the need to check errors.Cause() and perform complicated handling. This might make our fastpath a bit slower (we do a check unconditionally instead of conditionally), but will improve code flow and readability. We can always go back and make things faster later if need be.

[TomSweeneyRedHat]

This chunk has been reworked and greatly reduced. I still have the error check, but I think it makes more sense now. Cand/will adjust after the next review if you think appropriate.

[mheon]

We should not need this. I really do not want to return a Store anywhere the user can get one.

[TomSweeneyRedHat]

If you or @baude have a suggestion around it, I'm happy to do it. I tried using image.imageruntime.store in the call in runtime_img.go below but got:

 github.com/projectatomic/libpod/libpod
_output/src/github.com/projectatomic/libpod/libpod/runtime_img.go:135:65: image.imageruntime undefined (cannot refer to unexported field or method imageruntime)

Thought exposing the function would be better. However if I move that code to handle the storage containers into image.go as talked about below, that might solve that problem.

[mheon]

The image runtime's store is guaranteed to be the same as the normal runtime's store - you should just be able to runtime.store instead

[baude]

Agreed, i went to great pains to avoid this.

[TomSweeneyRedHat]

ack, I was over complicating it, I can just do r.store in runtime_img.go and it gets me what I need. Thought I'd to pull it from each image and that wasn't resolving.

[mheon]

No printing in libpod - return this as an error

[TomSweeneyRedHat]

will do....

[mheon]

Why is this necessary? Can we not find the image by its ID?

[TomSweeneyRedHat]

I did this for the case when a image was tagged. If I do:

podman pull alpine
podman tag alpine tg
podman images
REPOSITORY                 TAG      IMAGE ID       CREATED        SIZE
tg                         latest   3fd9065eaf02   2 months ago   4.41MB
docker.io/library/alpine   latest   3fd9065eaf02   2 months ago   4.41MB

Both "images" had the same ID, the only way I could differentiate them was to go by their repo.

[baude]

@TomSweeneyRedHat im confused by this. I'll catch you on IRC for follow-up

[TomSweeneyRedHat]

@baude and I worked through this before scrum. The issue I was running into was deleting container from an image created by Buildah when the image had a tag added to it. The code as I had it here worked around that, however @baude pointed to a tweak of a if statement down lower that let me remove this code and still get the containers removed. This has all been removed.

[baude]

I would prefer to see this and subsequent functions take a *image.Image ... then you have the store and storage.Image already. I say that assuming you at one point already had an *image.Image

[TomSweeneyRedHat]

reworking. I've passed image.Image to the rmStorageContainers and just the id to one other function rather than the whole image.

[baude]

Ill hit you up on irc for clarification on this func as well.

[TomSweeneyRedHat]

We only talked briefly about this, but I've removed this as you indicated elsewhere I can get the info here from the runtime (r).

[TomSweeneyRedHat]

New Patch up. I want to test a bit more and just spotted a couple added blank lines. Will test and clean. If you want to review now, great, if not I'll be getting another patch up later today or tomorrow morn.

[mheon]

Shouldn't just call out buildah here - could also be CRI-O.

[mheon]

Ideally, should mention containers/storage specifically, could be a program using c/storage we didn't write

[baude]

Couple of things here. First, if the err is no ErrImageUserByContainer, isn't the error lost? And second, should your error message also contain the contents of err?

[TomSweeneyRedHat]

I've changed the error message, bumped it a bit from what @mheon suggested. I don't think the error is lost here, we save it as we do currently in lastError. This only prints out extra verbiage when we have a container tied to the image. The error that prints I didn't think added a lot here, and the error message is currently pretty long so I didn't include it. If you've a strong opinion on adding it I can.

[mheon]

Are we retrying on the assumption that the containers using the image were removed? If so, can we get a comment to that effect?

[mheon]

Also, instead of setting error, it's probably better to just return here and below in the else

[baude]

is there any chance that err might not be ErrImageUsedByContainer ?

[TomSweeneyRedHat]

I've added a comment.

I think we want to capture the err from this second remove and return it if there's an error. But if you really think it's better, I can just let the original err be returned. As far as returning the errStorage error I was on the fence about returning that or not, but thought it would give a better clue if there was an error. I'll keep them both for now, holler in he morn if you'd like me to remove them.

I think there's a very small chance that the err would be something other then ErrImageUsedByContainer. But if it is, we'll just get the same error from the second image remove and will continue on down the error path. But for the vast majority, it should be the image in use error.

[baude]

&& force?

[TomSweeneyRedHat]

good call, done.

[baude]

if err := remove.... ; err != nil

[TomSweeneyRedHat]

yep, found a second one too, thx.

[mheon]

@TomSweeneyRedHat can you rebase on latest master? The test failures should be fixed

[TomSweeneyRedHat]

#564 should hopefully fix up the test errors here.

[rhatdan]

@TomSweeneyRedHat Rebase and try.

[rhatdan]

nit: Not crazy about mentioning other tools here since we would love to see other tools start using containers/storage and then this message can become dated.

[TomSweeneyRedHat]

I hear you, but my main concern that if a customer got an error that there's a "container associated with containers/storage" would they know enough to check Buildah/CRI-O? I've tried to open it up a bit by adding etc.

[rhatdan]

Remove random whitespace

[TomSweeneyRedHat]

Done, don't know how I managed that one.

[rhatdan]

A couple of nits, but LGTM

[TomSweeneyRedHat]

New patch pushed.

[TomSweeneyRedHat]

I hear you, but my main concern that if a customer got an error that there's a "container associated with containers/storage" would they know enough to check Buildah/CRI-O? I've tried to open it up a bit by adding etc.

[TomSweeneyRedHat]

Done, don't know how I managed that one.

[rhatdan]

@mheon @baude @umohnani8 PTAL
LGTM

[mheon]

Shouldn't we throw ErrImageUsedByContainer here if len(ctrIDs) > 0 && !force?

[TomSweeneyRedHat]

I was relying on the second image.Remove(force) to provide that error at line 132. However it probably does make more sense to throw the error here and not invoke that image.Remove() again as we know it will fail in this instance. Good thought.

[mheon]

Extra whitespace

[TomSweeneyRedHat]

Fixed, found another rogue one and zapped that too.

[umohnani8]

LGTM

[mheon]

Changes LGTM
@rh-atomic-bot r+

[rh-atomic-bot]

📌 Commit 21b7c40 has been approved by mheon

[rh-atomic-bot]

⌛ Testing commit 21b7c40 with merge 54bd0ae...

[TomSweeneyRedHat]

@baude @rhatdan @mheon I've just posted a new patch. I fixed up @mheon's comments and while testing noted an error message in rmi.go that would be better served with the image.ID() being printed.

[TomSweeneyRedHat]

Quick test output:

# buildah from alpine
Getting image source signatures
Copying blob sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e28
 1.97 MiB / 1.97 MiB [=====================================================] 21s
Copying config sha256:3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353
 1.48 KiB / 1.48 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
alpine-working-container

# podman pull busybox
Trying to pull docker.io/busybox:latest...Getting image source signatures
Copying blob sha256:f70adabe43c0cccffbae8785406d490e26855b8748fc982d14bc2b20c778b929
 706.22 KB / 706.22 KB [====================================================] 0s
Copying config sha256:8ac48589692a53a9b8c2d1ceaa6b402665aa7fe667ba51ccc03002300856d8c7
 1.46 KB / 1.46 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
8ac48589692a53a9b8c2d1ceaa6b402665aa7fe667ba51ccc03002300856d8c7

# podman tag alpine tg

# podman ps -a

# podman images
REPOSITORY                  TAG      IMAGE ID       CREATED        SIZE
tg                          latest   3fd9065eaf02   2 months ago   4.41MB
docker.io/library/alpine    latest   3fd9065eaf02   2 months ago   4.41MB
docker.io/library/busybox   latest   8ac48589692a   5 hours ago    1.36MB

# podman rmi -a
8ac48589692a53a9b8c2d1ceaa6b402665aa7fe667ba51ccc03002300856d8c7
unable to delete 3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353 (must force) - image is referred to in multiple tags

# podman images
REPOSITORY                 TAG      IMAGE ID       CREATED        SIZE
docker.io/library/alpine   latest   3fd9065eaf02   2 months ago   4.41MB
tg                         latest   3fd9065eaf02   2 months ago   4.41MB

# podman rmi tg
Untagged: tg:latest

# podman rmi -a
A container associated with containers/storage, i.e. via Buildah, CRI-O, etc., may be associated with this image: 3fd9065eaf02
image is in use by a container

# podman rmi -a -f
3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353

[rh-atomic-bot]

☀️ Test successful - status-papr
Approved by: mheon
Pushing 54bd0ae to master...

[TomSweeneyRedHat]

Addresses #174