[RFE] How to pin against a specific version of Flatcar on GCE?

[gerald-blackford]

Current situation

I have a project where we deploy VMs with flatcar-stable on a GCE environment. With the recent stable release 3602.2.0 on 5th October, I have encountered the same issue as #1203, where docker is not working due to permission issues.

I would like to roll back my version of the flatcar-stable to a fixed version instead of the current flatcar-stable HEAD. I have a Source Image that points to: projects/kinvolk-public/global/images/family/flatcar-stable. However, I am not sure how to pin against a specific version or what the image is called. I thought I could use the gcloud CLI to show the list of flatcar images, but I got a permission error.

user> gcloud compute images list --project kinvolk-public
WARNING: Some requests did not succeed.
 - Required 'compute.images.list' permission for 'projects/kinvolk-public'

Is there a way to show programmatically the list of flatcar images and versions? I may have skipped some background reading but I couldn't find an obvious solution to say, pin against 3510.2.8 instead of the HEAD. By showing the list of flatcar images and versions, I can figure out what the SourceImage argument should be to pin against a version. I'm not sure what the magical incantation should be.

Impact

Given issue #1203, I need to figure out how to pin against a specific version of flatcar that is not the latest. Fortunately, there is a workaround, which is using projects/kinvolk-public/global/images/family/flatcar-lts. This fortunately works... but it would be preferable to have control over which specific version I am using.

Ideal future situation

There is a page with clear instructions that specify how to pin against a specific version of Flatcar on GCE.

Additional information

I am relatively new to the Flatcar world, so if this goes against what is considered best practices, please let me know. It seemed intuitive to me that there is a release page, but it seems like the intent is to only select the 4 channels (stable, beta, alpha and lts) for the flatcar image, but maybe I missed something.

[jepio]

I'm really unfamiliar with GCP and we need to look into why gcloud compute images list --project=kinvolk-public doesn't work.

But the way to pin an image is to use this image specifier: projects/kinvolk-public/global/images/flatcar-stable-3510-2-8. Let me know if that works.

[gerald-blackford]

Thanks for the clarification! Is there a page that lists all the images in the kinvolk-public space that I can pin against?

[jepio]

@sayanchowdhury / @tormath1 do you know of a way for a user to enumerate versions available on a GCP image? We might need to relax permissions. And could one of you expand the GCP docs to cover image pinning?

[tormath1]

@jepio I checked, it seems that the permission is already enabled - that's why you can, for example, do the following:

gcloud compute images describe-from-family flatcar-stable --project kinvolk-public

because the compute.images.getFromFamily permission is enabled, on the side of the compute.images.list.

Reading the documentation¹, I see this big warning:

Caution: Publicly shared images do not appear in the images list for users. Users must know the image name explicitly. Users cannot rely on getting the information by making an images.list request.

I'm wondering why it works with other like debian-cloud - maybe because they are "officially" supported: https://cloud.google.com/compute/docs/images/os-details ? Which brings back to this issue: #895

Footnotes

1. https://cloud.google.com/compute/docs/images/managing-access-custom-images#share-images-publicly ↩