-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pulumi thinks it needs to replace ECS service and task definition even though no changes #23
Comments
@kennyjwilli Do you have a repro for this? I'm not seeing this. Is this a multi-machine scenario?
|
Not sure what exactly you mean by multi-machine scenario. This specific ticket is about running |
Yup! That's just what i wanted to verify for certain. I'll wait to hear back from Luke about his thoughts on how we can be resilient to this. |
@CyrusNajmabadi I guess I would love to know first whether Docker builds on different machines necessarily imply different SHA hashes? I would have assumed "no", that identical build across machines -- provided the contents are identical -- would end up with identical hashes. If that's true, it could be that in this specific case, there's some machine-specific info making its way into the container image somehow. |
IIRC the situation is thus:
|
make sure that the timestamps on the files are identical in addition to the
content, since the FS inputs into the hash.
…On Mon, Oct 15, 2018 at 12:29 PM Joe Duffy ***@***.***> wrote:
@CyrusNajmabadi <https://github.com/CyrusNajmabadi> I guess I would love
to know first whether Docker builds on different machines necessarily imply
different SHA hashes? I would have assumed "no", that identical build
across machines -- provided the contents are identical -- would end up with
identical hashes.
If that's true, it could be that in this specific case, there's some
machine-specific info making its way into the container image somehow.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AH_5wvNLorF1gTfaSvg90nK0hpkQuCmDks5ulOIdgaJpZM4W9IsB>
.
|
Why would it differ per machine? If it's a timestamp, for example, than it's actually a different image... |
I don't think we know why it differs per machine. Timestamp seems likely, but at least I have not dug in. I do think from this information we can conclude that we have to use a different mechanism to identify whether a container is unique, especially since we are not aware of any published guarantees about what this SHA is generated from. |
I'd love to see what someone thought it would be produced from before assuming we can't depend on it. |
@kennyjwilli I wasn't able to actually repro this myself. I'm wondering if this is something particular to your stack. Would it be possible for you to share the docker-file+build-folder with me (and also the code you use to create the service)? I'd like to see if it's something in particular about that docker setup. Thanks! |
@kennyjwilli Also, what version of docker are you using on these boxes? Thanks! |
I've been able to repro this, and have traced it down to a docker design decision documented here: https://github.com/moby/moby/blob/master/image/spec/v1.md Specifically, when docker produces the images for layers, they embed a "created" timestamp in the metadata for that image. When producing the final image, the informatino about this is contained in 'json' files that are then eventually tarred up. That final tar is hashed, and will then be different for every different machine you run in. I'm looking around to see if there's any way to avoid this. Some way, perhaps to force a specific date for docker to use here. Absent that, this may just be how docker works, and it may be hte case that with/without pulumi you would just be experiencing this no matter what. |
Ok. I spelunked through the docker code, and i couldn't find any way to avoid this. Furthermore, i'm virtually certain that if you were doing this manually (i.e. without pulumi), you'd be running into this. Once thing you can do to try to help avoid this is to clear your docker cache on one of your machines, then export your docker image from one and import it on hte other. You can use If you end up doing this, i believe then that you'll have the right images on both machines that docker will reuse, without it then wanting to create new images that it will embed timestamps into. |
Closing out. Note: @kennyjwilli asked if there was any way for pulumi to pull down the built images that had been published. I believe that the 'cacheFrom' property here is intended to help wiht that: https://github.com/pulumi/pulumi-cloud/blob/d8315b6ff7de0e76ad8aa7c4195335493b199988/api/service.ts#L161 However, i'm personally unfamiliar with how it works. @pgavlin (who is on vacation right now) may be able to help guide you through using this. For now, do you want to try passing along 'true' to that value to see if it helps out? |
This doesn't seem like a satisfactory outcome. I can imagine this is going to be a common issue for anybody trying to do CD of Dockerized services with Pulumi. @CyrusNajmabadi @lukehoban @hausdorff Thoughts on what we can do here? |
From our last discussion on this, the path forward on several related issues like this was to do two things:
For (2), this could be accomplished either with a dynamic provider, or via moving this whole package over to be a true Pulumi Provider written in Go. Short of doing that, we could not think of any robust way to use Relying on So we have what we think is a path to addressing this class of issues. But it will be a pretty significant overhaul of this library. And the right thing if we go this direction is probably to move to a real provider - which would be a complete re-write. |
@joeduffy This appears to be an issue for anyone doing CD of dockerized services, regardless of if they're using pulumi or not. As luke mentions, we discussed an alternative approach here. But @hausdorff was tasked with taking htat on, as he has the most context on this space, and on doing a revamp to a dynamic provider based approach. I'm going to assign this over to him, unless there's already another bug tracking this work (@hausdorff , you mentioned you were going to create one to track the results of our convo?) |
This will require a more or less complete overhaul of this library per #23 (comment) - and we haven't started work on it - so it won't get done in M21. This remains a very high priority issue that we will need to find time to prioritize. |
@lukehoban I think an interesting benefit, if possible, of using an Archive for the Docker context would be to include files that are in different directories. For my use case I have a directory called
|
@CyrusNajmabadi Maybe in buildkit the new docker image builder, they will take a PR to put in reproducible timestamps (some discussion here moby/buildkit#1058) which might be a route to tackle spurious image builds, rather than going the archive route. |
In the new implementation of the Docker Image resource in v4, a new image is not built unless the provider detects a change in the build context. See our blog post for more info: https://www.pulumi.com/blog/build-images-50x-faster-docker-v4/ |
Every time I switch computers and run
pulumi update
, Pulumi thinks it needs to replace my ECS task definition and update the service even though nothing has changed. The only thing that is different in the containerDefinition is thesha256
forIMAGE_DIGEST
in theenvironment
list.From @lukehoban on Slack:
The text was updated successfully, but these errors were encountered: