-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Image in SpinApp CR is being incorrectly cached #40
Comments
Ran into this today in testing again. This should probably be high in priority, though signs currently point to upstream culprit(s) (eg runwasi). Some potential leads/related issues (mentioning because the app pod being stuck in 'Terminating' is reliably seen when encountering caching behavior): |
Put it as a must have in the Initial Release project. CC @macolso |
Filled spinkube/containerd-shim-spin#22 because this is a shim issue rather than an operator one. |
same here, building with
deploying with new image tag, checking
shows that latest / desired image is referenced; but logging indicates that changes are not active |
I was also able to reproduce this behavior using latest bits. IMO the key to reproduce the issue is the following
New instances spawned will response with whatever defined in |
my 2 cents here: There may be two different issues in the play here:
@endocrimes, what do you think about the second point above? thanks |
|
I was looking more into caching issue, and it seems like it is not due to What I did noticed is that, the image in DeploymentSpec and PodSpec is referring to the new image, but in the I verified it was a new pod. e.g. I am still trying to understand why that might be happening. |
This commit ensures that applications pushed to OCI have unique image config fields for unique Spin application content and metadata by adding a label in the OCI image config to the content digest (SHA256) of the Spin locked application file. This is to address the issue of the Containerd Spin shim serving outdated content, because all images of Spin apps on a node would have the same image ID (the content digest of the OCI config object, which was identical for all Spin apps). ref spinkube/spin-operator#40 Signed-off-by: Radu Matei <radu@fermyon.com> Co-authored-by: Rajat Jindal <rajatjindal83@gmail.com> Co-authored-by: Danielle Lancashire <dani@builds.terrible.systems> Co-authored-by: Michelle Dhanani <michelle@fermyon.com>
We have managed to reproduce this setup consistently — once fetched by containerd, all Spin applications would have the same image ID, even if the SHA256 of the image was different (and the applications had different content):
@rajatjindal tracked down this behavior in containerd, specifically where containerd resolves the local image based on the image ID — https://github.com/containerd/containerd/blob/7c3aca7a610df76212171d200ca3811ff6096eb8/pkg/cri/server/helpers.go#L163-L191, which would always return all Spin applications present on the node (since they all had the same image ID) — and the first of those would get picked up (https://github.com/containerd/containerd/blob/7c3aca7a610df76212171d200ca3811ff6096eb8/pkg/cri/server/helpers.go#L199), which resulted in the behavior we are seeing here — with pods with a mismatch between the container pod spec and the actual image reported in the status field (and run by containerd). The issue boils down to how Every Spin application ever pushed would generate the same OCI image config, because Spin would only set the OS and architecture — which resulted in all Spin applications having the same image ID reported by containerd — This was never an issue when running The fix requires us to ensure the uniqueness of the OCI image config object for unique content, by adding a reference to the digest of the locked application file in the OCI config object — fermyon/spin#2322. With this fix in place, new Spin applications have different image IDs reported by containerd:
The full fix requires a patch release of Spin (based on the Spin PR linked above), and no changes in the operator or the shim. Huge thanks to @rajatjindal, @michelleN, @endocrimes, and @jpflueger for helping track this down. |
Closing this because it's fixed in fermyon/spin#2322 and has landed on Spin main. |
This commit ensures that applications pushed to OCI have unique image config fields for unique Spin application content and metadata by adding a label in the OCI image config to the content digest (SHA256) of the Spin locked application file. This is to address the issue of the Containerd Spin shim serving outdated content, because all images of Spin apps on a node would have the same image ID (the content digest of the OCI config object, which was identical for all Spin apps). ref spinkube/spin-operator#40 Signed-off-by: Radu Matei <radu@fermyon.com> Co-authored-by: Rajat Jindal <rajatjindal83@gmail.com> Co-authored-by: Danielle Lancashire <dani@builds.terrible.systems> Co-authored-by: Michelle Dhanani <michelle@fermyon.com> (cherry picked from commit 14cdc42)
Changing the image of a SpinApp CR is not always working. For an unknown reason sometimes when you change the image it does not update. Even if you delete and re-apply the SpinApp it still does not use the new image.
@vdice and @ThorstenHans have observed this issue. I'll leave it to them to share more details in a comment below. My understanding is that @ThorstenHans has a reproduction of this issue. Also please feel free to edit this issue to be more accurate.
The text was updated successfully, but these errors were encountered: