BZ 1446644 Adding more detail on image streams

[mburke5678]

https://bugzilla.redhat.com/show_bug.cgi?id=1446644

[mburke5678]

@sferich888
I have worked in some of the information in the FAQ and pulled the latest admonition from the K base article.
What other sources can you suggest?
I can't find anything on "strict" and "loose" dependency management styles; not sure what to look for.
Any advice would be appreciated.

[bparees]

@bmcelvee this looks similar to the item i suggested to you.

[bparees]

I think we should start this with a glossary of terms that explains:

• docker repository (docker.io/openshift/jenkins-2-centos7)

• docker repository tag (docker.io/openshift/jenkins-2-centos7:latest)

• docker image sha (docker.io/openshift/jenkins-2-centos7@sha256:ab312bda324)

• imagestream

• imagestream tag

• imagestream image

[bparees]

this sentence seems redundant, all it says is "an imagestream contains the information that is specified in the imagestream"

I think it would be more useful to combine this w/ the next sentence and say "An imagestream does not contain actual image data, it is simply a mapping between tags and the actual images. It can contain additional metadata that describes the tags provided by the imagestream."

[bparees]

that field can only take on a repository value, it can't be an imagestream. i'm not really sure what purpose status.dockerImageRepository even serves, since each status.tag indicates where the tag comes from. @soltysh ?

[soltysh]

It's again connected with already depreacated .spec.dockerImageRepository, but you're right this is just repo, you can pull image from. Usually cluster internal link, but recently with addition of public pull spec (openshift/origin#15853) this can give you pullable docker image (from outside the cluster)

[bparees]

"the sha identifier that this imagestream tag currently references and which will be used by resources that reference this imagestream tag"

[bparees]

the imagestream tag.

[bparees]

this needs to elaborate on what it means to "push an image without properly tagging it" (and how/why that is problem since just above we claimed the imagestream insulates you from this)

[bparees]

this a convention. our "latest" imagestreamtags specifically, are reference tags which follow another imagestreamtag and could be updated in the future to change what they follow (much like a symlink. our latest tag is a symlink to v2.4, in the future we might change it to be a symlink to v2.5).

However users can create their own imagestreamtags named anything they want. And those imagestreamtags might or might not be reference-style tags.

In short, we need a deep discussion of reference-style tags, and this isn't the place to talk about the behavior of our specific imagestreams that happen to define latest in this way.

[bparees]

Also in general throughout this document it's critical to be extremely clear as to whether you are talking about a "docker image tag" or a "imagestream tag" because they are two different things with different implications.

[bparees]

s/this//

[bparees]

"monitoring that particular Image Stream Tag"

[bparees]

Image Stream Tag

[soltysh]

Unless you, either:

1. have scheduled import set
2. manually re-import the image.

I think it's worth mentioning that.

[soltysh]

Image Stream

[soltysh]

Image Stream Tag

[soltysh]

Image Stream Image

[soltysh]

An object that allows you to retrieve a particular docker image from a particular image stream.

[soltysh]

An object that comprises any number of Image Stream Tags. IS per se does not have any docker images, only pointers to them.

[soltysh]

It's again connected with already depreacated .spec.dockerImageRepository, but you're right this is just repo, you can pull image from. Usually cluster internal link, but recently with addition of public pull spec (openshift/origin#15853) this can give you pullable docker image (from outside the cluster)

[soltysh]

image stream - two words.

[soltysh]

mapping between tags and actual images

[soltysh]

image stream

[soltysh]

Like I've mentioned elsewhere, we deprecated .spec.dockerImageRepository, @bparees did you deprecate the .status.dockerImageRepository along with the other?
Currently it should provide with a pull spec, usually cluster internal, unless there's a public url for the registry configured.

[bparees]

no, I didn't deprecate .status.dockerImageRepository but i'm glad you suggested it too because i proposed it to @smarterclayton and he explained to me all the reasons we can never do that (that it presents the target for pushes to the imagestream, ie the internal registry service ip)

[mburke5678]

@bparees @soltysh What does the user set for .status.dockerImageRepository?

[bparees]

the user doesn't set it, it gets set by the system. it will point to the internal registry service ip.

[soltysh]

@bparees hmmm... I'm not sure if that is still true with our current abilities where each tag can point to a totally different backing repo. In which case we still should read that information per tag, imho. It's worth a second thought, I guess.

[bparees]

@soltysh yes I raised similar questions to @smarterclayton but the answer I got is that status.DockerImageRepository is the location where users can push to in the internal registry. I guess they already know where to push to if they want to update the external image (on dockerhub for example) but if they want to push to the imagestream directly to create new tags, status.DockerImageRepository is the registry host they'd push to to accomplish that.

I'm glad I'm not the only one confused by this, though :)

[soltysh]

Triggering and scheduling should not be mixed in this way. The above sentence suggests you can specify a point in time when an image will be re-imported, but that's not true. Scheduled import is about having the image stream tag checked every X minutes (configured by cluster admin) and if the source image has changed that change will be picked up and reflected in image stream. That in turn can trigger Build and/or Deployment flow.

[bparees]

+1

import - refresh what this imagestreamtag points to
trigger - do something when an imagestreamtag changes

import can lead to a trigger, but so can other things. and import might not cause a trigger if nothing cares about that particular imagestreamtag.

[soltysh]

fine-grained access control

[soltysh]

<image stream name>@<image name> - maybe write image name/id. Although we use the name for the image object, it's actually docker image id, and people might get confused seeing name here, and seeing something like sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d

[soltysh]

your build or deployment (via replication controller)

That RC is not important in this context.

[soltysh]

Another round of comments.

[soltysh]

--scheduled flag on a tag.

[soltysh]

or you can manually re-import an image

It has nothing to do with builds, here.

[soltysh]

image stream <- two words

[soltysh]

It's not a caveat of using image streams, but docker images in general. IS are only affected with this rule the same way everything else using latest tag.

[soltysh]

Acutally, IS bypass the problem of using latest by providing you a stable pointer, until the next import.

[bparees]

Yeah, this is another place where we really need a glossary to setup the concept of docker tags vs imagestream tags, because they have different characteristics that need to be understood.

(and imagestreamtags that "reference" another imagestreamtag are yet another level of complexity that needs to be explained, and that's where you get into the whole issue of "not using latest because latest could suddenly point to something new" (where it may or may not actually be called latest))

[mburke5678]

@soltysh FYI. The wording "caveat" came from here, which was added as an External Tracker in the original BZ:
https://access.redhat.com/solutions/3016781

[soltysh]

You can mark a tag for a periodical re-import (link to https://docs.openshift.org/latest/dev_guide/managing_images.html#importing-tag-and-image-metadata)

[soltysh]

and can trigger a Build and/or Deployment

[soltysh]

If it triggers is dependent on Build/Deployment configuration.

[bparees]

yeah again the concept of triggering builds/deployments should really be called out as its own section. It is only tangentially related to managing/maintaining/updating imagestreams+imagestreamtags.

[bparees]

@bmcelvee @sferich888 @mburke5678 if you guys are interested, i'd be happy to have a 15-30 minute BJ session w/ you guys to walk through docker images vs imagestreams vs imagestreamtags, reference tags, etc, if you think it would help you revise this doc.

I might want @soltysh to keep me honest though.

[mburke5678]

Added Working with Image Streams using the Practice section from the Image Stream FAQ docs.

Also, I created the Image Streams section as its own topic to see how folks thought that might work.

[soltysh]

I might want @soltysh to keep me honest though.

If you need me as well, just ping me :)

[soltysh]

More comments.

[soltysh]

_image stream_ <- I think you're missing closing underscore

[soltysh]

s/re-importing/re-import

[soltysh]

s/Docker image sha/Docker image id

SHA is a shorthand for secure hashing algorithm, but the name most frequently use is ID here.

[soltysh]

Import causes a trigger to fire only when there are deployments, builds or other resources listening for those.

[soltysh]

The the internal...

[soltysh]

This value (space) is set...

[soltysh]

@bparees I think we need a piece of doc about the generic trigger. Both @mfojtik and @tnozicka where asking me about it earlier today.

[soltysh]

Maybe link to master-config describing this?

[soltysh]

Missing closing underscore

[mburke5678]

Rewrote that paragraph

[soltysh]

Can this be marked as an advanced topic? Regular users don't need to bother with those implementation details.

[mburke5678]

Added a note below.
"Configuring image stream mappings is an advanced feature."
@soltysh
Do we want to define when a user would need to create an image stream mapping?

[soltysh]

Can we have this describe in only one document and all others will be only pointing to it? I'm confused now.

[mburke5678]

@soltysh Not sure what you are asking. Do we want to move the "working with" concepts into the introductory sections? For ex. this command would go into the "Image Stream Tag" section?

[mburke5678]

@soltysh Bump ^^

[mburke5678]

@zhouying7780 Please take a look at architecture/core_concepts/builds_and_image_streams.adoc. All suggested changes are in that file.
The architecture/core_concepts/mage_streams.adoc is an experiment.

[bparees]

the image stream isn't performing an action. deploymentconfigs+buildconfigs are choosing to watch the imagestream for changes and then take some action if it does change.

[zhouying7780]

Couldn't find the 'The SHA identifier that this image stream tag currently references' ?

[mburke5678]

@zhouying7780 Thank you. I fixed the call-out numbering. The SHA identifier is <4>:
image: sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5 <4>

[zhouying7780]

Should be "Image stream tag"

[mburke5678]

@soltysh @bparees Do you have time to take another look? I have made some changes since you last reviewed.

[bparees]

this whole file needs to be renamed, right?

[mburke5678]

@bparees Yeah, I think that the Image Stream section should be its own page. I will see what the others think. You have any thoughts?

[bparees]

yes they should be split out (also you seem to have updated the table of contents to imply there would only be an images page? but i guess you'll want to add a builds entry to the table of contents).

Maybe do that in a follow up PR though, so we can keep this one to getting the content right? There's been a lot of good discussion/review and i don't want to muddy the waters further.

[bparees]

presenta->present a

[bparees]

"An image stream and its associated tags provide an abstraction for referencing Docker images from within OpenShift."

[bparees]

"The image stream and its tags allow you to see what images are available and ensure that you are using the specific image you need even if the image in the repository changes."

[bparees]

Yoyu/you.

[bparees]

importing is not the trigger.

the trigger is "the value of the tag changed". importing can cause the value of the tag to change, but so can pushing a new image to the tag.

[bparees]

above comment still valid (importing is not a trigger, importing can cause the value of the tag to change, which is a trigger if it happens).

also s/Buildss/Builds/

[bparees]

i'm not sure what this means, hopefully @soltysh can clarify.

[bparees]

bump @soltysh

[bparees]

image stream change triggers

[bparees]

s/to/for/

[bparees]

since this glossary appears twice i'm not sure what i'm reviewing anymore. i'm stopping here.

[mburke5678]

@bparees Sorry. This comment must have gotten lost. I was thinking of breaking the Builds and Image Stream topic into two topics. This file is a test and I have not updated it for some time.

[bparees]

can you create a PR where I can actually see the proposed changes, then? this is really frustrating to try to review in its current state.

[mburke5678]

@bparees All proposed changes are in architecture/core_concepts/builds_and_image_streams.adoc. I removed the extraneous document.

[bparees]

this seems out of place since the example imagestream is two paragraphs down.

[bparees]

s/use/uses/

[bparees]

s/registry/repository/

And should add another entry for "docker registry": a content server that can store and service images from docker repositories. example being registry.access.redhat.com

[bparees]

Docker image: A specific set of content that can be run as a container. Usually associated with a particular tag within a docker repository.

[bparees]

Replace with: "A collection of related docker images and tags identifying them"

[bparees]

s/external//

[bparees]

allows you to retrieve metadata about an image from a particular image stream.

[bparees]

The latest image stream tag does not point to the latest image in the Docker repository.

The latest image stream tag does not, in this case, point to the latest image in the Docker repository.

[bparees]

It is important to be aware that the latest image stream tag behaves differently than the Docker latest tag.

It is important to be aware that these latest image stream tags behaves differently than the Docker latest tag.

[bparees]

For example, if the latest image stream tag points to v3.2 of an image, when the 3.3 version is released, the latest tag is not automatically updated to v3.3, and remains at v3.2 until it is manually updated.

For example, if the latest image stream tag points to an image stream tag for v3.2 of an image, when the 3.3 version is released, the latest tag is not automatically updated to v3.3, and remains at v3.2 until it is manually updated to point to a v3.3 image stream tag.

[bparees]

bump @soltysh

[bparees]

and another tag (latest) pointing to a different tag in the same image stream.

and another tag (latest) pointing to the same image because it was created based on the first tag.

[mburke5678]

@bparees Do you have a sample build config and/or deployment config that points to an image stream? Might like to add a sample of how the build/deploy references the image stream.
The Build Inputs -> Image Source section has a buildconfig that uses source.images.from.kind:ImageStreamTag.
https://docs.openshift.com/container-platform/3.6/dev_guide/builds/build_inputs.html#image-source

[mburke5678]

@bparees Do you know if we cover this in the docs? Not sure what I am looking for in how to set image permissions.

[bparees]

probably not explicitly for imagestreams, they are controlled in the same way access is controlled to any resource: https://docs.openshift.org/latest/admin_guide/manage_authorization_policy.html

[mburke5678]

@bparees Is an image stream image simply an image that is referenced in an image stream?

[bparees]

an "imagestreamimage" is an api resource object which pulls together some metadata about a particular image sha.

and yes it mostly exists because there is an imagestream that contains a tag that is currently pointing to that particular image sha.

[mburke5678]

@bparees Is there a general workflow that we can include:

1. In Docker build an image with tag(s).
2. In OCP Create an image stream pointing to the tag.
3. Create a build config or deploy config that used that image stream as a source

[bparees]

@mburke5678 we already have examples of buildconfigs referencing imagestreamtags here:
https://docs.openshift.org/latest/dev_guide/builds/index.html#defining-a-buildconfig

and deploymentconfigs referencing ISTs here:
https://docs.openshift.org/latest/dev_guide/deployments/how_deployments_work.html#creating-a-deployment-configuration

[bparees]

@bparees Is there a general workflow that we can include:
In Docker build an image with tag(s).
In OCP Create an image stream pointing to the tag.
Create a build config or deploy config that used that image stream as a source

I really don't want to get sidetracked into this discussion. We are fixing the documentation of what imagestreams/tags are, not how to use them in a DC or a BC.

[bmcelvee]

The Builds and Deployment links are broken.

[bmcelvee]

s/deployment/Deployment (for consistency)

[bmcelvee]

Also for build/deployment

[bmcelvee]

s/docker/Docker

[bmcelvee]

s/such as a or build configuration or deployment/such as a Build configuration or Deployment...

[bmcelvee]

s/build/Build; s/deploy/Deploy

[bmcelvee]

Since this is the first reference to SHA in this doc, do you think it needs to be defined? If it's common knowledge, it could slide.

[bmcelvee]

The Creating a Deployment Configuration link is broken

[soltysh]

LGTM

[mburke5678]

Email exchange:
Michael Burke | 11:39 AM (21 hours ago)
The OCP 3.2 release notes mention oc tag --scheduled
"To set an image to be imported automatically, use the --scheduled flag with the oc tag command:"
https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html#ose-32-image-imports.

Maciej Szulik | 4:00 PM (17 hours ago)
In that case we're good :)

[mburke5678]

[rev_history]
|xref:../architecture/core_concepts/builds_and_image_streams.adoc#architecture-core-concepts-builds-and-image-streams[Builds and Image Streams]
|Added more information to the xref:../architecture/core_concepts/builds_and_image_streams.adoc#image-streams[Image Streams] section.
%

[vikram-redhat]

@mburke5678 - something is not right here. This ifdef doesn't have a closing endif. Also, this seems to cover almost all distros that we have. Does it, and the next ifdef, need to be here if it applies to origin, enterprise, dedicated and online?

[mburke5678]

@vikram-redhat That ifdef was in the file when I started on this issue. I thought the same thing; but, assumed that someone knew better than I. Same with the following one.
Looks like it was added here: Update for atomic registry use case

Thank you for adding the endif back.

[vikram-redhat]

@mburke5678 because this goes into the dedicated and online branches, it should have been conditionalized for enterprise and origin branches only. I have fixed it for dedicated and online.