Ensure that the container is running the patched image
There are three copies of the container image present in the Kubernetes environment during deployment or patching.
The first image copy is created on a local docker instance during image load operation. To check this copy, perform the following:
- Run:
$ docker load -i images/pdk8soptr-17.0.tar.gz
Sample output:
Loaded image: msdp-operator:17.0 - Taking the image name from step 1, run:
$ docker image ls | grep msdp-operator
Sample output:
msdp-operator 17.0 353d2bd50105 2 days ago 480 MB - Taking the value from step 2, run:
$ docker inspect 353d2bd50105 | jq .[].Id
"sha256:353d2bd50105cbc3c61540e10cf32a152432d5173bb6318b8e"
The second copy is created in Azure Container Registry (ACR). To check this copy, perform the following:
- Keep the image name and version same as original, run:
$ docker image tag msdp-operator:17.0 testregistry.azurecr.io/msdp-operator:17.0
- Run:
$ docker image ls | grep msdp-operator
Sample output:
msdp-operator 17.0 353d2bd50105 2 days ago 480 MB tregistry.azurecr.io/msdp-operator 17.0 353d2bd50105 2 days ago 480 MB
- To push the image to the registry, run:
$ docker push testregistry.azurecr.io/msdp-operator
The push refers to a repository [testregistry.azurecr.io/msdp-operator]
0a504041c925: Layer already exists
17.0: digest: sha256:d294f260813599562eb5ace9e0acd91d61b7dbc53c3 size: 2622
- To verify local image digest after the push operation, run:
$ docker inspect 353d2bd50105 | jq .[].RepoDigests
Sample output:
[ "testregistry.azurecr.io/msdp-operator@sha256: d294f260813599562eb5ace9e0acd91d61b7dbc53c3" ]
- To verify image presence in the registry, run:
$ az acr repository list --name testregistry
Sample output:
[ "msdp-operator", ]
- To verify image digest in registry, run:
$ az acr repository show -n testregistry --image msdp-operator:17.0
Sample output:
{ "changeableAttributes": { "deleteEnabled": true, "listEnabled": true, "readEnabled": true, "writeEnabled": true }, "createdTime": "2022-02-01T13:43:26.6809388Z", "digest": "sha256:d294f260813599562eb5ace9e0acd91d61b7dbc53c3", "lastUpdateTime": "2022-02-01T13:43:26.6809388Z", "name": "17.0", "signed": false }
The third copy is located on a Kubernetes node running the container after it is pulled from the registry. To check this copy, do the following:
- Run;
$ kubectl get nodes -o wide
NAME STATUS VERSION INTERNAL-IP OS-IMAGE aks-agentpool-7601-vmss000 Ready v1.21.7 10.240.0.4 Ubuntu 18.04.6 LTS
- Use kubectl debug to run a container on the node:
$ kubectl debug node/aks-nodepool1-7601-vmss000-it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 root@aks-agentpool-7601-vmss000:/#
- You can interact with the node session from the privileged container:
chroot /host
- Verify the presence of the image:
/usr/local/bin/crictl image | grep msdp
Sample output:
testregistry.azurecr.io/msdp-operator 17.0 353d2bd50105c 182MB
- Verify the image ID on the Kubernetes node, run:
/usr/local/bin/crictl inspecti 353d2bd50105c | jq .[].id
Sample output
"sha256:353d2bd50105cbc3c61540e10cf32a152432d5173bb6318b8e" null
- Verify the image digest on the Kubernetes node, run:
/usr/local/bin/crictl inspecti 353d2bd50105c | jq .[].repoDigests
Sample output
[ "testregistry.azurecr.io/msdp-operator@sha256: d294f260813599562eb5ace9e0acd91d61b7dbc53c3" ] null
Use the steps given above to identify image ID and Digest and compare with values obtained from the registry and the Kubernetes node running the container.
Note:
MSDP Scaleout images (uss-engine, uss-mds, uss-controller, msdp-operator) use IfNotPresent imagePullPolicy. A unique image tag is required in order for a Kubernetes node to pull an updated image.