docker_image misbehaves in check_mode when using force_source and pull

[jcgruenhage]

SUMMARY

In check mode, docker_image always says the image is changed when using force_source and source: pull, even when that's not actually the case.

ISSUE TYPE

• Bug Report

COMPONENT NAME

docker_image

Further description instead of system, collection and ansible version details

I allowed myself to not post all those details, because I read your module code and it's fairly obvious how this issue comes to be:

• https://github.com/ansible-collections/community.docker/blob/main/plugins/modules/docker_image.py#L465 set's changed to true
• if not in check mode, https://github.com/ansible-collections/community.docker/blob/main/plugins/modules/docker_image.py#L467 tries to pull
• if not in check mode and old and new image hash are the same, https://github.com/ansible-collections/community.docker/blob/main/plugins/modules/docker_image.py#L475 sets changed back to false.

It's not quite trivial to solve this I'm afraid, as fetching the hash of the image on the registry is not implemented here afaict. Any opinions on this?

For context how/why we need this: We have a role that deploys a containerized service, and in the playbook for the test infrastructure, we want to drop a database before running the role if the container image has changed. As the role depends on the result of pulling the container image, we have to run the task in the playbook in check mode and have to do the actual pull inside the role.

STEPS TO REPRODUCE

- hosts: localhost
  become: yes
  tasks:
    - name: Check if new image would be pulled
      docker_image:
        name: "docker.io/nginx"
        source: pull
        state: present
        force_source: true
      register: image_pulled
      until: image_pulled is success
      retries: 10
      delay: 5
      check_mode: true
    - name: some tasks to do before pulling and starting a new container image
      debug:
        msg: "Hello"
      when: image_pulled.changed
    - name: Pull new image
      docker_image:
        name: "docker.io/nginx"
        source: pull
        state: present
        force_source: true
      register: image_pulled
      until: image_pulled is success
      retries: 10
      delay: 5

EXPECTED RESULTS

PLAY [localhost] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [Check if new image would be pulled] *****************************************************************************************************************************************************
ok: [localhost]

TASK [some tasks to do before pulling and starting a new container image] *********************************************************************************************************************
skipping: [localhost]

TASK [Pull new image] *************************************************************************************************************************************************************************
ok: [localhost]

PLAY RECAP ************************************************************************************************************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   

ACTUAL RESULTS

PLAY [localhost] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [Check if new image would be pulled] *****************************************************************************************************************************************************
changed: [localhost]

TASK [some tasks to do before pulling and starting a new container image] *********************************************************************************************************************
ok: [localhost] => {
    "msg": "Hello"
}

TASK [Pull new image] *************************************************************************************************************************************************************************
ok: [localhost]

PLAY RECAP ************************************************************************************************************************************************************************************
localhost                  : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[felixfontein]

This is expected behavior of the module (albeit undocumented), since - as you noticed - it is not possible to implement this without re-implementing parts of the Docker daemon in the module. And even if someone would do that, it won't cover every case since the Docker daemon can run on a random other machine, and the registry might not even be reachable directly from the machine this module runs on.

[jcgruenhage]

If the docker daemon does not provide a way to gather this information, then that's very unfortunate. Maybe expanding the API in that direction would make sense instead?

I've just looked for alternatives, and it seems like the podman_image behaves similarly. skopeo does support working with remote images, but there's no ansible modules available for working directly with skopeo. We'll see how we'll solve this instead :/