Image Lifecycles

Those images are owned by ODS admins. Examples of such images include the SonarQube image and the Nexus image. All of the images used by containers in the central ODS namespace are built by ODS during its installation. No container uses a vanilla image as provided by e.g. DockerHub or quay.io.

Each image is created through a BuildConfig, and placed into an ImageStream. The BuildConfig defines which Dockerfile is used, and which base image is used to build from. The base image can be pulled from DockerHub (e.g. in case of SonarQube or Nexus), but it can also be from another registry (e.g. in case for the Jenkins Master image, it might be from registry.access.redhat.com or registry.redhat.io).

The images are built during installation or upgrade of ODS, and tagged with the value of the configuration parameter ODS_IMAGE_TAG. Once an image has been built, it is not changed until a new build is triggered - that means that even if the base image changes, it has no effect on the images in the central ODS namespaces unless an admin triggers a new build for that image. Further, a new image does not necessarily equal an update to the deployment. Admins have to ensure that new deployments are rolled out so that the new images get picked up.

Those images are also owned by ODS admins, and also built in the central ODS namespace like the first category, but the deployments are running in each ODS project. The images in this catgeory are the Jenkins related images (master, agents, webhook-proxy), and potentially also the image for the document generation service.

Note that building a new image in the central ODS namespace does not equal an update of the deployments in each *-cd project. This is because no image triggers are defined on the DeploymentConfig resources. While having such a trigger sounds convenient at first, it is actually not desirable. The main reason is that the rollouts started from an image trigger cannot be controlled, leading to simultaneous restarts which runs the risk of putting a huge amount of load on the cluster.

A downside of not having a trigger is that it is cumbersome for ODS admins to rollout bugfixes and security patches to running instances such as the Jenkins Master or the webhook proxy. At the moment, there is no easy, automated, solution to this. However, you might be interested in an experimental tool, oc-batch-rollout, which allows admins to trigger rollouts in a controlled fashion.

Those images are owned by ODS users and are built using BuildConfig resources in the respective namespace. The build is triggered from the Jenkins pipeline. The BuildConfig refers to a Dockerfile in the application repository, which refers to an image (typically from DockerHub) in its FROM instruction.

Which image gets pulled from DockerHub is completely dependent on which image tag is specified in the FROM instruction. Authors of the Dockerfile are free to be as specific or inspecific as they want, e.g. they could point to the latest tag or use a more stable version published by the base image owner.

Therefore, updates to the base image of application images take effect on every build. Once an application runs in a pod though, its image is not automatically updated when the base image changes in DockerHub.

Also it is important to note that updates to the Dockerfile in a quickstarter have no effect on an application, even if the application was originally provisioned using that same quickstarter. The reason is that there is no ongoing link between a quickstarter (which is like a template) and the created component (which is like an instance).