|
| 1 | +--- |
| 2 | +title:"How to: Upgrade Deprecated Docker Images in Classic Pipelines" |
| 3 | +description:"Find and upgrade deprecated Docker v1 and schema 1 images to support docker-27 runner in Classic Pipelines." |
| 4 | +group:kb |
| 5 | +sub-group:articles |
| 6 | +toc:true |
| 7 | +kb:false |
| 8 | +ht:true |
| 9 | +common:false |
| 10 | +categories:[Pipelines] |
| 11 | +support-reviewed:2025-07-14 AA |
| 12 | +--- |
| 13 | + |
| 14 | +#How to: Upgrade to the newer classic docker-27 runner |
| 15 | +As part of our ongoing platform upgrades, we’re moving to a newer classic runner version based |
| 16 | +on docker ver 27. This change deprecates older Docker image formats, and you may need to |
| 17 | +identify and upgrade deprecated images in your pipelines. |
| 18 | + |
| 19 | +This guide will help you: |
| 20 | + |
| 21 | +1. Identify deprecated Docker images in your Classic Pipelines. (Step 1) |
| 22 | + |
| 23 | +2. Upgrade those images to a modern, supported format. (Step 2) |
| 24 | + |
| 25 | +###Step 1: Find Deprecated Docker Images |
| 26 | +There are two recommended approaches to identify deprecated images in your Classic |
| 27 | +Pipelines. |
| 28 | + |
| 29 | +####Analyze Build Logs |
| 30 | + |
| 31 | +This method scans historical build logs for deprecation warnings. |
| 32 | + |
| 33 | +**How it works:** |
| 34 | + |
| 35 | +Latest versions of dind print deprecation warning into build logs each time Docker daemon |
| 36 | +tries to pull a deprecated image. |
| 37 | + |
| 38 | +**Example:** |
| 39 | +``` |
| 40 | +[DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest |
| 41 | +version 2, schema 1 support is disabled by default... |
| 42 | +``` |
| 43 | + |
| 44 | +Use the following script to scan logs and extract deprecated image names:[Find deprecated images used in previous builds](https://gist.github.com/francisco-cocozza/6046028184cc12b5ee4513bdcb4217c5) |
| 45 | + |
| 46 | +💡 For large-scale environments with thousands of builds, we offer a more scalable, |
| 47 | +metrics-based detection method. See Appendix I for details. |
| 48 | + |
| 49 | +###Step 2: Upgrade Deprecated Docker Images |
| 50 | +Once you’ve identified deprecated images using engine metrics, the next step is to upgrade |
| 51 | +those images to a modern format (OCI or Docker manifest v2, schema 2). This is required to |
| 52 | +ensure compatibility with docker-27 and future releases. |
| 53 | + |
| 54 | +####How It Works |
| 55 | + |
| 56 | +Re-pushing an image using a modern Docker client will automatically convert its manifest to a |
| 57 | +supported version. |
| 58 | + |
| 59 | +####Sample Codefresh Pipeline to Upgrade an Image |
| 60 | + |
| 61 | +You can automate this process with a Codefresh pipeline like the one below: |
| 62 | + |
| 63 | +``` |
| 64 | +1. version: "1.0" |
| 65 | +2. |
| 66 | +3. steps: |
| 67 | +4. push: |
| 68 | +5. title: "Re-pushing deprecated image" |
| 69 | +6. type: push |
| 70 | +7. candidate: <source-image-name> |
| 71 | +8. registry: <target-registry> |
| 72 | +9. tag: <target-tag> |
| 73 | +10. image_name: <target-image-name> |
| 74 | +11. |
| 75 | +12. # Example: |
| 76 | +13. # push: |
| 77 | +14. # title: "Re-pushing deprecated image" |
| 78 | +15. # type: push |
| 79 | +16. # candidate: docker/whalesay:latest |
| 80 | +17. # registry: docker |
| 81 | +18. # tag: new-manifest |
| 82 | +19. # image_name: codefresh/whalesay |
| 83 | +``` |
| 84 | + |
| 85 | +This pulls the deprecated image and re-pushes it under a new name/tag with a compliant |
| 86 | +manifest format. |
| 87 | + |
| 88 | +💡 You can repeat this process for each deprecated image discovered via metrics or logs. |
| 89 | + |
| 90 | +##Appendix I: |
| 91 | + |
| 92 | +###Monitor Engine Metrics |
| 93 | + |
| 94 | +This method enables scalable detection of deprecated images by using real-time engine |
| 95 | +metrics. Recommended for high-volume or automated environments. |
| 96 | + |
| 97 | +####Monitor engine metrics |
| 98 | + |
| 99 | +Starting from Runtime v7.5.0, engine emits |
| 100 | +codefresh_engine_deprecated_images_pulled_total{ account_name, |
| 101 | +pipeline_id, workflow, image_name } metric, which should be monitored to detect |
| 102 | +deprecated images pulled within DIND. |
| 103 | + |
| 104 | +This metric is a counter increased by 1 each time Docker daemon pulls a deprecated image. |
| 105 | + |
| 106 | +####How to enable |
| 107 | + |
| 108 | +Set the following values for the Hybrid Runtime Chart: |
| 109 | + |
| 110 | +``` |
| 111 | +1. runtime: |
| 112 | +2. engine: |
| 113 | +3. env: |
| 114 | +4. METRICS_PROMETHEUS_ENABLED: true |
| 115 | +5. podMonitor: |
| 116 | +6. main: |
| 117 | +7. enabled: true |
| 118 | +``` |
| 119 | + |
| 120 | +Before normal shutdown, the engine pod waits for the scrape of the metrics. This helps ensure |
| 121 | +that the latest metric values are not missed. |
| 122 | + |
| 123 | +The timeout is controlled by the METRICS_PROMETHEUS_SCRAPE_TIMEOUT engine variable. If |
| 124 | +you want to be sure that the Prometheus operator will scrape the latest metric values before the |
| 125 | +engine exits, we recommend setting this variable to 4 times your scrape interval. |
| 126 | + |
| 127 | +To do so, adjust your Hybrid Runtime Chart values: |
| 128 | + |
| 129 | +``` |
| 130 | +1. runtime: |
| 131 | +2. engine: |
| 132 | +3. env: |
| 133 | +
|
| 134 | +4. # Timeout in ms |
| 135 | +5. METRICS_PROMETHEUS_SCRAPE_TIMEOUT: '120000' |
| 136 | +``` |
| 137 | + |
| 138 | +####How to monitor |
| 139 | + |
| 140 | +Installation of the monitoring stack is up to the customer and not covered by our support. |
| 141 | + |
| 142 | +This section provides very basic instructions suitable for the purpose of this doc, however, they |
| 143 | +may not meet customer’s long-term production needs and may require some adjustment by the |
| 144 | +end user. |
| 145 | + |
| 146 | +If the monitoring stack is not installed in the target cluster, the easiest way is to install |
| 147 | +kube-prometheus-stack Chart: |
| 148 | +[kube-prometheus-stack 75.6.2 · prometheus/prometheus-community](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack) |
| 149 | + |
| 150 | +While installing, please consider enabling persistence for the Prometheus operator so that |
| 151 | +collected metrics are not purged on node rotation. Please follow the[official docs](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack?modal=values&path=prometheus.prometheusSpec.storageSpec) for details |
| 152 | +(check prometheus.prometheusSpec.storageSpec value). |
| 153 | + |
| 154 | +####Example installation |
| 155 | + |
| 156 | +**kube-prom-storage-class.yaml** |
| 157 | + |
| 158 | +``` |
| 159 | +1. # kube-prom-storage-class.yaml |
| 160 | +2. |
| 161 | +3. apiVersion: storage.k8s.io/v1 |
| 162 | +4. kind: StorageClass |
| 163 | +5. metadata: |
| 164 | +6. name: kube-prom |
| 165 | +7. provisioner: kubernetes.io/aws-ebs |
| 166 | +8. parameters: |
| 167 | +9. type: gp3 |
| 168 | +``` |
| 169 | + |
| 170 | +**kube-prom-values.yaml** |
| 171 | + |
| 172 | +``` |
| 173 | +1. # kube-prom-values.yaml |
| 174 | +2. |
| 175 | +3. prometheus: |
| 176 | +4. prometheusSpec: |
| 177 | +5. podMonitorSelectorNilUsesHelmValues: false |
| 178 | +6. serviceMonitorSelectorNilUsesHelmValues: false |
| 179 | +7. storageSpec: |
| 180 | +8. volumeClaimTemplate: |
| 181 | +9. spec: |
| 182 | +10. storageClassName: kube-prom |
| 183 | +11. accessModes: ["ReadWriteOnce"] |
| 184 | +12. resources: |
| 185 | +13. requests: |
| 186 | +14. storage: 20Gi |
| 187 | +15. grafana: |
| 188 | +16. persistence: |
| 189 | +17. storageClassName: kube-prom |
| 190 | +18. enabled: true |
| 191 | +19. datasources: |
| 192 | +20. datasources.yaml: |
| 193 | +21. apiVersion: 1 |
| 194 | +22. datasources: |
| 195 | +23. - name: Mimir API |
| 196 | +24. type: marcusolsson-json-datasource |
| 197 | +25. uid: Mimir-API |
| 198 | +26. access: proxy |
| 199 | +27. url: http://kube-prom-kube-prometheus-prometheus:9090/api/v1 |
| 200 | +28. plugins: |
| 201 | +29. - marcusolsson-json-datasource |
| 202 | +``` |
| 203 | + |
| 204 | +###Helm installation |
| 205 | + |
| 206 | +``` |
| 207 | +1. helm repo add prometheus-community https://prometheus-community.github.io/helm-charts |
| 208 | +2. helm repo update |
| 209 | +3. helm install kube-prom prometheus-community/kube-prometheus-stack --create-namespace --namespace kube-prom -f ./kube-prom-values.yaml |
| 210 | +``` |
| 211 | + |
| 212 | +Please follow instructions provided by Helm after successful installation to get access to the |
| 213 | +newly installed Grafana instance: |
| 214 | + |
| 215 | +``` |
| 216 | +1. kubectl --namespace kube-prom get pods -l "release=kube-prom" |
| 217 | +2. kubectl --namespace kube-prom get secrets kube-prom-grafana -o jsonpath="{.data.admin-password}" | base64 -d ; echo |
| 218 | +3. export POD_NAME=$(kubectl --namespace kube-prom get pod -l "app.kubernetes.io/name=grafana,app.kubernetes.io/instance=kube-prom" -oname) |
| 219 | +4. kubectl --namespace kube-prom port-forward $POD_NAME 3000 |
| 220 | +``` |
| 221 | + |
| 222 | +You can now log in to Grafana athttp://localhost:3000 as an admin user. Double-check the |
| 223 | +instructions above for the password. |
| 224 | + |
| 225 | +###Verifying metrics |
| 226 | + |
| 227 | +To ensure that engine metrics are collected correctly, run some build on the Runtime |
| 228 | +under monitoring. Login to Grafana, open “Explore → Metrics” in the left-hand menu. |
| 229 | +Type codefresh_ in “Search” field, ensure that time range covers at least one running |
| 230 | +build. You will see a list of available metrics. |
| 231 | + |
| 232 | +{% include |
| 233 | +image.html |
| 234 | +lightbox="true" |
| 235 | +file="/images/troubleshooting/before-verify.png" |
| 236 | +url="/images/troubleshooting/before-verify.png" |
| 237 | +alt="codefresh_no_such_file_directory.png" |
| 238 | +max-width="70%" |
| 239 | +%} |
| 240 | + |
| 241 | +##How to use/understand metrics |
| 242 | + |
| 243 | +codefresh_engine_deprecated_images_pulled_total metric is a counter increased |
| 244 | +by 1 each time Docker daemon pulls a deprecated image. Labels {account_name, |
| 245 | +pipeline_id, workflow, image_name} allow you to group results. |
| 246 | + |
| 247 | +##Grafana dashboard |
| 248 | + |
| 249 | +Easiest way to analyze data — to use the attached Grafana dashboard. |
| 250 | + |
| 251 | +1\. Download[this Grafana dashboard json](../../grafana-dashboard.json) <br> |
| 252 | +2\. Login to Grafana <br> |
| 253 | +3\. Open “Dashboards → New → Import” <br> |
| 254 | + |
| 255 | +{% include |
| 256 | +image.html |
| 257 | +lightbox="true" |
| 258 | +file="/images/troubleshooting/import-dashboard.png" |
| 259 | +url="/images/troubleshooting/import-dashboard.png" |
| 260 | +alt="codefresh_no_such_file_directory.png" |
| 261 | +max-width="70%" |
| 262 | +%} |
| 263 | + |
| 264 | +4\. Upload Dashboard JSON <br> |
| 265 | +5\. Select “Select a JSON API data source → Mimir API”. Click “Import” |
| 266 | + |
| 267 | +{% include |
| 268 | +image.html |
| 269 | +lightbox="true" |
| 270 | +file="/images/troubleshooting/select-api-source.png" |
| 271 | +url="/images/troubleshooting/select-api-source.png" |
| 272 | +alt="codefresh_no_such_file_directory.png" |
| 273 | +max-width="70%" |
| 274 | +%} |
| 275 | + |
| 276 | +6\. Done! 🎉 |
| 277 | + |
| 278 | +Deprecated Images Dashboard overview |
| 279 | + |
| 280 | +{% include |
| 281 | +image.html |
| 282 | +lightbox="true" |
| 283 | +file="/images/troubleshooting/deprecated-images-overview.png" |
| 284 | +url="/images/troubleshooting/deprecated-images-overview.png" |
| 285 | +alt="codefresh_no_such_file_directory.png" |
| 286 | +max-width="70%" |
| 287 | +%} |
| 288 | + |
| 289 | +On the screenshot above: |
| 290 | + |
| 291 | +1. Filter by account name. |
| 292 | +2. Time range. |
| 293 | +3. Account name (build owner). Link leads to the Admin Panel. |
| 294 | +4. Deprecated image name. |
| 295 | +5. Pipeline ID where pull was detected. |
| 296 | + |
| 297 | +##Query Prometheus metric |
| 298 | + |
| 299 | +You can query codefresh_engine_deprecated_images_pulled_total metric directly. |
| 300 | +Consider the following query, that returns per second rate of deprecated images pulls, |
| 301 | +aggregated by account ID, pipeline ID, build and image: |
| 302 | + |
| 303 | +``` |
| 304 | +1. sum( |
| 305 | +2. rate( |
| 306 | +3. codefresh_engine_deprecated_images_pulled_total |
| 307 | +4. [$__rate_interval]) |
| 308 | +5. ) by (account_name, pipeline_id, workflow, image_name) |
| 309 | +``` |
| 310 | + |
| 311 | +{% include |
| 312 | +image.html |
| 313 | +lightbox="true" |
| 314 | +file="/images/troubleshooting/deprecated-images.png" |
| 315 | +url="/images/troubleshooting/deprecated-images.png" |
| 316 | +alt="codefresh_no_such_file_directory.png" |
| 317 | +max-width="70%" |
| 318 | +%} |
| 319 | + |
| 320 | +Deprecated images docker.io/tutum/dnsutils:latest and docker.io/docker/whalesay:latest |
| 321 | +has been pulled in Pipeline #67867cfe8307bd8f9b7b034e |
| 322 | + |
| 323 | +http://docker.io/tutum/dnsutils:latest |
| 324 | +http://docker.io/docker/whalesay:latest |
| 325 | + |
| 326 | + |