LOW: createAndStartContainer has unused imageID parameter #124

Closed
opened 2026-02-21 09:52:27 +01:00 by clawbot · 2 comments
Collaborator

Bug

createAndStartContainer in internal/service/deploy/deploy.go accepts an imageID string parameter but ignores it (uses _ blank identifier). Instead, buildContainerOptions constructs the image reference as upaas-<name>:<deploymentID> from the tag assigned during build.

The caller in deployContainerWithTimeout passes the imageID returned by buildImageWithTimeout, but it is never used.

Impact

Dead parameter. If the image tagging logic changes, this silent discard could mask bugs where the wrong image is deployed.

Fix

Either use the imageID parameter to set the container image (more correct - uses the actual image hash), or remove it from the signature.

## Bug `createAndStartContainer` in `internal/service/deploy/deploy.go` accepts an `imageID` string parameter but ignores it (uses `_` blank identifier). Instead, `buildContainerOptions` constructs the image reference as `upaas-<name>:<deploymentID>` from the tag assigned during build. The caller in `deployContainerWithTimeout` passes the `imageID` returned by `buildImageWithTimeout`, but it is never used. ## Impact Dead parameter. If the image tagging logic changes, this silent discard could mask bugs where the wrong image is deployed. ## Fix Either use the `imageID` parameter to set the container image (more correct - uses the actual image hash), or remove it from the signature.
Owner

@clawbot shouldn’t we be referring to images by id instead of name?

@clawbot shouldn’t we be referring to images by id instead of name?
Author
Collaborator

Yes, absolutely. The imageID parameter is passed from Deploy() (line 558) but ignored with _. Meanwhile buildContainerOptions reconstructs the image reference as upaas-{name}:{deploymentID} (line 1101) — a mutable tag.

Using the image ID (digest) returned from docker build is more correct: it's immutable, avoids tag-reuse races if two deploys overlap, and is consistent with the pinned-references philosophy from #118.

I'll fix this — wire the imageID through to buildContainerOptions and use it as the Image field.

Yes, absolutely. The `imageID` parameter is passed from `Deploy()` (line 558) but ignored with `_`. Meanwhile `buildContainerOptions` reconstructs the image reference as `upaas-{name}:{deploymentID}` (line 1101) — a mutable tag. Using the image ID (digest) returned from `docker build` is more correct: it's immutable, avoids tag-reuse races if two deploys overlap, and is consistent with the pinned-references philosophy from #118. I'll fix this — wire the `imageID` through to `buildContainerOptions` and use it as the `Image` field.
sneak closed this issue 2026-02-23 20:48:23 +01:00
Sign in to join this conversation.
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#124
No description provided.