Updating OCI images in Incus with Tofu/Terraform
TL;DR: github.com/PriceChild/terraform-incus-oci-image-updating will update docker/oci images when applying.
I deploy to Incus containers and take advantage of its support for OCI (Docker) images to avoid running Docker as well. I deploy using Tofu/Terraform and the Incus provider, which seems to have a small drawback around keeping images updated.
My previous system used Ansible to install systemd services to manage Docker containers. A unit such as the following would pull the latest image on each start, while also restarting the service on a timer (RuntimeMaxSec):
[Unit]
Description=Random Service
After=docker.service
Requires=docker.service
[Service]
ExecStartPre=/usr/bin/docker pull image_name:latest
ExecStart=/usr/local/bin/systemd-docker \
--cgroups name=systemd --cgroups=cpu \
run --rm --name %n \
-v /my-service-data/:/data/ \
-p 80:80 \
image_name
ExecStartPost=/usr/bin/docker image prune -f
Restart=always
RestartSec=10s
Type=notify
NotifyAccess=all
TimeoutStartSec=120
TimeoutStopSec=15
RuntimeMaxSec=86400
[Install]
WantedBy=multi-user.target
Since moving to Incus I've deployed via Tofu. When using the Incus provider's incus_image resource, an image is downloaded and named with its fingerprint by default. If you used a Docker tag such as latest, the Incus image doesn't seem to be updated even if a new image is pushed to the remote by the maintainer.
Using the pattern in github.com/PriceChild/terraform-incus-oci-image-updating ensures that each time you run tofu apply, the Docker Hub API is checked for the tag's latest fingerprint. The image resource is then replaced if necessary, and dependent instances can be restarted based on the new image.
module "go-vod_image" {
  source       = "github.com/PriceChild/terraform-incus-docker-image-updating?ref=0.0.1"
  docker_image = "radialapps/go-vod"
}

resource "incus_instance" "go-vod" {
  name  = "go-vod"
  image = module.go-vod_image.fingerprint
}
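To show the "check the registry on every apply" step concretely, here is an added example of the lookup the pattern above relies on. It is not code from this post or from the PriceChild module, whose internals are not described here; it assumes the public Docker Hub endpoint https://hub.docker.com/v2/repositories/NAMESPACE/REPO/tags/TAG and its JSON shape (a top-level digest plus per-platform entries under images), and it speaks the protocol Terraform/OpenTofu's external data source expects (a JSON map on stdin, a flat JSON map of strings on stdout). The digest it returns is a content address, so it changes exactly when the maintainer publishes a new image behind the tag, and it is validated as a well-formed sha256 digest before anything from the remote API is written into state. The sample response embedded at the bottom is constructed, so the script runs offline.

```python
#!/usr/bin/env python3
"""Resolve a Docker Hub tag to its current content digest.

Added example (not part of the PriceChild module). Assumes the Docker Hub
tag endpoint below and the Terraform/OpenTofu `external` data source contract:
JSON object in on stdin, flat JSON object of strings out on stdout.
"""
from __future__ import annotations

import json
import re
import sys
import urllib.request

# Assumed public Docker Hub API endpoint (repo is "namespace/name").
HUB_TAG_URL = "https://hub.docker.com/v2/repositories/{repo}/tags/{tag}"
# Only a well-formed sha256 digest may end up in state.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def normalize_repo(image: str) -> str:
    """Official images live under 'library/': 'nginx' -> 'library/nginx'."""
    return image if "/" in image else f"library/{image}"


def split_image(ref: str) -> tuple[str, str]:
    """Split 'repo:tag' into (repo, tag); the default tag is 'latest'.

    A colon followed by a '/' is a registry port, not a tag separator.
    """
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, "latest"
    return repo, tag


def digest_from_tag_response(body: dict, arch: str = "amd64", os_name: str = "linux") -> str:
    """Pick the digest for one platform out of a Hub tag response.

    Hub reports a manifest-list digest at the top level and one digest per
    platform under 'images'. The per-platform digest is preferred because it
    names exactly one image; the top-level digest is the fallback. A value
    that is not a sha256 digest is rejected instead of being passed through.
    """
    for img in body.get("images", []):
        if img.get("architecture") == arch and img.get("os") == os_name:
            digest = img.get("digest", "")
            if DIGEST_RE.match(digest):
                return digest
    digest = body.get("digest", "")
    if DIGEST_RE.match(digest):
        return digest
    raise ValueError("no well-formed sha256 digest in Docker Hub response")


def fetch_tag(repo: str, tag: str) -> dict:
    """Network lookup of one tag (only used when real input arrives on stdin)."""
    url = HUB_TAG_URL.format(repo=normalize_repo(repo), tag=tag)
    with urllib.request.urlopen(url, timeout=20) as resp:
        return json.load(resp)


def resolve(query: dict, fetch=fetch_tag) -> dict:
    """External data source contract: {"image": ..., "arch": ...} -> string map."""
    repo, tag = split_image(query["image"])
    body = fetch(repo, tag)
    digest = digest_from_tag_response(body, query.get("arch", "amd64"))
    return {"repo": repo, "tag": tag, "digest": digest}


# Constructed sample of a Hub tag response; not captured from the real API.
SAMPLE_TAG_RESPONSE = {
    "name": "latest",
    "digest": "sha256:" + "a" * 64,
    "images": [
        {"architecture": "arm64", "os": "linux", "digest": "sha256:" + "b" * 64},
        {"architecture": "amd64", "os": "linux", "digest": "sha256:" + "c" * 64},
    ],
}


if __name__ == "__main__":
    if sys.stdin.isatty():
        # Run by hand: resolve against the constructed sample, offline.
        result = resolve({"image": "radialapps/go-vod"}, fetch=lambda r, t: SAMPLE_TAG_RESPONSE)
    else:
        # Run by the external data source: query Docker Hub for real.
        result = resolve(json.load(sys.stdin))
    json.dump(result, sys.stdout)
```

Wired up as a `data "external"` block, the returned digest is the value to feed into the image resource (or into a standard `lifecycle { replace_triggered_by = [...] }` on the instance), so a changed digest on the next apply is what forces the replacement; a tag string alone never changes and so never can.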
I believe my problem with the basic Incus provider/module functionality is that, despite fetching images by a Docker tag, the tag is translated to a fingerprint which is then stored in your state. That fingerprint doesn't change, so the image is never updated.
Incus can auto-update images based on aliases, but I believe this is limited to simplestreams servers and other Incus servers? I'd love to be proven wrong...