Problem/Justification
Prolonged and technically unnecessary downtime of app if docker image download is slow or fails during upgrade workflow
Impact
Changing the upgrade behavior from “shutdown app before downloading new image” to “download first, shutdown/upgrade only if successful” would significantly lower app downtime - especially in cases where connectivity to Docker Hub is impaired (for instance, DTAG’s AS3320 is known to regularly have extremely slow peering to CloudFlare).
User Story
User would notice significantly lower app downtime and no immediate need to intervene in case of download failure