Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-263

Document known limitation: `oc adm prune images` will prune manifest lists when only its sub-manifest(s) are referenced

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Minor Minor
    • None
    • None
    • Pruner
    • BU Product Work
    • 5
    • False
    • None
    • False
    • OCPSTRAT-629 - Initial Manifest list support for multi-architecture environments
    • Sprint 232, Sprint 233

      Acceptance Criteria

      • Documentation that users should reference a manifest list either by tag or digest. Sub-manifests should never be referenced directly [by digest].

      How to observe the limitation (on OCP 4.13 nightly)

      1: Expose your registry and login to it with skopeo:

      oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
skopeo login -u kubeadmin -p 'sha256~<token>' --tls-verify=false $REGISTRY

      2: Create a new project and copy a multi-arch image to it (this will auto-create an image stream for you):

      oc new-project myapp
skopeo copy --dest-tls-verify=false -a docker://docker.io/library/busybox:1.34.0 docker://$REGISTRY/myapp/busybox:latest
oc get is busybox -ojsonpath="{.status}"

      3: Get the amd64 sub-manifest image reference and create a workload using it (this is the part customers SHOULD NOT do - instead they should point to the manifest list)

      IMG=$(oc get images $(oc get istag busybox:latest -ojsonpath="{.image.dockerImageManifests[0].digest}") -ojsonpath="{.dockerImageReference}")

cat <<EOF | oc apply -f -
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: $IMG
            imagePullPolicy: Always
            command:
            - /bin/sh
            - -c
            - date; echo Hello from the OpenShift cluster
          restartPolicy: OnFailure
EOF

      4: Override the "latest" tag on the busybox image stream:

      skopeo copy --dest-tls-verify=false -a docker://docker.io/library/busybox:1.35.0 docker://$REGISTRY/myapp/busybox:latest
oc get is busybox -ojsonpath="{.status}" # you will see two entries now

      5: Run the pruner (NOTE! this will remove all but one tag event for all image streams in your cluster, make sure you're using a throw-away cluster!):

      oc adm prune images --registry-url=$REGISTRY --all=true --keep-younger-than=5m --keep-tag-revisions=1 --loglevel=4 --confirm

      6: Watch your job start failing:

      oc get pods # you might need to wait up to a minute until any failures start happening

          1.
          		 QE Tracker - IR-263 Sub-task Closed Undefined Wen Wang

              rhn-support-stevsmit Steven Smith
              obulatov@redhat.com Oleg Bulatov (Inactive)
              Wen Wang Wen Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: