Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-263

Document known limitation: `oc adm prune images` will prune manifest lists when only its sub-manifest(s) are referenced

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Minor
    • None
    • None
    • Pruner
    • 5
    • False
    • None
    • False
    • OCPSTRAT-629 - Initial Manifest list support for multi-architecture environments
    • Sprint 232, Sprint 233

    Description

      Acceptance Criteria

      • Documentation that users should reference a manifest list either by tag or digest. Sub-manifests should never be referenced directly [by digest].

      How to observe the limitation (on OCP 4.13 nightly)

      1: Expose your registry and login to it with skopeo:

      oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
skopeo login -u kubeadmin -p 'sha256~<token>' --tls-verify=false $REGISTRY

      2: Create a new project and copy a multi-arch image to it (this will auto-create an image stream for you):

      oc new-project myapp
skopeo copy --dest-tls-verify=false -a docker://docker.io/library/busybox:1.34.0 docker://$REGISTRY/myapp/busybox:latest
oc get is busybox -ojsonpath="{.status}"

      3: Get the amd64 sub-manifest image reference and create a workload using it (this is the part customers SHOULD NOT do - instead they should point to the manifest list)

      IMG=$(oc get images $(oc get istag busybox:latest -ojsonpath="{.image.dockerImageManifests[0].digest}") -ojsonpath="{.dockerImageReference}")

cat <<EOF | oc apply -f -
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: $IMG
            imagePullPolicy: Always
            command:
            - /bin/sh
            - -c
            - date; echo Hello from the OpenShift cluster
          restartPolicy: OnFailure
EOF

      4: Override the "latest" tag on the busybox image stream:

      skopeo copy --dest-tls-verify=false -a docker://docker.io/library/busybox:1.35.0 docker://$REGISTRY/myapp/busybox:latest
oc get is busybox -ojsonpath="{.status}" # you will see two entries now

      5: Run the pruner (NOTE! this will remove all but one tag event for all image streams in your cluster, make sure you're using a throw-away cluster!):

      oc adm prune images --registry-url=$REGISTRY --all=true --keep-younger-than=5m --keep-tag-revisions=1 --loglevel=4 --confirm

      6: Watch your job start failing:

      oc get pods # you might need to wait up to a minute until any failures start happening

      Attachments

        Issue Links

          is blocked by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. IR-259 As an openshift/client-go user I want to be able to specify that an ImageStream tag refers to a manifest list so that I can import all manifests from it

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              rhn-support-stevsmit Steven Smith
              obulatov@redhat.com Oleg Bulatov
              Wen Wang Wen Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: