  1. Dev - Nexus Repo
  2. NEXUS-27014

Cleanup policies and tasks do not fully consider that Docker layers can be referenced by manifests in other repositories

    Details

      Description

      When group deployment (NEXUS-24184) is used, some layers in an uploaded image may come from repositories other than the target hosted repository.

      When Docker pushes an image, it checks the remote to see if each layer in the image already exists there before uploading. If a layer already exists in another hosted or proxy repository in the group (other than the target deployment one), it will end up being used in the image. In particular, it is not uncommon for some layers to come from Docker Hub.

      If those layers referenced in other repositories are later removed via cleanup policies, the original uploaded image will no longer be usable. Note that this applies not only to layers in other hosted repositories; it can also apply to ones in Docker Hub, which doesn't seem to keep all layers forever (some sort of GC algorithm appears to be used there).

      This means that group deployment as currently implemented is fundamentally dangerous: you can end up with an unusable image after cleanups are run.

      Expected: We need to come up with a way to make cleanup safe, so that layers in use by images in hosted repositories are never removed, regardless of which repository they come from.
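
The failure mode and the expected behaviour described above, as an added example (not code from the issue or from Nexus Repository). It assumes a simplified in-memory model of a group; the repository names, digests, ages and the age-based policy are constructed for illustration.

```python
# Added illustration: simplified in-memory model, not Nexus Repository code.
# Repository names, digests, ages and the age-based policy are constructed.
from dataclasses import dataclass, field

@dataclass
class Repo:
    name: str
    kind: str  # "hosted" or "proxy"
    blobs: dict = field(default_factory=dict)      # layer digest -> age in days
    manifests: dict = field(default_factory=dict)  # image tag -> layer digests

def naive_cleanup(repo, max_age_days):
    """Per-repository policy: pick layers by age alone."""
    return {d for d, age in repo.blobs.items() if age > max_age_days}

def referenced_layers(group):
    """Digests referenced by any manifest in any hosted member of the group."""
    return {d for r in group if r.kind == "hosted"
            for layers in r.manifests.values() for d in layers}

def safe_cleanup(repo, group, max_age_days):
    """Same policy, minus layers still referenced anywhere in the group."""
    return naive_cleanup(repo, max_age_days) - referenced_layers(group)

def broken_images(group, removed):
    """Images left referencing a layer that no group member still holds."""
    remaining = set()
    for r in group:
        remaining |= set(r.blobs) - removed.get(r.name, set())
    return sorted(f"{r.name}/{tag}" for r in group
                  for tag, layers in r.manifests.items()
                  if any(d not in remaining for d in layers))

def build_group():
    """Constructed state after a group-deployment push of app:1.0."""
    proxy = Repo("docker-hub-proxy", "proxy", blobs={"sha256:base": 90})
    shared = Repo("hosted-shared", "hosted",
                  blobs={"sha256:libs": 60, "sha256:old": 60})
    target = Repo("hosted-target", "hosted", blobs={"sha256:app": 1},
                  manifests={"app:1.0": ["sha256:base", "sha256:libs", "sha256:app"]})
    return [proxy, shared, target]

if __name__ == "__main__":
    group = build_group()
    naive = {r.name: naive_cleanup(r, 30) for r in group}
    safe = {r.name: safe_cleanup(r, group, 30) for r in group}
    print("broken after naive cleanup:", broken_images(group, naive))
    print("broken after reference-aware cleanup:", broken_images(group, safe))
    print("still reclaimed:", safe["hosted-shared"])
```

The reference set is computed across the whole group rather than per repository, which is the property the per-repository policy lacks.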


              People

              Assignee:
              jhill Joshua Hill
              Reporter:
              jhill Joshua Hill
              Last Updated By:
              Michael Bucher
              Team:
              NXRM - Neo
              Votes:
              2
              Watchers:
              7
