Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.30.0
- Fix Version/s: 3.31.0
- Component/s: Cleanup, Docker, Scheduled Tasks
- Labels:
- Story Points: 5
- Sprint: NXRM Neo Sprint 4, NXRM Neo Sprint 5
- Notability: 2
Description
When group deployment (NEXUS-24184) is used, some layers in an uploaded image may come from repositories other than the target hosted repository.
When Docker pushes an image, it checks the remote to see if each layer in the image already exists there before uploading. If a layer already exists in another hosted or proxy repository in the group (other than the target deployment one), it will end up being used in the image. In particular, it is not uncommon for some layers to come from Docker Hub.
If those layers referenced in other repositories are later removed via cleanup policies, the original uploaded image will no longer be usable. Note that this applies not only to layers in other hosted repositories; it can also apply to ones in Docker Hub, which doesn't seem to keep all layers forever (some sort of GC algorithm appears to be used there).
This means that group deployment as currently implemented is fundamentally dangerous: you can end up with an unusable image after cleanups are run.
Expected: We need to come up with a way to make cleanup safe, so that layers in use by images in hosted repositories are never removed, regardless of which repository they come from.
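A simplified model of the failure and of the reference check the ticket asks for, added here as an illustration; it is not Nexus Repository code. Repository names, digests and the `group_wide` switch are constructed assumptions, and the per-repository view stands in for a cleanup that only considers manifests stored in the repository being cleaned.

```python
from collections import defaultdict

# Constructed sample data. Assumed model: repo -> layer digests it stores,
# and hosted repo -> image -> layer digests its manifest references.
BLOBS = {
    "hosted-a": {"sha256:app1"},
    "hosted-b": {"sha256:shared", "sha256:stale"},
    "hub-proxy": {"sha256:base", "sha256:unused"},
}
MANIFESTS = {
    "hosted-a": {"team/app:1.0": ["sha256:base", "sha256:shared", "sha256:app1"]},
    "hosted-b": {"team/tool:2.0": ["sha256:shared"]},
}

def layer_references(manifests, only_repo=None):
    """Map digest -> set of (repo, image) users; only_repo limits the view to one repository."""
    refs = defaultdict(set)
    for repo, images in manifests.items():
        if only_repo is not None and repo != only_repo:
            continue
        for image, layers in images.items():
            for digest in layers:
                refs[digest].add((repo, image))
    return refs

def foreign_layers(blobs, manifests):
    """For each image, the layers not stored in its own repository and where they live."""
    report = {}
    for repo, images in manifests.items():
        for image, layers in images.items():
            away = {d: sorted(r for r, held in blobs.items() if d in held)
                    for d in layers if d not in blobs.get(repo, set())}
            if away:
                report[(repo, image)] = away
    return report

def plan_cleanup(manifests, candidates, group_wide=True):
    """Split (repo, digest) cleanup candidates into deletable and blocked-by-users."""
    deletable, blocked = [], {}
    for repo, digest in candidates:
        refs = layer_references(manifests, None if group_wide else repo)
        users = sorted(refs.get(digest, ()))
        if users:
            blocked[(repo, digest)] = users
        else:
            deletable.append((repo, digest))
    return deletable, blocked

def all_candidates(blobs):
    """Every stored layer, as a worst-case cleanup candidate list."""
    return sorted((repo, d) for repo, held in blobs.items() for d in held)
```

With `group_wide=False` the plan marks `sha256:base` in `hub-proxy` as deletable even though `team/app:1.0` in `hosted-a` depends on it; with `group_wide=True` the same layer is blocked.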
Issue Links
- relates: NEXUS-28717 "Docker - Delete unused manifests and images" task attempts to read files from the wrong Blob Store and potentially deletes valid database references (Closed)