Imagestream tag exclude from pruning - using object selection #17511
@deads2k are you going to write the docs for this approach (@legionus already wrote docs for the earlier implementation)? Are you going to work w/ QE to update their tests and shepherd it through the rest of the process since the design has changed? I know you think this is trivial, but you're creating significant churn on our side that you seem unwilling to acknowledge. Also from what I see this approach does not currently offer a way to ignore immunity (let alone selectively ignore it), which is another advantage of the regex approach.
Ignoring immunity is essentially the same as removing a label or an annotation. With either implementation it requires a modification to perform selectively. To perform non-selectively, you can simply remove labels globally. As with the rest of our API objects, the ACL boundary is the namespace.
If need be, yes. I would prefer to do that and gain the benefits described in the bugzilla along with consistency of experience when using the CLI. My preference would be for broad CLI changes introducing new patterns or deviating from existing patterns to be subject to review in the broad sense and individual commands to be maintained separately. This would mirror the approach upstream, where additions using existing patterns are subject to cursory review by sig-cli-leads and involved changes are more heavily scrutinized. I don't think that juan or fabiano are pruning experts, but the experience they are trying to cultivate and maintain for consistency within If I need to own the card end-to-end, I can do so. However, I think we'd be better served in the end to grow the knowledge about common patterns and user experience across the teams which own particular commands. Consistency in these areas makes using new commands easier and knowledge of the general patterns gives more confidence when adding CLI features.
I still don't agree that finding and updating N server side objects is easier or better than tweaking a few regexes locally (or not passing the regex at all to disable immunity).
@bparees without the immunity being set on namespaces/imagestreams, each time the user attempts to prune manually, he needs to remember all namespaces/imagestreams he wants to preserve and write them down into a regexp on the command line, which gets tedious. I know that being able to write these regexps into a file and passing it to the command helps, but the user still needs to remember he has some namespaces/istags he wants to protect. IMHO the namespace immunity won't change easily over time - a company will want particular namespaces/imagestreams protected against pruning in any case. Setting the label once and not needing to care about it anymore is a much more convenient solution to the problem.
Building upon this approach also allows for per namespace/is pruning options. E.g. keep X tag revisions in proj/myapp and X+2 revisions in proj/myprecious.
@@ -351,8 +365,18 @@ func (p *pruner) addImageStreamsToGraph(streams *imageapi.ImageStreamList, limit | |||
continue | |||
} | |||
|
|||
isNamespaceEligible := p.namespacesToPrune.Has(stream.Namespace) | |||
doesNamespaceAllowImmunity := p.namespacesToAllowImmunity.Has(stream.Namespace) | |||
isISTagImmune := stream.Spec.Tags[tag].Annotations[protectionAnnotation] == "true" |
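Review bot: the three checks added at the end of this hunk keep the authority split where the discussion above put it, at the namespace boundary: a user who can edit an imagestream can set `image.openshift.io/prune-immunity: "true"` on a tag, but that annotation only has effect when `doesNamespaceAllowImmunity` is also true, which requires the namespace label. Two things deserve a comment right above these lines, because the code that combines `isNamespaceEligible`, `doesNamespaceAllowImmunity` and `isISTagImmune` is outside the hunk: first, state the rule in one sentence (an unlabelled namespace cannot grant immunity no matter what its tags claim); second, note that the annotation value is compared with the literal `"true"`, so `True`, `yes` or `1` silently leave the tag prunable, and the docs should say so.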
I'd welcome per-imagestream control as well. Where istag's annotation overrides is' annotation.
> I'd welcome per-imagestream control as well. Where istag's annotation overrides is' annotation.
It's easy enough to add, but the initial use-case didn't request it. @miminar could it be a followup?
@soltysh @fabianofranz @juanvallejo add it or no?
👍 for adding it (can be a followup). IIRC the discussions on the topic were about both IS and ISTag being excluded from pruning.
👍 for a follow-up
pkg/oc/admin/prune/images.go (outdated)
@@ -162,6 +170,7 @@ func NewCmdPruneImages(f *clientcmd.Factory, parentName, name string, out io.Wri | |||
cmd.Flags().StringVar(&opts.CABundle, "certificate-authority", opts.CABundle, "The path to a certificate authority bundle to use when communicating with the managed Docker registries. Defaults to the certificate authority data from the current user's config file. It cannot be used together with --force-insecure.") | |||
cmd.Flags().StringVar(&opts.RegistryUrlOverride, "registry-url", opts.RegistryUrlOverride, "The address to use when contacting the registry, instead of using the default value. This is useful if you can't resolve or reach the registry (e.g.; the default is a cluster-internal URL) but you do have an alternative route that works. Particular transport protocol can be enforced using '<scheme>://' prefix.") | |||
cmd.Flags().BoolVar(&opts.ForceInsecure, "force-insecure", opts.ForceInsecure, "If true, allow an insecure connection to the docker registry that is hosted via HTTP or has an invalid HTTPS certificate. Whenever possible, use --certificate-authority instead of this dangerous option.") | |||
cmd.Flags().StringVarP(&opts.NamespacesToPruneSelector, "selector", "l", "", "Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2).") |
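Review bot: the help string for `--selector`/`-l` on the last line never says what is being selected, and the phrase "to filter on, not including uninitialized ones" reads as copied from `kubectl get`, where "uninitialized" refers to the initializer mechanism and has no meaning for a pruner. Since the flag is bound to `opts.NamespacesToPruneSelector`, say so: `Label selector that chooses which namespaces are pruned; supports '=', '==' and '!=' (e.g. -l env=dev,team!=infra).` Also add the missing space in `'!='.(e.g.`, and state what an empty selector does, since the default here is `""` rather than the `opts.<Field>` default every other flag in this block uses.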
I would turn the e.g. part into a full example.
> I would turn the e.g. part into a full example.
Not sure I understand. Those are valid examples.
pkg/oc/admin/prune/images.go (outdated)
@@ -104,19 +106,24 @@ var ( | |||
defaultKeepYoungerThan = 60 * time.Minute | |||
defaultKeepTagRevisions = 3 | |||
defaultPruneImageOverSizeLimit = false | |||
|
|||
// TODO choose final name and promote to API | |||
protectionLabel = "image.openshift.io/allow-prune-immunity" |
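Review bot: `protectionLabel` is a user-visible key, so the `// TODO choose final name and promote to API` above it means the name may change after administrators have already labelled namespaces with `image.openshift.io/allow-prune-immunity`; either settle the name before merge or mark the label as experimental in the command help and docs. The constant is also unexported in pkg/oc/admin/prune/images.go while the matching tag annotation is declared in a separate const block elsewhere in this PR, so nothing ties the two keys together in code; a comment here stating that this label on a namespace only permits tags in that namespace to opt out via the annotation would make the relationship explicit to the next reader.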
Can it be more general? (e.g. openshift.io/allow-prune-immunity). We have pruners for resources other than image.
> Can it be more general? (e.g. openshift.io/allow-prune-immunity). We have pruners for resources other than image.
I would rather start specific and move out to generality. Pruning isn't a well explored space yet. See how deployments do it as a counter example.
/cc @geliu2016
Yep.
(force-pushed from 2dca02b to 2bfa8b9)
@soltysh @miminar I have rebased. I like the suggestion of respecting the flag set on an imagestream, but I'd like to move the bulk of the work and circle back to it. Perhaps @juanvallejo could pick it up and work through the test matrix?
(force-pushed from 2bfa8b9 to 30a2a0e)
/retest
/retest
(force-pushed from 681aa6b to f8f07d0)
/retest
(force-pushed from f8f07d0 to 7f60fe8)
@@ -55,6 +55,9 @@ const ( | |||
// ReferencedImageLayerEdgeKind defines an edge from an ImageStreamNode or an | |||
// ImageNode to an ImageComponentNode. | |||
ReferencedImageLayerEdgeKind = "ReferencedImageLayer" | |||
|
|||
// TODO choose final name and promote to API | |||
protectionAnnotation = "image.openshift.io/prune-immunity" |
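Review bot: `protectionAnnotation` is added to a const block of graph edge kinds (`ReferencedImageLayerEdgeKind` directly above it) with only a TODO for a comment, and its key `image.openshift.io/prune-immunity` differs from the namespace label `image.openshift.io/allow-prune-immunity` only by the `allow-` prefix, which is easy to mix up when reading either one in isolation. Add a doc comment saying where each key is expected (label on the namespace grants, annotation on the imagestreamtag claims) and that only the value `"true"` is honoured; since the reviewers above asked for an imagestream-level annotation as a follow-up, that comment is also where the override order between imagestream and istag should eventually be recorded. As with the label, resolve the "choose final name" TODO before the key ships.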
@openshift/api-review ptal (yes David I know it's you, but also others 😉)
> @openshift/api-review ptal (yes David I know it's you, but also others 😉)
Fair. :)
The implementation itself lgtm, I'm ok with @juanvallejo working on the followup. Just need to make it in a working state.
/retest to see if it stumbles on the same imagestreams.
Just a nit, LGTM otherwise.
@@ -166,6 +186,7 @@ func NewCmdPruneImages(f *clientcmd.Factory, parentName, name string, out io.Wri | |||
cmd.Flags().StringVar(&opts.RegistryUrlOverride, "registry-url", opts.RegistryUrlOverride, "The address to use when contacting the registry, instead of using the default value. This is useful if you can't resolve or reach the registry (e.g.; the default is a cluster-internal URL) but you do have an alternative route that works. Particular transport protocol can be enforced using '<scheme>://' prefix.") | |||
cmd.Flags().BoolVar(&opts.ForceInsecure, "force-insecure", opts.ForceInsecure, "If true, allow an insecure connection to the docker registry that is hosted via HTTP or has an invalid HTTPS certificate. Whenever possible, use --certificate-authority instead of this dangerous option.") | |||
cmd.Flags().BoolVar(opts.PruneRegistry, "prune-registry", *opts.PruneRegistry, "If false, the prune operation will clean up image API objects, but the none of the associated content in the registry is removed. Note, if only image API objects are cleaned up through use of this flag, the only means for subsequently cleaning up registry data corresponding to those image API objects is to employ the 'hard prune' administrative task.") | |||
cmd.Flags().StringVarP(&opts.NamespacesToPruneSelector, "selector", "l", "", "Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2).") |
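Review bot: the `--selector` help on the last line is unchanged from the earlier revision and still does not say that it selects namespaces (the comment below raises the same point); suggest `Label selector applied to namespaces: only imagestreams in matching namespaces are considered for pruning. Supports '=', '==' and '!=' (e.g. -l env=dev,team!=infra).` Because the default is `""`, every existing invocation of this command without `-l` hits the empty-selector case; under normal label-selector semantics an empty selector matches every namespace, and the help should state that explicitly so administrators are not surprised that adding a label elsewhere does not narrow what a flag-less run prunes.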
Help should mention that the selector selects namespaces.
/test end_to_end
@deads2k dug into the failed test, I think all 4 image streams that failed to update have one thing in common. They were all I wonder if we default the I guess this is a separate issue, so we can opt-out the failing image streams ( Wild guess: we don't validate the ImageStreamMappings for the
@deads2k PR needs rebase
@bparees @openshift/sig-developer-experience was there any progress on determining the root cause of why certain image streams cannot be annotated (iow. we store the corrupted object in etcd)?
/retest
@mfojtik it has always been this way, see my comment here where this was found and "worked around" (by setting the reference policy explicitly): it's effectively by design, see the entire discussion (including comment from clayton) here: and my PR to at least make the error message clearer:
Alternative to #16580.
To help clarify comments in #16580, https://bugzilla.redhat.com/show_bug.cgi?id=1410018, and openshift/api#9 I have put together a complete pull which adds the ability to protect namespaces and/or individual imagestreamtags based on our standard label and field selection techniques. This pull allows flows like this:
I'd still prefer to label the istag instead of using the equivalent of a field selector, but this gets the job done without any API changes.
@bparees @smarterclayton @mfojtik @openshift/cli-review
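Added example (not code from this PR or from the openshift/origin project): a Go sketch of the namespace selection and tag immunity decision the description above outlines, with a simplified stand-in for the Kubernetes label-selector parser that covers only the '=', '==' and '!=' forms the --selector help lists. Assumed, because the PR does not show them: a namespace "allows immunity" when it carries the label at all, and the checks combine as selected && !(allowed && claimed); all labels and annotations in the test are constructed.

```go
package main
import (
	"fmt"
	"strings"
)

const protectionLabel = "image.openshift.io/allow-prune-immunity" // namespace label from the PR hunks
const protectionAnnotation = "image.openshift.io/prune-immunity"  // imagestreamtag annotation from the PR hunks
// Requirement is one selector term: key=value or key==value (Equal) or key!=value (!Equal).
type Requirement struct {
	Key, Value string
	Equal      bool
}

// ParseSelector accepts the "=", "==" and "!=" forms from the --selector help (simplified stand-in for the k8s labels package; no set-based terms).
func ParseSelector(s string) ([]Requirement, error) {
	var reqs []Requirement
terms:
	for _, term := range strings.Split(s, ",") {
		if term = strings.TrimSpace(term); term == "" {
			continue // an empty selector matches every namespace
		}
		for _, op := range []string{"!=", "==", "="} { // longest operators first
			if i := strings.Index(term, op); i >= 0 {
				reqs = append(reqs, Requirement{term[:i], term[i+len(op):], op != "!="})
				continue terms
			}
		}
		return nil, fmt.Errorf("unsupported selector term %q", term)
	}
	return reqs, nil
}

// Matches reports whether labels satisfy every term; "!=" also holds when the key is absent.
func Matches(reqs []Requirement, labels map[string]string) bool {
	for _, r := range reqs {
		if v, ok := labels[r.Key]; (ok && v == r.Value) != r.Equal {
			return false
		}
	}
	return true
}

// ShouldPruneTag combines the hunk's three checks; the PR does not show how they are combined, so this rule is an assumption.
func ShouldPruneTag(sel []Requirement, nsLabels, tagAnnotations map[string]string) bool {
	_, allowImmunity := nsLabels[protectionLabel]               // assumed: label presence is enough
	tagImmune := tagAnnotations[protectionAnnotation] == "true" // literal "true" only, as in the hunk
	return Matches(sel, nsLabels) && !(allowImmunity && tagImmune)
}
```

The annotation on its own never protects a tag; only a namespace carrying the label can make it effective, which is the namespace-as-ACL-boundary point made in the discussion.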