image-pruning: dereference ImageStreamTags

[miminar]

Create strong references to images for each pod/bc/dc/etc that uses <host>/<repo>:tag reference.

Resolves bz#1498604 and https://bugzilla.redhat.com/show_bug.cgi?id=1386917

Images can manually removed using oc delete. Image stream tags having references to these images become obsolete - we may delete them.

To be sure that we don't remove reference to image that has just been created (and we don't know about it), make sure to honor --keep-younger-than.

[miminar]

Based on #16806 and #15807 to make registry extended tests work.

Please review only commits NOT prefixed by extended:.

Let's try it out:
/test extended_image_registry
/test

/assign @dmage @legionus
/cc @bparees

[miminar]

@legionus what do you think?

[bparees]

i'd prefer we report a warning if we can't parse an image reference, but don't prevent pruning. I think we had this conversation before, but my view is that if you don't have valid reference, we shouldn't care what you were trying to reference.

[miminar]

i'd prefer we report a warning if we can't parse an image reference, but don't prevent pruning. I think we had this conversation before, but my view is that if you don't have valid reference, we shouldn't care what you were trying to reference.

I agree. Changed to warning.

[dmage]

I disagree.

There can be two cases:

1. Docker change their policy on references (for example, they may allow the + symbol in tags). And we can change our policy on tags as well. In this case the old version of oc will fail to parse this reference, and it will happily remove images with such references ("graceful fail", yep).

2. Someone able to create a resource with an invalid image reference. This state is bad enough to start investigations. We shouldn't ignore bugs in our code.

[bparees]

if it's not a reference we can parse, then there can be no pods using it, by definition, no?

Whether that's a bug in our code or not doesn't really matter, if we can't parse it, it's not a reference.

And while i agree that the ability to create invalid references is bad(if it were to happen), the fact is the code paths are different (validation vs resolution) and pruning is not the place to reconcile/debug that.

[dmage]

Pruning is a client-side operation and it may have an outdated parser.

[legionus]

Whether that's a bug in our code or not doesn't really matter, if we can't parse it, it's not a reference.

@bparees But if you can't parse reference then you don't add a dependency and you can remove what is used right now.

Is not that a problem?

[legionus]

@miminar It's NAK for me.

[miminar]

This is very fragile IMHO. There are many possible registry hosts that can be used to fetch images from the integrated registry. Currently, this considers just the one determined by the algorithm or passed with --registry-url, which may be totally wrong.

Shall we collect all the possible registry hosts from all the images when we build the graph and match the url against the collected set?

[bparees]

how would you build the set of possible registry hosts that represent the internal registry?

[dmage]

Collecting all hosts from all the images is not enough. In general we can't know which DockerImageReference uses the internal registry. One can pull images through the router.

Even now I can use three names for the integrated registry: 172.30.1.1:5000, docker-registry.default.svc and docker-registry.default.svc.cluster.local. But only one can be specified in p.registryURL.

[bparees]

right, that's why i'm asking how you could build the set of all possible hosts that represent the registry? it doesn't seem possible (or at least reasonably possible) since anyone can create a service or route that points to it and then use that.

So i'm trying to understand what you're proposing doing when you say:

Shall we collect all the possible registry hosts from all the images when we build the graph and match the url against the collected set?

[miminar]

Most of the images pushed to the integrated registry will have $OPENSHIFT_DEFAULT_REGISTRY host name in their dockerImageReference attribute. All of them will be managed (and having managed annotation). There may be even some older managed images having some obsolete registry address. These addresses are most probably being used inside a cluster in deployments, pods, daemonsets, etc.

For the external ones, it's much harder. All we have (sometimes) is the optional --registry-url flag.

What I had in mind is iterating over all managed images and get a set of internal addresses, add the registry-url and docker-registry.default.svc.cluster.local and compare image references against this set.

[miminar]

Looks like this won't pass verification.

[dmage]

But it isn't kept.

Can you extract this part into func tagEventIsPrunable(tagEvent image.TagEvent, g, prunableImageNodes, keepYoungerThan) (ok bool, reason string)?

[miminar]

But it isn't kept.

Good catch, extracted.

[dmage]

p.algorithm is a part of pruner and can be removed from arguments.

[miminar]

p.algorithm is a part of pruner and can be removed from arguments.

Removed.

[dmage]

Why do we need this?

[miminar]

Why do we need this?

In order to dereference imagestreamtag to image, there must be some kind of mapping between the two. It could be regular map[istagname]image. But since we already have the graph, we can utilize it. The fact is that ImageStreamTagNode takes unnecessarily too much memory - we could make the istnode a lot smaller by making it contain just a single string (istagname). Or would you prefer regular map?

[bparees]

I would not have expected --keep-younger-than to apply to pod ages, just image ages. is this well documented?

--keep-younger-than=1h0m0s: Specify the minimum age of an image for it to be considered a candidate for pruning.

I understand the motivation, but i think the behavior would surprise people. I would prefer that we either said "stopped pods don't count as image references" or "prune your stopped pods before pruning your images" instead of this approach of overloading the keep-younger-than arg to "ignore some stopped pods, but count others"

[miminar]

It's poorly documented here. Our official docs say it better:

Do not prune any image that is younger than relative to the current time. Do not prune any image that is referenced by any other object that is younger than relative to the current time. (default 60m)

I'll fix it.

[dmage]

We shouldn't prune an image which is referenced by any other object, should we?

[miminar]

We shouldn't prune an image which is referenced by any other object, should we?

@dmage that's not what we've been doing. I agree that it would be the right thing to do to maintain the integrity. However, we don't have an easy to use pruning solution for all the objects that can reference images.

If we decide to keep the images referenced by any other object regardless of age, let's do it in some other PR. This PR makes it already harder to delete referenced images.

[bparees]

it's not clear (out of context) what this message means. Update it to something like "Ignoring pod %s for image reference counting because it is not running/pending and is older than %age"

[miminar]

Rewritten.

[bparees]

print the namespace for the imagestream too.

[miminar]

The namespace is already part of the streamName: https://github.com/openshift/origin/blob/4fc5ca3/pkg/image/prune/prune.go#L1077

[bparees]

print the IS namespace too.

[bparees]

s/deployment config/daemon set/

[bparees]

s/deployment config/replicaset/

[bparees]

how would you build the set of possible registry hosts that represent the internal registry?

[bparees]

please add a comment here explaining what is happening.

My understanding is something like:

If the pod container spec image reference does not contain a digest(e.g. it i just "docker.io/foo/bar:latest"), attempt to determine an image digest by looking for imagestreamtags that point to the image referenced by this pod container spec, and create a reference between the pod and that image to prevent the image from being pruned.

[miminar]

Commented.

[bparees]

/unassign @knobunc
/assign

[dmage]

NAK

[legionus]

NAK

[miminar]

/hold

[miminar]

@dmage @legionus can you please elaborate?

Update: The point is to error out on invalid image reference. All errors should be collected and reported during the building of graph.

Reason: consider a more benevolent reference parser (e.g. allowing + in the reference). Now consider old oadm client running against newer cluster having images with such a reference. The pruner would ignore such references leading to undesired removals.

~~I'm reworking it. ~~
Update: reworked.

[miminar]

All parsing errors are now collected and reported during the graph build.

I still need to verify the error reporting once I find out, how to inject bad image references into etcd.
Update: I wrote a unit test to capture this.

[miminar]

/test extended_image_registry

[miminar]

/hold cancel

[dmage]

Is it for getRef?

[miminar]

Yes, I'll put a comment there

Update: commented.

[dmage]

Why do you need this timeout?

[miminar]

The code is inspiried by

origin/pkg/oc/cli/cmd/version.go

Line 95 in 50389c0

func (o VersionOptions) RunVersion() error {

. The oc version asks the master for its version with some default timeout.

This call will be much faster than most of the other calls asking for object lists. On the other hand, I don't want to further block error reporting once we know we have failed and master is busy.

Update: changed it to get the timeout from client config

[dmage]

/approve
but I want one more opinion for lgtm :)

[bparees]

/lgtm

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, dmage, miminar

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/apps/OWNERS [bparees]
• pkg/cmd/OWNERS [bparees]
• pkg/image/OWNERS [bparees]
• pkg/oc/OWNERS [bparees]
• test/testdata/OWNERS [bparees]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-merge-robot]

Automatic merge from submit-queue.

[smarterclayton]

Did this start flaking in master? https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/17035/test_pull_request_origin_unit/5039/ On Oct 31, 2017, at 2:58 AM, OpenShift Merge Robot <[email protected]> wrote: Merged #16821 <#16821>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16821 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p5EoZWfroSswPhSOr_VnBtT1g0XPks5sxsUAgaJpZM4P25ZY> .

[miminar]

Did this start flaking in master?

Yes, sorry about that. Here's a fix: #17105