docker-tools icon indicating copy to clipboard operation
docker-tools copied to clipboard
verified publisher icon dotnet

Account for missing ACR images for build that only affects a portion of a shared tag

Open mthalman opened this issue 1 year ago • 3 comments

There can be a scenario that will cause the publishManifest command to fail.

Conditions:

  • A .NET version has become EOL and its associated images have been marked with EOL annotations.
  • Dockerfiles for that version have not yet been deleted from the repo.
  • Cleanup pipeline has deleted those EOL images from the ACR.
  • A base image of one of those Dockerfiles (e.g. Debian Bullseye) is updated, but only for a subset of the total set of architectures we have Dockerfiles for (e.g. amd64).
  • AutoBuilder runs a build to rebuild the affected Dockerfiles.

With these conditions, the publishManifest command will fail in the publish stage. This occurs because, when creating the manifest list for the shared tag (e.g. 6.0-bullseye), it needs to query the ACR to get the digests of all the images associated with that that. Since the pipeline didn't rebuild all of the architectures, there is no image for the architecture that was not updated in the ACR. So the query to get that image's digest fails.

The command we currently use to create the manifest list is exemplified by the following:

docker manifest create --amend \
  dotnetdocker.azurecr.io/public/dotnet/runtime-deps:6.0-alpine \
  dotnetdocker.azurecr.io/public/dotnet/runtime-deps:6.0.36-alpine3.20-amd64 \
  dotnetdocker.azurecr.io/public/dotnet/runtime-deps:6.0.36-alpine3.20-arm32v7 \
  dotnetdocker.azurecr.io/public/dotnet/runtime-deps:6.0.36-alpine3.20-arm64v8

We could investigate whether using docker buildx imagetools create --append could be used here instead.

Another lower-cost solution would be to extend the time period we use before deleting EOL images from the ACR. If this was extended past 1 month to allow for the 1 month grace period after the .NET version EOL date, then we could avoid this.

mthalman avatar Dec 04 '24 20:12 mthalman

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

ghost avatar Dec 04 '24 20:12 ghost

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

ghost avatar Dec 04 '24 20:12 ghost

[Triage] A good first step here is to investigate if using docker buildx imagetools create --append will be a simple solution to this issue. Whoever works on https://github.com/dotnet/docker-tools/issues/1510 should investigate this at the same time.

lbussell avatar Dec 09 '24 19:12 lbussell