
Many commit images on Quay lack an expiration date

Open pierreprinetti opened this issue 6 months ago • 5 comments

Problem description

Commit images were meant to only last 4 weeks on Quay; many of them don't have an expiration date.

ORC version

all branches?

Additional information

No response

Relevant log output


Jun 08 '25 20:06 pierreprinetti

The only images that have an expiration date are the ones built from the release-1.0 branch. None of the multi-arch builds have an expiration date.

Looking at the build for the image tagged with commit-a537121, we can see the docker buildx build command was invoked with the --label quay.expires-after=4w flag. It's the exact same flag that we're using in the release-1.0 branch (see for example the action that built the image tagged with commit-82b2c6e, which has an expiration date in quay).

The documentation says it supports the --label flag.

So, possibly a bug in the docker buildx build command?

Jun 09 '25 12:06 mandre

Actually, the label is present on the multi-arch images:

> skopeo inspect docker://quay.io/orc/openstack-resource-controller:commit-a537121 | jq .Labels
{
  "quay.expires-after": "4w"
}

The quay documentation says:

Tag expiration can be set up in one of three ways:

  • By setting the quay.expires-after= label in the Dockerfile when the image is created. This sets a time to expire from when the image is built. This label only works for image manifests.
  • By setting the quay.expires-after= annotation label in the Dockerfile when the image is created. --annotation can be passed in for both image manifests and image indexes.
  • By selecting an expiration date on the Project Quay UI.

Using a label only works for image manifests, while using an annotation works for both image manifests and image indexes.

We should change our DOCKER_BUILD_ARGS to --annotation quay.expires-after=4w.

Jun 09 '25 13:06 mandre

It didn't work.

I tried a few things this morning, but even when creating the image with annotations all over the place I'm not able to push images with an expiration date in quay:

$ make docker-buildx PLATFORMS=linux/arm64,linux/amd64 IMG=quay.io/mandre/openstack-resource-controller:multiarch DOCKER_BUILD_ARGS="--annotation index,manifest,manifest-descriptor:quay.expires-after=4w"

Created an image with no expiration date. I'm not sure what I'm missing.

Jun 10 '25 09:06 mandre

FWIW, the clair project uses the quay API to set an expiration for their images:

https://github.com/quay/clair/blob/6338de8b2318c30973eba180969e49242e42f50c/.github/actions/set-image-expiration/action.yml

Called from their github action:

https://github.com/quay/clair/blob/6338de8b2318c30973eba180969e49242e42f50c/.github/workflows/cut-release.yml#L214-L220

We may want to copy their script.

Jun 10 '25 11:06 mandre

> uses the quay API to set an expiration for their images

That would have the extra advantage of not changing the image SHA in the registry when you set the expiration date through a label.

Jun 10 '25 13:06 pierreprinetti
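
The API-based approach discussed in the last two comments, sketched as an added example; it is not code from this thread, from ORC, or from Clair's action. It assumes Quay's tag-update endpoint (PUT on /api/v1/repository/REPO/tag/TAG with an "expiration" Unix timestamp) and an OAuth token in QUAY_TOKEN; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Clair's script): expire an already-pushed Quay tag via the API.
# Assumptions: QUAY_TOKEN holds an OAuth token with write access to the repository;
# the 4-week default mirrors the lifetime discussed in this issue.
QUAY_API="${QUAY_API:-https://quay.io/api/v1}"

# expiration_epoch WEEKS [NOW]: Unix timestamp WEEKS after NOW (default: current time).
expiration_epoch() {
    weeks=$1
    now=${2:-$(date +%s)}
    echo $((now + weeks * 7 * 24 * 3600))
}

# validate_ref REPO TAG: accept only "namespace/name" and a plain tag, so neither
# value can alter the URL path or the JSON body.
validate_ref() {
    case $1 in */*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9._/-]*) return 1 ;; esac
    case $2 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

tag_url() { echo "$QUAY_API/repository/$1/tag/$2"; }
tag_payload() { printf '{"expiration": %d}' "$1"; }

# set_tag_expiration REPO TAG [WEEKS]: PUT the new expiration on the tag.
# Only tag metadata is sent; no image content is rebuilt or pushed.
set_tag_expiration() {
    validate_ref "$1" "$2" || { echo "invalid repository or tag" >&2; return 2; }
    [ -n "${QUAY_TOKEN:-}" ] || { echo "QUAY_TOKEN is not set" >&2; return 2; }
    curl --fail --silent --show-error -X PUT \
        -H "Authorization: Bearer $QUAY_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "$(tag_payload "$(expiration_epoch "${3:-4}")")" \
        "$(tag_url "$1" "$2")"
}

# Only touch the network when asked to: ./script.sh --apply REPO TAG [WEEKS]
if [ "${1:-}" = "--apply" ]; then
    set_tag_expiration "$2" "$3" "${4:-4}"
fi
```

Because the request runs after the push, it applies equally to single-arch manifests and multi-arch indexes, and a CI job can fail the build when the call does not succeed.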