Azure / acr

Azure Container Registry samples, troubleshooting tips and references
https://aka.ms/acr

Tag and Digest value showing same in log editor #734

Open docgurureddy opened 4 months ago

docgurureddy commented 4 months ago

Describe the bug

In Log editor, the SHA value of the image is displayed in both the Tag and Digest columns. That is, when a Managed Identity pulls the image from the registry using the tag name (not the SHA name), such as when attempting to build a custom image in Azure DevOps (ADO) by pulling the ACR image with the tag mentioned in the Dockerfile, the report still shows the SHA value. It's important to note that there are no Kubernetes, cluster, or other services involved in this scenario. It solely revolves around the ADO pipeline using a Dockerfile, where the image is pulled from ACR with a specified tag.

However, when a user retrieves the ACR registry image with a specified tag from a laptop, the report displays the tag name.

To Reproduce

Steps to reproduce the behavior:

  1. Pull the ACR image from the ADO pipeline by mentioning the image name and the tag name in the Dockerfile, and try to connect to ACR using a service connection created with an SPN.
  2. Try to find the pull records in the log editor and you will notice that the log editor records show the SHA name instead of the tag name in the TAG column.

For more details, refer to TrackingID#2401230040009938

Expected behavior

The tag name needs to be shown under the Tag column.

Screenshots

Screenshot attached. LogEditor_ACR_Pull_records

Any relevant environment information

NA

Additional context

Add any other context about the problem here. For more details, refer to TrackingID#2401230040009938 LogEditor_ACR_Pull_records

If any information is a concern to post here, you can create a support ticket or send an email to acrsup@microsoft.com.

cegraybl commented 4 months ago

Hello @docgurureddy, this is actually a change from the Docker client. Since 20.10, the client will do a pull by digest even if the tag is specified.

This is an optimization on the client side that makes it simpler to search in the local cache and reduces the number of API calls, but it causes this effect, where the request sent to the service is made by digest, and the logs are generated with the information that is received from the client.

You can verify this by testing with a different client, like podman.

docgurureddy commented 4 months ago

Hi @cegraybl, I appreciate the explanation. However, how can I ensure that I obtain the tag name instead of the SHA value? Or how do I guarantee that the user or client always retrieves the image from the registry rather than the cache?

My requirement is straightforward: if the client or user pulls the image using the tag name, I want the tag name to appear in the log editor for registry operations and maintenance activities.

cegraybl commented 4 months ago

I understand, but in this case the change of behavior comes from the client; the audit logs report on the requests as they are sent and processed by the service.

The Moby project would need to offer an option to revert to the old behavior.
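
One log-side way to recover candidate tag names when pulls arrive by digest, as described in the thread above. This is an added example, not code from the thread or from the ACR project; the record fields (`time`, `op`, `repo`, `tag`, `digest`) and every sample record are constructed, and it assumes push events are logged with both the tag and the digest.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed digests and records; the field names are assumptions for this sketch.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
DIGEST_C = "sha256:" + "c" * 64
RECORDS = [
    {"time": "2024-01-20T10:00:00Z", "op": "Push", "repo": "app", "tag": "v1", "digest": DIGEST_A},
    {"time": "2024-01-21T10:00:00Z", "op": "Push", "repo": "app", "tag": "latest", "digest": DIGEST_A},
    # Pipeline pull: the client sent the digest, so the tag column holds it too.
    {"time": "2024-01-22T09:00:00Z", "op": "Pull", "repo": "app", "tag": DIGEST_A, "digest": DIGEST_A},
    # "latest" is moved to a new image.
    {"time": "2024-01-23T10:00:00Z", "op": "Push", "repo": "app", "tag": "latest", "digest": DIGEST_B},
    {"time": "2024-01-24T09:00:00Z", "op": "Pull", "repo": "app", "tag": DIGEST_B, "digest": DIGEST_B},
    # Pull from a client that sends the tag: logged as-is.
    {"time": "2024-01-24T10:00:00Z", "op": "Pull", "repo": "app", "tag": "v1", "digest": DIGEST_A},
    # Digest with no push record in the window: nothing to resolve against.
    {"time": "2024-01-25T09:00:00Z", "op": "Pull", "repo": "app", "tag": DIGEST_C, "digest": DIGEST_C},
]


def resolve_pull_tags(records):
    """Return one (time, repo, digest, candidate_tags) tuple per pull record."""
    current = {}  # (repo, tag) -> digest the tag pointed to after its latest push
    resolved = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["op"] == "Push":
            current[(rec["repo"], rec["tag"])] = rec["digest"]
        elif rec["op"] == "Pull":
            if DIGEST_RE.match(rec["tag"]):
                # Pull was sent by digest: list every tag on that digest at pull time.
                tags = sorted(tag for (repo, tag), digest in current.items()
                              if repo == rec["repo"] and digest == rec["tag"])
            else:
                tags = [rec["tag"]]  # the client sent the tag; keep it as logged
            resolved.append((rec["time"], rec["repo"], rec["digest"], tags))
    return resolved


if __name__ == "__main__":
    for time, repo, digest, tags in resolve_pull_tags(RECORDS):
        print(time, repo, digest[:19], tags or "unresolved")
```

When several tags point at the same digest, the result lists all of them: the log cannot say which one the client asked for. Tag deletions are not modelled in this sketch.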