Open HenryvanderVegte opened 1 week ago
Hi @HenryvanderVegte,
2.245.5 is not the latest Azure CLI(2.64.0).
If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.
Thank you for opening this issue, we will look into it.
Here are some similar issues that might help you. Please check if they can solve your problem.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @luisdlp, @northtyphoon.
cc @nathana1
Describe the bug
When running az acr import like
to copy the image by tag (e.g. 'latest') from sourceacr to targetacr, there is a race condition when the manifest for the tag in the source registry changes while the az acr import command is in progress.
In that case, the 'az acr import' command completes without any errors. However,
docker pull
fails withLooking into the azure ACR I can see the tag + digest:
but receive a 404 NotFound error when trying to fetch the manifest:
I believe this is the same issue that was described in https://github.com/Azure/azure-cli/issues/21944.
As described in https://github.com/Azure/azure-cli/issues/21944, this is very dangerous if the ACR is used by a kubernetes cluster, since it results in pod startup issues with ImagePullBackoff errors.
Related command
Here's a timeline of all commands that ran to bring the ACR in a bad state:
1) myimage:142506623 with digest 02f3... pushed to source acr and gets tagged with latest
2) az acr import to target registry starts
3) myimage:142506638 with digest 3107... pushed to source acr and tagged with latest
4) az acr import to target registry completes
The az acr import in 4) completes without any errors, but from that time on the target registry is in a bad state.
Probably does not make a difference, but we're using a PullToken to connect to the source registry when transferring the image like
Errors
docker pull
on target acr fails with:az acr import
to copy the image from target acr to a different acr fails with:Issue script & Debug output
Captured debug output via
but afraid that it might contain sensitive information. Will provide if required.
Expected behavior
az acr import should leave the registry in a consistent state. it should either use the old or the new tag, and keep the corresponding manifest.
If the image associated with 'latest' changes while the command is running, it should either: 1) fail the az acr import command and not update anything 2) update the acr with the image that was associated with 'latest' when update started 3) update the acr with the new 'latest' image
Environment Summary
azure-cli 2.245.5
Additional context
No response