Closed diranged closed 4 years ago
You're in luck, @diranged, read this, buddy ;) : https://github.com/SUSE/Portus/issues/2241#issuecomment-586653023
Set PORTUS_DELETE_ENABLED=true, and don't forget about issue templates :see_no_evil:
@Jean-Baptiste-Lasselle I am confused - we have PORTUS_DELETE_ENABLED=true
in the environment for both of our portus containers..
@diranged True, my mistake; I thought it didn't appear in the output of docker exec portus-background env, but I just saw it.
I believe the explanation might be the following (and I get that from this issue): setting PORTUS_BACKGROUND_SYNC_STRATEGY=update-delete alone is not enough. Even if portus:info shows it enabled for background, maybe you also have to set those variables for both the background and portus containers:
# that's my docker-compose.yml
# do the same in your config file for both the background and portus services
# [...]
  background:
    environment:
      # Sync config
      - PORTUS_BACKGROUND_REGISTRY_ENABLED=true
      - PORTUS_BACKGROUND_SYNC_ENABLED=true
      - PORTUS_BACKGROUND_SYNC_STRATEGY=update-delete
      # what if you set it only to `update`? I'm curious: run the test and feed back what happens...
      # - PORTUS_BACKGROUND_SYNC_STRATEGY=update
# [...]
While I am testing a few things right now, I'll note that the background_sync_enabled setting is enabled by default; you can see that in the portus:info output.
Hi @diranged, thank you so much for your feedback about that too. I was indeed discussing, on another issue we crossed roads on, whether the SYNC feature is activated by default or not. So it is, and what I said in that issue is even more true; I'll go back there to pass that on to our colleague.
I indeed checked at http://port.us.org/docs/Configuring-Portus.html#background-process :
- "The sync task can be disabled as well"
It can be disabled, so it is enabled by default. Just to say, the documentation constantly keeps us dangling like that; we have to do guess-work...
aws s3 rm s3://XXX/prod_v2/docker/registry/v2/repositories/${REPO}/${NAME}/_manifests/revisions/sha256/${DIGEST}/link
aws s3 rm --recursive s3://XXX/prod_v2/docker/registry/v2/${REPO}/_manifests/tags/${TAG_NAME}/
Hi @diranged, I have one new, precise question today, to take one more step forward here: after you deleted those images directly from the registry's storage (your S3 bucket), if you query the registry's Catalog API v2, do you still see all these 5000 images, or does the Catalog API confirm those images are gone? I'm asking because that's exactly what the SYNC does, in the background: it calls the Catalog API v2, compares the results to the portus database, and then operates the SYNC based on this comparison.
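For what it's worth, here is a tiny sketch, in plain shell with made-up file names (this is not Portus' actual Ruby code), of the comparison the background SYNC performs: the repositories the DB knows about but the Catalog API no longer lists are exactly the ones an update-delete strategy would remove.

```shell
# registry_repos.txt: repositories reported by GET /v2/_catalog
# (already extracted from the JSON; contents here are made up)
printf 'app/one\napp/two\n' | sort > registry_repos.txt

# db_repos.txt: repositories the Portus database believes exist
printf 'app/one\napp/three\n' | sort > db_repos.txt

# Lines present only in the DB file: images gone from the registry,
# i.e. what the update-delete strategy would delete from the DB.
comm -13 registry_repos.txt db_repos.txt
# prints: app/three
```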
Also asking because of these log lines:
2020-02-03T16:44:32.561Z,docker-portus-background,[catalog] Could not fetch manifest for 'XXX/XXX' with tag 'phab-30677-92977':
2020-02-03T16:44:32.560Z,,[catalog] Could not fetch manifest for 'XXX/XXX' with tag 'phab-30677-92977':
2020-02-03T16:44:32.560Z,,"52.21.41.87 - - [03/Feb/2020:16:44:32 +0000] ""GET /v2/XXX/XXX/manifests/phab-30677-92977 HTTP/1.1"" 404 198 ""-"" ""Ruby"""
2020-02-03T16:44:32.560Z,,"172.18.0.5 - - [03/Feb/2020:16:44:32 +0000] ""GET /v2/XXX/XXX/manifests/phab-30677-92977 HTTP/1.0"" 404 198 """" ""Ruby"""
Regarding that 404, I want to make sure who answers whom, and what the answers mean exactly. Just in case the test is not too heavy to be done; maybe you already ran it, and I'll do the test at some point anyway.
Nevertheless, your case is extremely important in my eyes: 5000 images.
And, to just copy-paste:
export YOUR_REGISTRY_NETNAME=registry.youprivateinfra.io
export PORTUS_TOKEN=deTcV_afbsqsds566d65565654dfseef5463a
# List all repositories (images) :
curl -i -H "Authorization: Bearer $PORTUS_TOKEN" https://${YOUR_REGISTRY_NETNAME}/v2/_catalog
# List all tags for a repository:
export SOME_REPOSITORY=ubuntu
curl -X GET -H "Authorization: Bearer $PORTUS_TOKEN" https://${YOUR_REGISTRY_NETNAME}/v2/${SOME_REPOSITORY}/tags/list
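One more step that may help if you script deletions against the Registry API: the DELETE endpoint takes a digest, not a tag. A common way to resolve a tag to its digest is to request the manifest with the v2 media type and read the Docker-Content-Digest response header. A sketch, reusing the placeholder host, repository, and token from above; the extract_digest helper is my own illustration:

```shell
YOUR_REGISTRY_NETNAME=registry.youprivateinfra.io
SOME_REPOSITORY=ubuntu
TAG=latest

# Helper: pull the digest out of raw HTTP response headers on stdin.
extract_digest() {
  awk 'tolower($1) == "docker-content-digest:" { sub(/\r$/, "", $2); print $2 }'
}

# The real calls would look like this (commented out here):
# DIGEST=$(curl -sI \
#   -H "Authorization: Bearer $PORTUS_TOKEN" \
#   -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
#   "https://${YOUR_REGISTRY_NETNAME}/v2/${SOME_REPOSITORY}/manifests/${TAG}" \
#   | extract_digest)
# curl -X DELETE "https://${YOUR_REGISTRY_NETNAME}/v2/${SOME_REPOSITORY}/manifests/${DIGEST}"

# Demonstrate the parsing on canned headers:
printf 'HTTP/1.1 200 OK\r\nDocker-Content-Digest: sha256:f18be685\r\n' \
  | extract_digest
# prints: sha256:f18be685
```

Note that the Accept header matters: without it, some registries compute the digest over a schema1 conversion of the manifest, and the DELETE then 404s.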
So ultimately we had to go another route - we had ~160k image tags we needed to purge, and it just was not seeming possible to do it in an automated and clean way. We created a new bucket, migrated the images we wanted into the new bucket, and then reconfigured portus. Once our underlying bucket was small again (80TB -> 1TB, ~160k tags -> ~1k tags), the automatic background sync process worked fine.
It's my guess that the process to do the background sync took so long and was all done in a single DB transaction that it ultimately failed and would just keep re-running over and over again. I have no evidence of this, but when I look at the code it strikes me as silly that most of the background jobs are entirely run in a single transaction. That doesn't scale well on larger implementations.
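To make that scaling concern concrete, here is a toy shell illustration (nothing to do with Portus' actual Ruby internals) of the difference between one all-or-nothing pass and chunked batches, where each xargs invocation stands in for one independent transaction:

```shell
# 1000 fake tag names, like the phab-* tags in this thread
seq 1000 | sed 's/^/phab-/' > tags.txt

# Process them 100 at a time; each invocation below could commit (or fail
# and be retried) on its own, instead of one giant all-or-nothing pass.
xargs -n 100 sh -c 'echo "batch of $# tags"' _ < tags.txt
# prints "batch of 100 tags" ten times
```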
Oh my gosh, thank you soooooo much for this feedback, @diranged, it's like awesome!
I so totally understand about the transaction, and now I have so many ideas to improve the situation with portus!
And yeah, the solutions you thought of make so much sense. Plus, I mean, it's either you hacked into my personal computer or we are almost mind-synced... I wrote that yesterday:
https://github.com/SUSE/Portus/issues/2241#issuecomment-592317456
Just yesterday, yeah, check out the date-times.
I can't put it into words yet, but there's something going on in this field...
@diranged And yeah, so your 404 was the transaction failing... wasn't it?
Hi @diranged, I have some news; I wanted to share with you what I shared with @robgiovanardi about the opensuse/portus:2.5 OCI container image.
Hi @diranged, this time it's done, I have a solution to use; all details at https://github.com/SUSE/Portus/issues/2241#issuecomment-593370789 :)
I will read any feedback from you with interest.
Hi @diranged, I have some news here I absolutely want to share with you: I verified that the background process did call the registry to ask it to delete the image, that the registry does get the request from background, and even accepts it with a 202. The HyperText Transfer Protocol (HTTP) 202 Accepted response status code indicates that the request has been received but not yet acted upon.
jbl@pegasusio:~/.buildfromsrc.portus$ docker push oci-registry.pegasusio.io/pokus/ipfs-testground:0.0.2
The push refers to repository [oci-registry.pegasusio.io/pokus/ipfs-testground]
42477113dc05: Layer already exists
30b16eb7ac5e: Layer already exists
ce8168f12337: Layer already exists
0.0.2: digest: sha256:f18be685992e4e4a30bcea7d26a75e23e71fe0b38290af15cadf55b77ae724eb size: 953
jbl@pegasusio:~/.buildfromsrc.portus$ docker exec -it compose_registry_1 bash
OCI runtime exec failed: exec failed: container_linux.go:349: starting container process caused "exec: \"bash\": executable file not found in $PATH": unknown
jbl@pegasusio:~/.buildfromsrc.portus$ docker exec -it compose_registry_1 sh
/ # bin/registry garbage-collect /etc/docker/registry/config.yml
pokus/ipfs-testground
pokus/rocket.chat
0 blobs marked, 12 blobs and 0 manifests eligible for deletion
blob eligible for deletion: sha256:dc65f448a2e2f2ea557e69ed9ac65aa8ac0e16f1bce68f90de910b4d5a2f1ba1
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/dc/dc65f448a2e2f2ea557e69ed9ac65aa8ac0e16f1bce68f90de910b4d5a2f1ba1 go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:f18be685992e4e4a30bcea7d26a75e23e71fe0b38290af15cadf55b77ae724eb
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/f1/f18be685992e4e4a30bcea7d26a75e23e71fe0b38290af15cadf55b77ae724eb go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:3a705fad094c9483069d4036c01a0c49381cf5a855d675bb840061fbed10b71c
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/3a/3a705fad094c9483069d4036c01a0c49381cf5a855d675bb840061fbed10b71c go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:3c7454a13eb92a684220862a298cd4d970be862a4bf8671856e03e2fd3b21efe
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/3c/3c7454a13eb92a684220862a298cd4d970be862a4bf8671856e03e2fd3b21efe go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:4d412742cdb2a7107b586098588ce29082d0d5357bd43244a513cfd6f81cf67e
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/4d/4d412742cdb2a7107b586098588ce29082d0d5357bd43244a513cfd6f81cf67e go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:6c6d376e3536f6ab4064c5485bd2f563b4d090cfbb6e48ba7349373fbe3479c1
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/6c/6c6d376e3536f6ab4064c5485bd2f563b4d090cfbb6e48ba7349373fbe3479c1 go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:a6a4baaaf9d474e54882cd067bfa96e894d6e037a9d0e9efe3f4ef7c83c773e5
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/a6/a6a4baaaf9d474e54882cd067bfa96e894d6e037a9d0e9efe3f4ef7c83c773e5 go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:a8ae8a1bb8caea4adfc9e40f1873b018b04b858d6467be8ee7f9edf902ed02bc
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/a8/a8ae8a1bb8caea4adfc9e40f1873b018b04b858d6467be8ee7f9edf902ed02bc go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:0fdc1692cfe97373ceb9550adfd87071e4763c3e8221fa0784a891dbcb650b6e
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/0f/0fdc1692cfe97373ceb9550adfd87071e4763c3e8221fa0784a891dbcb650b6e go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:491c5bd642d1e04229bf41718ca391d820535c78544418d25b90f9ba836e5a3b
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/49/491c5bd642d1e04229bf41718ca391d820535c78544418d25b90f9ba836e5a3b go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:4d43c4a94fa978c4e4cd255436c2f47ede74aed95c0ecc5dd31d16727f91d09c
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/4d/4d43c4a94fa978c4e4cd255436c2f47ede74aed95c0ecc5dd31d16727f91d09c go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
blob eligible for deletion: sha256:66f50e765badb4dad6abd38d8a98e677090c59883ed086547d1a718d4a832e0a
INFO[0000] Deleting blob: /docker/registry/v2/blobs/sha256/66/66f50e765badb4dad6abd38d8a98e677090c59883ed086547d1a718d4a832e0a go.version=go1.11.2 instance.id=5672e9f1-5147-4ee3-818e-9adb652161f3
/ # exit
jbl@pegasusio:~/.buildfromsrc.portus$ docker push oci-registry.pegasusio.io/pokus/ipfs-testground:0.0.2
The push refers to repository [oci-registry.pegasusio.io/pokus/ipfs-testground]
42477113dc05: Pushed
30b16eb7ac5e: Pushed
ce8168f12337: Pushed
0.0.2: digest: sha256:f18be685992e4e4a30bcea7d26a75e23e71fe0b38290af15cadf55b77ae724eb size: 953
Last, but not least: this will not solve the issue you had with the portus background, "because the delete list is so big that the whole process times out"... Unless... Unless we can scale out background.
And this is why I am going, sooner than planned, to test and make portus scale in Kubernetes. I prepared this for the purpose; if you want to try (early access, still messy documentation, yet usable with a little patience): https://github.com/pegasus-io/a-k8s-demo/releases/tag/0.0.4
So basically, this test that I carried out yesterday shows that even with portus working 100 percent as designed, we still need to run the docker registry's garbage collector.
This garbage collection is what you used with what you called "method 2". As for the registry itself, we will find a lot on the internet about how people load-balance the registry. The 404 in your case came from the SYNC, but both the SYNC and a manual delete like this one will experience the same behavior under a large-scale payload:
curl -v -X DELETE http://registryhost:registryport/v2/${docker_image_name}/manifests/${digest}
Also, portus should never, ever explicitly trigger the registry's garbage collection. That way, registry garbage collection can be completely freely tuned, and that is very important for any garbage collection; ask any Java architect who knows how to tune GC, or ask Gil Tene, from Azul. I also have a feeling that portus and registry probably need to be deployed with two distinct K8s StatefulSets. This is extremely interesting.
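On "freely tuned" garbage collection: since the registry ships its own offline garbage collector (the command from my transcript above), the simplest way to keep its tuning independent of Portus is to schedule it yourself. A sketch, assuming the container name from this thread's compose setup (compose_registry_1) and a nightly low-traffic window:

```shell
# Write a crontab entry that runs the registry's own GC nightly at 03:00.
# Container name and schedule are assumptions; adjust to your deployment.
cat > registry-gc.cron <<'EOF'
0 3 * * * docker exec compose_registry_1 bin/registry garbage-collect /etc/docker/registry/config.yml
EOF

cat registry-gc.cron
```

Pick a genuinely quiet window: the garbage collector is meant to run while no pushes are happening, otherwise deletes can race with uploads.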
I want to again thank you for pointing out the missing commit from master related to keep_latest on @robgiovanardi's issue; it is one of the things that gave me the courage to crack it all open.
So merry Easter
Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Description
We recently upgraded to Portus 2.4.3 w/ Docker Registry 2.7.1. We have ~100k old image tags we need to purge, and we've discovered that, due to how the Registry process handles DELETE calls, it's wildly inefficient to delete the images that way.
Instead, we want to follow "method 2" in https://medium.com/better-programming/cleanup-your-docker-registry-ef0527673e3a. So we ran a test.
We manually deleted ~5000 old image tags matching the name phab-XXXX-XXXXX from our S3 bucket and then let the portus background process try to do its thing. Unfortunately it seems that the process is discovering that the tag is gone, but is not making any calls back to Portus to delete them from the DB.
Steps to reproduce
Delete tags directly from the registry's backing storage, then run the background process with the sync strategy set to update-delete.
Deployment information
Deployment method: we're using the Docker Compose example, but managing it with Puppet. Overall it's a portus, portus-background, registry and redis container on a single host, with an nginx container acting as a reverse proxy.
Configuration:
You can get this information like this:
Here is the portus:info output:
Here is the env: