mildmojo
commented
1 month ago I can reproduce this bug manually. Basic reproduction steps with awscli:
# Find an image, copy the digest
aws ecr list-images --repository-name $REPO
# Get image details by digest, record lastRecordedPullTime
aws ecr describe-images --repository-name $REPO --image-ids imageDigest=$DIGEST
# Call batch-get-image on the image
aws ecr batch-get-image --repository-name $REPO --image-ids imageDigest=$DIGEST
# Get image details again, verify lastRecordedPullTime was improperly updated
aws ecr describe-images --repository-name $REPO --image-ids imageDigest=$DIGESTI have codebases with dev and test environments that are pinned to older ECR images for some of their dependencies. Since any of the present-day ECR lifecycle policies always delete these old, still-used images, I planned to use lastRecordedPullTime to build my own cleanup task instead. However, my ecosystem has other daily/hourly background tasks outside my control that monitor images in these repos, so they constantly update lastRecordedPullTime on thousands of unused, never-pulled images.
This is a blocker for automated cleanup in my ECR repos.
Related:
lastRecordedPullTimerequested and added in: #1182- Pending request for new ECR lifecycle policy based on last pull time in: #921
Tell us about your request Do not update lastRecordedPullTime on batch-get-image API call.
Which service(s) is this request for? ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? ECR introduced the concept of image indexes. When I want to find all artifacts that belong to an image index, I have to call
batch-get-imageto get theimageManifestproperty, which contains information about all related artifacts in JSON format.When I call the
batch-get-imageendpoint, thelastRecordedPullTimeof my image is updated.Are you currently working around this issue? I removed support for
lastRecordedPullTimefrom my tooling since it can't be trusted (since I bump it myself via my tool).