search

goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.37k stars 4.69k forks source link

Proxy-cache image deletion still served by SHA #20079

Open Hapshanko opened 5 months ago

Hapshanko commented 5 months ago

Hello team, Does a harbor proxy-cache project delete an image only by TAG when deleted in the target repository?

I read in the documentation that If the image is no longer in the target registry, no image is served. but was not sure if this is exactly what it means.

Asking this to clarify because, when the image is deleted I seem to notice pulling it by a TAG (from the proxy-cache) indeed does not work anymore, but if I pull the same image by SHA, it still works.. so it seems to me as its not fully deleted?

Would like to know more about this process!

Another unexpected behavior on my client: For some reason after the image is deleted from the target repository and proxy-cache no longer serves it by TAG, my machine that still HAS the image locally, upon a docker pull by TAG still tried to pull it from the proxy-cache(which results in a not found error) instead of using the image locally! Which it has! Any idea how this could happen? It really impacted our production stability, and goes against what I knew about images.

stonezdj commented 5 months ago

could you please check the proxy.log when it is pulling image from proxy cache project? the first request could be a HEAD request to the proxy-cache with tag, when the client knows the digest of the tag, then the second request is a GET request to the proxy-cache with digest.

MinerYang commented 5 months ago

Could you describe what is delete an image only by TAG?

Hapshanko commented 5 months ago

Could you describe what is delete an image only by TAG?

What I mean is exactly the behavior I explained next, I noticed that when an image is deleted in the target repository, the proxy cache no longer serves that image specifically by TAG, but if I try to pull it by SHA it still serves it, hence I am trying to understand what goes on in the background.

Hapshanko commented 5 months ago

could you please check the proxy.log when it is pulling image from proxy cache project? the first request could be a HEAD request to the proxy-cache with tag, when the client knows the digest of the tag, then the second request is a GET request to the proxy-cache with digest.

Where is this file located? We are deploying harbor on k8s.

The only log we saw in the stdout of the container was a warning log for when an image is not found when pulled by TAG that doesnt exist/was deleted from target repository

Hapshanko commented 4 months ago

Any updates?

github-actions[bot] commented 2 months ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

MinerYang commented 2 months ago

cc @stonezdj

github-actions[bot] commented 1 week ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.