qweeah
commented
1 month ago @side-chains How is the retention policy setup? What is the retention period?
Open side-chains opened 1 month ago
qweeah
commented
1 month ago @side-chains How is the retention policy setup? What is the retention period?
qweeah
commented
1 month ago I have added separator lines for visual comfort
@FeynmanZhou A strong plus on adding such visual comfort to the HTTP trace logs.
side-chains
commented
1 month ago @side-chains How is the retention policy setup? What is the retention period?
Click on the registry resource. On the left menu, under policies, there is an item named retention (preview). There you can only enable or disable the retention policy and, if it is enabled, you can choose the retention period in days.
I have tried with registries with retention periods of 5 and 7 days. The problem is the same in both cases.
qweeah
commented
1 month ago Checked registry logs and it should be a bug in ACR's retention feature. @side-chains Since you already have an Azure subscription, you can file a service ticket referencing this GitHub issue and we will follow it up in the ticket for privacy purposes.
side-chains
commented
1 month ago Checked registry logs and it should be a bug in ACR's retention feature. @side-chains Since you already have an Azure subscription, you can file a service ticket referencing this GitHub issue and we will follow it up in the ticket for privacy purposes.
@qweeah Does oras use the same base code as notation? Or, does it not interact with the registry in a similar way? If the bug is on azure's side, how does it explain that notation can push and tag without getting the error?
qweeah
commented
1 month ago As far as I know, notation should generate artifact without tags.
side-chains
commented
1 month ago As far as I know,
notationshould generate artifact without tags.
@qweeah Well, it creates a signature manifest, with the subject being the image that is being signed, and one or more layers with signatures. This one is, indeed, untagged.
However, it also creates an index manifest with a list of manifests pointing to all signature manifests corresponding to that image. This one is tagged as sha256- followed by the sha256 of the image that is being signed.
qweeah
commented
1 month ago Okay, in that case(referrers tag schema) ORAS and notation should use the same SDK, oras-go. Will check the implementation detail later. Back to your issue, I am pretty sure that errors are caused by ACR but cannot share server-side logs here for privacy consideration.
qweeah
commented
1 month ago @side-chains I have confirmed that both Notation and ORAS push manifests in the same way. Your error is caused by a known issue in ACR retention policy feature(I cannot share server-side logs here but feel free to join our slack channel https://cloud-native.slack.com/archives/CJ1KHJM5Z to discuss). I would suggest you raise a ticket and get help from ACR supports directly.
sajayantony
commented
3 weeks ago @FeynmanZhou one more usecase IMHO remove -d and linking - #911
What happened in your environment?
When trying to push a manifest with a tag to an azure registry with a retention policy,
orasreports a500: Internal Server Error. If I disable the retention policy on azure, I can push the tag successfully.Interestingly,
notationis able to push its blobs and manifests to the same registry, even when the retention policy is enabled. This suggests that there is something that can be done on the client side to make it work.Notes:
oras tagalso produces a 500 error.The detailed output, with
-d -vflags (I have added separator lines for visual comfort):What did you expect to happen?
A successful response when pushing the tag.
How can we reproduce it?
Setup an azure registry and enable a retention policy. Then run
What is the version of your ORAS CLI?
What is your OS environment?
ubuntu 22.04
Are you willing to submit PRs to fix it?