Open side-chains opened 1 month ago
@side-chains How is the retention policy setup? What is the retention period?
I have added separator lines for visual comfort
@FeynmanZhou A strong plus on adding such visual comfort to the HTTP trace logs.
@side-chains How is the retention policy setup? What is the retention period?
Click on the registry resource. On the left menu, under policies, there is an item named retention (preview). There you can only enable or disable the retention policy and, if it is enabled, you can choose the retention period in days.
I have tried with registries with retention periods of 5 and 7 days. The problem is the same in both cases.
Checked registry logs and it should be a bug in ACR's retention feature. @side-chains Since you already have an Azure subscription, you can file a service ticket referencing this GitHub issue and we will follow it up in the ticket for privacy purposes.
Checked registry logs and it should be a bug in ACR's retention feature. @side-chains Since you already have an Azure subscription, you can file a service ticket referencing this GitHub issue and we will follow it up in the ticket for privacy purposes.
@qweeah Does oras
use the same base code as notation
? Or, does it not interact with the registry in a similar way? If the bug is on azure's side, how does it explain that notation
can push and tag without getting the error?
As far as I know, notation
should generate artifact without tags.
As far as I know,
notation
should generate artifact without tags.
@qweeah Well, it creates a signature manifest, with the subject being the image that is being signed, and one or more layers with signatures. This one is, indeed, untagged.
However, it also creates an index manifest with a list of manifest
s pointing to all signature manifests corresponding to that image. This one is tagged as sha256-
followed by the sha256 of the image that is being signed.
Okay, in that case(referrers tag schema) ORAS and notation should use the same SDK, oras-go. Will check the implementation detail later. Back to your issue, I am pretty sure that errors are caused by ACR but cannot share server-side logs here for privacy consideration.
@side-chains I have confirmed that both Notation and ORAS push manifests in the same way. Your error is caused by a known issue in ACR retention policy feature(I cannot share server-side logs here but feel free to join our slack channel https://cloud-native.slack.com/archives/CJ1KHJM5Z to discuss). I would suggest you raise a ticket and get help from ACR supports directly.
@FeynmanZhou one more usecase IMHO remove -d
and linking - #911
What happened in your environment?
When trying to push a manifest with a tag to an azure registry with a retention policy,
oras
reports a500: Internal Server Error
. If I disable the retention policy on azure, I can push the tag successfully.Interestingly,
notation
is able to push its blobs and manifests to the same registry, even when the retention policy is enabled. This suggests that there is something that can be done on the client side to make it work.Notes:
oras tag
also produces a 500 error.The detailed output, with
-d -v
flags (I have added separator lines for visual comfort):What did you expect to happen?
A successful response when pushing the tag.
How can we reproduce it?
Setup an azure registry and enable a retention policy. Then run
What is the version of your ORAS CLI?
What is your OS environment?
ubuntu 22.04
Are you willing to submit PRs to fix it?