force copying an image #1854
Comments
|
Thanks for reaching out. What do you mean by forcibly copy, and what are you actually trying to do? Is the goal to avoid layer reuse and to copy exactly the original layers? To somehow re-upload data that is corrupt on the destination? Something else? Note that at least with the reference registry implementation, re-upload does nothing to fix pre-preexisting corrupt data: https://github.com/distribution/distribution/blob/362910506bc213e9bfc3e3e8999e0cfc757d34ba/registry/storage/blobwriter.go#L310-L314 . |
|
We are copying images to AWS ECR. ECR has a feature where it will scan images for vulnerabilities when you push them. However, it also has a misfeature where once the image is old enough, the scan result expires. According to AWS, once this happens, the only way to get it to scan again is to re-push the image. But since |
|
And that keys off of an upload of every individual layer, separately? The config? In Skopeo, redundant layer and config uploads are avoided, but manifests are always re-uploaded (except by Historically not avoiding the layer and config uploads was not optional because the reuse behavior seems unspecified, but on a second look that lack of specification might not actually be an issue — we assume automatic reuse for blobs that are being compressed already. Does removing the blob info cache (see debug log for location) make a difference? |
|
Unfortunately, AWS does not specify that level of detail. They just say you have to re-push. 😕 Is the blob info cache on the client side? We are pushing from within an ephemeral container, so it would not have any state preserved between calls to I might have to resort to |
|
Yes, the blob info cache is client-side. It typically makes a difference when the push modifies data (e.g. when pushing a build output, and compressing it in the process); not when copying unmodified images around.
I’m open in principle to adding a tunable, but for that we need to understand what to tune. |
|
@mtrmac I've asked AWS Support if they can provide more details on what is specifically required. I'll let you know what they say. |
|
They say we need to re-push the "complete" image. I guess that means all the layers? Also, I noticed something odd. I just ran |
|
Compare the |
|
A friendly reminder that this issue had no activity for 30 days. |
|
@mtrmac What if I need to push same blob but with different image or tag? It refuses: |
|
@MrFoxPro How does that make a difference? The blob exists on the registry, which is the effect you need, isn’t it? If you want to push to a different tag, push to a different tag. This reuse just means that push is faster and uses less CPU, disk and network bandwidth. Or is this also related to the AWS scanning trigger? |
|
A friendly reminder that this issue had no activity for 30 days. |
|
@rittneje , Did you manage to find a solution for your problem? We are running into the same issue when trying to enable AWS Inspector Enhanced scanning on older images. |
|
Is it know what exactly needs to happen to trigger the AWS behavior? I don’t know whether we would want to solve this by adding an option to the transport / CLI, or by building a separate (simple, slow) “upload all blobs” tool — but the first step needs to be understanding what makes the difference. |
|
@MarienL1995 We used the AWS CLI to delete the image ( |
|
A friendly reminder that this issue had no activity for 30 days. |
From what we've observed,
skopeo copyis smart and won't actually copy anything if the same image already exists at the destination. While this is desirable 99% of the time, we currently have a need to forcibly copy over the image anyway. Is there any way to do this?The text was updated successfully, but these errors were encountered: