Bug 1880068

Summary: image pruner is not aware of image policy annotation, StatefulSets, etc.
Product: OpenShift Container Platform Reporter: Oleg Bulatov <obulatov>
Component: ImageStreamsAssignee: Ricardo Maraschini <rmarasch>
Status: CLOSED ERRATA QA Contact: XiuJuan Wang <xiuwang>
Severity: high Docs Contact:
Priority: medium    
Version: 4.4CC: alchan, aos-bugs, jokerman, wzheng
Target Milestone: ---Keywords: UpcomingSprint
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Image pruner was not taking into account a series of objects when gathering its list of images in use. Consequence: Some images might be wrongly pruned due to this. Fix: Made pruner to consider objects of type StatefulSets, Jobs and CronJobs when gathering images in use. Result: Problem fixed and now images in use by these objects are not pruned anymore.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:18:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Oleg Bulatov 2020-09-17 15:41:38 UTC 
Description of problem:

The image pruner is not aware of StatefulSets, Jobs, CronJobs, etc.
Also it's not aware of the annotation alpha.image.policy.openshift.io/resolve-names

Version-Release number of selected component (if applicable):

4.x

How reproducible:

Always

Steps to Reproduce:
1. create an image stream with an image A
2. create a statefulset from the image stream (it should use the image A)
3. scale it down to 0 replicas
4. push 3 new images to the same image stream
5. run the pruner with default options (keep-tag-revisions=3)

Actual results:

the image A is deleted from the image stream

Expected results:

the image A is kept because it's used by the statefulset

Additional info:
Comment 6 XiuJuan Wang 2021-01-18 10:23:45 UTC 
Client Version: 4.7.0-0.nightly-2021-01-17-153039
steps:
1. create an image stream with an image A
2. create a statefulset|jobs|cronjobs from the image stream (it should use the image A)
3. scale it down to 0 replicas
4. push 3 new images to the same image stream
5. run the pruner with default options(--keep-tag-revisions=3) and --keep-younger-than=0m(since the default --keep-younger-than is 60m, and my imagestream is younger than 1h)
$oc adm prune images  --keep-tag-revisions=3  --registry-url=default-route-openshift-image-registry.apps.qe-ui47-0118.qe.devcluster.openshift.com  --loglevel=8  --keep-younger-than=0m

Could see the log, only revision 4 of the imagestream is pruned.

I0118 18:14:26.759804   27802 prune.go:906] imagestream xiuwang/statefulset: tag latest: revision 1: keeping sha256:3f205876e1e6d05d693c8fc94e7abf7137f20767c66c636431774f1ea37094d6 because tag is used by statefulset/hello-statefulset namespace=xiuwang
I0118 18:14:26.759808   27802 prune.go:978] Examining ImageStream openshift/jboss-fuse70-karaf-openshift
I0118 18:14:26.759812   27802 prune.go:931] imagestream xiuwang/statefulset: tag latest: revision 2: keeping sha256:2e83b9e07e85960060096b6aff7ee202a5f52e0e18447641b080b1f3879e0901 because of --keep-tag-revisions
I0118 18:14:26.759822   27802 prune.go:931] imagestream xiuwang/statefulset: tag latest: revision 3: keeping sha256:35e6ada1215bb168d6d9aff01001438a3c35c4fcb64680be3b7f23a5f2257863 because of --keep-tag-revisions
I0118 18:14:26.759822   27802 prune.go:931] imagestream openshift/fuse7-karaf-openshift: tag 1.0: revision 1: keeping sha256:be51ee43b1596078a17756f38a0017e9338c902f9094f1ad677844d165a02d43 because of --keep-tag-revisions
I0118 18:14:26.759829   27802 prune.go:948] imagestream xiuwang/statefulset: tag latest: revision 4: deleting repository links for sha256:04b6af86b03c1836211be2589db870dba09b7811c197c47c07fbbe33c7f80ef7...
I0118 18:14:26.759834   27802 prune.go:931]

Deleting layer link sha256:74f0853ba93b37c8152648905c48965c774d5a7d2de1967aef86ef0144561f62 in repository xiuwang/statefulset
I0118 18:14:26.759841   27802 prune.go:931] imagestream openshift/fuse7-karaf-openshift: tag 1.2: revision 1: keeping sha256:13577236b039ed11e9f1070f884e9836e731944575de2ee59b290b05e08ad5f8 because of --keep-tag-revisions
Deleting layer link sha256:3f4301e72ea16f463e696c5d9227f847a9444379a0e7bae5272eceb2dff7837f in repository xiuwang/statefulset
Deleting layer link sha256:28a27ae98fb5e643ac6930366a1e2d64dfcad31f3884c7c91afdeebbb16b494c in repository xiuwang/statefulset
Deleting layer link sha256:75d355fecbea4301f4c9e3efeda0af23f14ea4947b0579300572f1c82599de5f in repository xiuwang/statefulset
Comment 9 errata-xmlrpc 2021-02-24 15:18:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633