feat(retention): added image retention policies

[eusebiu-constantin-petu-dbk]

feat(metaDB): add more image statistics info

What type of PR is this?

Which issue does this PR fix:

What does this PR do / Why do we need it:

If an issue # is not available please add repro steps and logs showing the issue:

Testing done on this change:

Automation added to e2e:

Will this break upgrades or downgrades?

Does this PR introduce any user-facing change?:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[rchincha]

Also call this "feat(retention)"

[rchincha]

sync policies (are per-repo, regex, semver, etc) are a good fit here IMO. Thoughts?

[andaaron]

We are interested in both tags which would be retained and tags which would be removed, in case of dry run.
Can we show both? Are we showing both?

[codecov]

Codecov Report

Merging #1866 (782170b) into main (3e6053e) will increase coverage by 0.11%.
The diff coverage is 94.56%.

@@            Coverage Diff             @@
##             main    #1866      +/-   ##
==========================================
+ Coverage   89.87%   89.98%   +0.11%     
==========================================
  Files         158      164       +6     
  Lines       26978    27542     +564     
==========================================
+ Hits        24246    24785     +539     
- Misses       2012     2031      +19     
- Partials      720      726       +6     

Files	Coverage Δ
errors/errors.go	100.00% <ø> (ø)
pkg/api/config/config.go	97.72% <100.00%> (+0.37%)	⬆️
pkg/api/routes.go	94.50% <100.00%> (ø)
pkg/cli/server/validate_sync_enabled.go	100.00% <100.00%> (ø)
pkg/extensions/sync/local.go	91.28% <100.00%> (ø)
pkg/extensions/sync/references/cosign.go	97.03% <100.00%> (ø)
pkg/extensions/sync/references/oci.go	91.66% <100.00%> (ø)
pkg/extensions/sync/references/oras.go	85.83% <100.00%> (+0.11%)	⬆️
pkg/extensions/sync/references/referrers_tag.go	89.52% <100.00%> (ø)
pkg/log/log.go	85.18% <100.00%> (+0.56%)	⬆️
... and 18 more

... and 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[eusebiu-constantin-petu-dbk]

retains all tags, is true by default, and can not be used together with the other rules.

[eusebiu-constantin-petu-dbk]

tag is retained if any of these 4 rules is met.

because names are missing, then it will be applied for all tags in matched repos.
this will be applied for all repos that do not match the above policies (can be used like a default policy)

[eusebiu-constantin-petu-dbk]

any tag that doesn't match any tagRetention[].names will be removed!
if names rule is empty, then the rules below are applied for all tags.

[eusebiu-constantin-petu-dbk]

whether or not to delete manifests with missing subjects.

[rchincha]

So if you push an referrer but don't push the subject, then this policy kicks in.

[eusebiu-constantin-petu-dbk]

if they are older than retention.delay, yes

[eusebiu-constantin-petu-dbk]

whether or not delete manifests without tags.

[eusebiu-constantin-petu-dbk]

the policy applied on a repo is the first one in the list that matches
same for tagsRetention.

[rchincha]

Not longest prefix match?

[eusebiu-constantin-petu-dbk]

no, I raised that last week, can't remember why we didn't want that...

[andaaron]

Because it would be very tricky to get the configuration right as a user if the entries in the policy list can be in any order.
You would need to look at potentially hundreds such entries in any order to figure out which one would apply for the repo you are interested in.

If the first one matches you don't lose anything functionality-wise.
You can place your longest prefix match first, and your shorter prefix match afterwards and get the same result you would have gotten if we matched always on longest prefix.

[rchincha]

cc: @mbshields this needs documentation as well

[lictw]

Good interface, nice options for any case - great job, thanks! I will build and test it for sure, I need this!

I have one suggestion, I need it and I think it will be nice option too! I don't know how to name it exactly, let it be "dynamic tags":

Imagine tags like environment-{1,2,..}-* and I want to keep 2 latest for each environment (1, 2, etc), so I must write rules for each environment, but it's a dynamic thing, and there are many of them, I suggest to simplify it somehow.

So many groups of tags and single rule for each group, something like regex capture group (maybe named) I think the best solution cause our group value must be in any matched tag and we should extract&compare it for each tag, and it's also very "flat":

names: [(environment-\d+)-.*]

.., so for each matched tag we should compare $1 and interpret tags with same group as unique list/rule and do the things.

Maybe you imagine better interface, but I really think it's cool feature, and it will be very unique feature!

[lictw]

Update after first testing:

1. Please update main from upstream to pull changes about "delete repositories without manifests", now in your fork repositories are left after policies delete all tags.

2. Help me understand what is deleteReferrers, how it works? Also deleteUntagged about unfinished blobs, when it's uploaded, but not tagged (canceled push for ex.)?

3. I'm right that if some tags matched to rule, than only this rule defines who will be retained and this tags can't be now affected by rules below?

        {
          "repositories": ["**"],
          "deleteUntagged": true,
          "deleteReferrers": true,
          "keepTags": [{
            "patterns": ["main$"]
          },{
            "patterns": ["main"],
            "mostRecentlyPushedCount": 3
          },{
            "pushedWithin": "72h",
            "pulledWithin": "720h"
          }]
        }

For ex. here for tags like: main (meta-tag, always points to the last build of this branch), main.1, main.2, branch-foo (meta), branch-foo.13 I want:

1. main meta-tag always presented
2. 3 latest build from main branch not counting main meta-tag, cause it already matched by rule above
3. for builds from other branches and it will not affect any main builds cause all of them already matched by above rules

So the main point that this rules will not preserve main builds for 3 days how builds from other branches and will keep only 3 latest how it says, right? Then it's great implementation, thank you very much!

Also about above feature dynamic tags, in real world for complete retention I need something like this:

        {
          "repositories": ["**"],
          "deleteUntagged": true,
          "deleteReferrers": true,
          "keepTags": [{
            "patterns": ["main$"]
          },{
            "patterns": ["main\\..+"],
            "mostRecentlyPushedCount": 8
          },{
            "patterns": ["environments-[a-z]+$"]
          },{
            "patterns": ["(environments-[a-z]+)\\..+"],
            "mostRecentlyPushedCount": 1
          },{
            "pushedWithin": "72h",
            "pulledWithin": "720h"
          }]
        }

Everything like above, but also keep meta-tag for any environment and 1 latest build for each, and also, as for main, not match them by last rule (so not delay deletion for 72h).

In general, everything looks working, I use build of fork with retention for 2 days in my main zot installation, also seems that all works as I described in 3, and so as I said - it's great!

[lictw]

And also, I see there is a no difference between "patterns": ["main", "master"] and "patterns": ["(main|master)"], so it generates a single list to which the rule applies (pushedCount for example). I think it will be great if each pattern will generate personal list and when we write like "patterns": ["main", "master"] then we just want apply the single rule, but for each match, they are not the same, and my dynamic tags in this case will just automatic propagation of the patterns, when single "patterns": ["(environment-[a-z]+)\\..+"] will be processed (based on existing tags) as "patterns": ["(environment-foo\\..+", "(environment-bar\\..+", "(environment-baz\\..+"].

[eusebiu-constantin-petu-dbk]

Update after first testing:

1. Please update main from upstream to pull changes about "delete repositories without manifests", now in your fork repositories are left after policies delete all tags.
2. Help me understand what is deleteReferrers, how it works? Also deleteUntagged about unfinished blobs, when it's uploaded, but not tagged (canceled push for ex.)?
3. I'm right that if some tags matched to rule, than only this rule defines who will be retained and this tags can't be now affected by rules below?

        {
          "repositories": ["**"],
          "deleteUntagged": true,
          "deleteReferrers": true,
          "keepTags": [{
            "patterns": ["main$"]
          },{
            "patterns": ["main"],
            "mostRecentlyPushedCount": 3
          },{
            "pushedWithin": "72h",
            "pulledWithin": "720h"
          }]
        }

For ex. here for tags like: main (meta-tag, always points to the last build of this branch), main.1, main.2, branch-foo (meta), branch-foo.13 I want:

1. main meta-tag always presented
2. 3 latest build from main branch not counting main meta-tag, cause it already matched by rule above
3. for builds from other branches and it will not affect any main builds cause all of them already matched by above rules

So the main point that this rules will not preserve main builds for 3 days how builds from other branches and will keep only 3 latest how it says, right? Then it's great implementation, thank you very much!

Also about above feature dynamic tags, in real world for complete retention I need something like this:

        {
          "repositories": ["**"],
          "deleteUntagged": true,
          "deleteReferrers": true,
          "keepTags": [{
            "patterns": ["main$"]
          },{
            "patterns": ["main\\..+"],
            "mostRecentlyPushedCount": 8
          },{
            "patterns": ["environments-[a-z]+$"]
          },{
            "patterns": ["(environments-[a-z]+)\\..+"],
            "mostRecentlyPushedCount": 1
          },{
            "pushedWithin": "72h",
            "pulledWithin": "720h"
          }]
        }

Everything like above, but also keep meta-tag for any environment and 1 latest build for each, and also, as for main, not match them by last rule (so not delay deletion for 72h).

In general, everything looks working, I use build of fork with retention for 2 days in my main zot installation, also seems that all works as I described in 3, and so as I said - it's great!

Hello, and thanks for trying it!

1. done
2. deleteReferrers, will remove manifests for which their subject is missing.(was deleted, or was never uploaded)
3. deleteUntagged, will remove manifests without tags
4. yes, that's right, only the first tag policy is applied so your "main$" should be safe.

Imagine tags like environment-{1,2,..}-* and I want to keep 2 latest for each environment (1, 2, etc), so I must write rules for each environment, but it's a dynamic thing, and there are many of them, I suggest to simplify it somehow.

^here, I don't understand why you need rules per each environment, you want different rules for each one?

Let me think about the rest of the points, thanks for raising them.

[rchincha]

@peusebiu pls rebase

[lictw]

I don't understand why you need rules per each environment, you want different rules for each one?

The same, the same to keep last N, but N for each, 1 latest for env-A, 1 latest for env-B, not 1 for any. It seems to me that the best implementation that I have reached is described here.

deleteReferrers, will remove manifests for which their subject is missing.(was deleted, or was never uploaded)

PS what is subject?)

[rchincha]

deleteReferrers, will remove manifests for which their subject is missing.(was deleted, or was never uploaded)

PS what is subject?)

The OCI distribution spec is working towards allowing uploading of arbitrary content and add "soft links" to each other.
https://github.com/opencontainers/distribution-spec/blob/main/spec.md#enabling-the-referrers-api

[rchincha]

lgtm

[rchincha]

@lictw Thanks for all the feedback and testing.
This PR has been merged, so build from main and try.
We will take up further enhancements in future PRs.

[lictw]

@rchincha yep, nice job! Please ping me in future PRs to watch.

[lictw]

@peusebiu Hi! I'm back. I'm faced with a situation that I can't seem to solve with the current implementation. But a task seems so basic that I can't believe in it, so I decided to ask if I understand everything correctly.

I want to keep 3 latest tags, but only for some time, something like:

          "repositories": ["foo/**"],
          "keepTags": [{
            "mostRecentlyPushedCount": 3,
            "pushedWithin": "100h"
          }]

but there is OR logic, so above will keep latest 3 tags for forever. It's a DEV builds, I want to delete them fully after some time, but I also what to have only some latest builds if there is many, so it's the reason.

Also, I also have the latest tag, so I want to always keep the latest and 3 latest pushed tags, and delete all of them after some time.

And as side question about latest pulled, is it tracking for a specific tag or for whole image? If an image has 2 tags, but was pulled only by one, the second will be deleted?

[lictw]

@peusebiu up (@rchincha maybe?)

[andaaron]

@lictw

To answer your last paragraph, only the tags are deleted, the actual image/manifest is kept/deleted afterwards based on the separate setting you used for deleteUntagged. If the manifest is still referenced by at least one other remaining tag it should not be deleted.

I'm not sure there is a possibility to do an AND (intersection) between mostRecentlyPushedCount and pushedWithin. They were designed to independently apply for the same regex pattern identifying the tag strings. And I believe this constraint was because the patterns were meant to be unique, so there wouldn't be a possibility to have the same patterns value in multiple entries inside keepTags if you wanted to implement the OR (union).
I may be mistaking though. @peusebiu , @rchincha , what do you think?

[eusebiu-constantin-petu-dbk]

@andaaron you are right with your points.

Unfortunately what you want is not possible with current implementation :(.

the best you can do is:

"repositories": ["foo/**"],
"keepTags": [
    {
        "patterns": ["latest"]
    },
    {
    "mostRecentlyPushedCount": 4,
    }
]

if you want to always keep 'latest' and 3 more recent tags ^

"repositories": ["foo/**"],
"keepTags": [
    {
        "patterns": ["latest"]
    },
    {
    "pushedWithin": "100h"
    }
]

If you want to always keep latest + all recently pushed tags. ^

"repositories": ["foo/**"],
"keepTags": [
    {
        "patterns": ["latest"]
    },
    {
    "pushedWithin": "100h",
    },
    {
    "mostRecentlyPushedCount": 4
    }
]

If you want to always keep latest + most recently pushed tags (within 100h) and as a default case keep most recent 4 tags(latest may be included) if the tags are older than 100h. ^

[lictw]

@peusebiu why 4? Just to clarify that I understand how it equally works. Latest already done after first rule and should be excluded, is not it? So 3 from of the remaining.

After all, does my case is actual? Do you have any thoughts on feature improvements?