In our ECR, we are pushing many images every day with tag 16_XXXX. Some of the pushed images are not stable versions of the application. When there is a stable version, we are retagging the image with tag 16.XXXX.

We have set up a lifecycle policy to clean up images with 16_XXXX tag at imageCountMoreThan (500). Since there are images with two tags (i.e. stable version) (e.g. 16_0715 and 16.0715), will they be cleaned up too?

We don't want to delete all the stable versions of images. Is there a way to retag the image and remove the old tag just to exempt it from the ECR lifecycle policy?

Thanks!

Ronnieeeone

1 Answer

If you only have one rule, it will indeed delete your Stable images.

However, you can accomplish this with 2 rules in a policy. A rule at priority 10 will keep your Stable images (16.XXXX) safe, and a rule at priority 20 will 'see' the number of tags with your Unstable versions (16_XXXX) but will be unable to ever delete a Stable image because it is at a higher priority. Here's an example:

{
    "rules": [
        {
            "rulePriority": 10,
            "description": "Keep Stable Images",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["16."],
                "countType": "imageCountMoreThan",
                "countNumber": 9999
            },
            "action": {
                "type": "expire"
            }
        },
        {
            "rulePriority": 20,
            "description": "Delete Old Unstable Images",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["16_"],
                "countType": "imageCountMoreThan",
                "countNumber": 500
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}

Source: I wrote the rule evaluation logic for Lifecycle Policies :) You can also check the docs; the bottom of this page describes some facts about the system that users can take advantage of: https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html

An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority.
VolatileRig
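To see why the two-rule policy spares the dual-tagged images, here is an added simulation of the evaluation order the answer describes (an image is claimed by the highest-priority rule it matches and is then invisible to lower-priority rules). This is example code written for this page, not AWS's implementation; the registry contents are constructed, and only the imageCountMoreThan count type is modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The two-rule policy from the answer above, as a Python dict.
POLICY = {"rules": [
    {"rulePriority": 10, "description": "Keep Stable Images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["16."],
                   "countType": "imageCountMoreThan", "countNumber": 9999},
     "action": {"type": "expire"}},
    {"rulePriority": 20, "description": "Delete Old Unstable Images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["16_"],
                   "countType": "imageCountMoreThan", "countNumber": 500},
     "action": {"type": "expire"}},
]}

@dataclass
class Image:
    digest: str
    pushed_at: datetime
    tags: list = field(default_factory=list)

def matches(rule, image):
    """Selection test: a tagged image matches if any tag has any listed prefix."""
    sel = rule["selection"]
    if sel["tagStatus"] == "tagged":
        return any(t.startswith(p) for t in image.tags for p in sel["tagPrefixList"])
    return (not image.tags) if sel["tagStatus"] == "untagged" else True  # "any"

def evaluate(policy, images):
    """Return the digests the policy would expire. An image is claimed by the
    highest-priority (lowest number) rule it matches and is then invisible to
    lower-priority rules; only imageCountMoreThan is modelled here."""
    expired, claimed = set(), set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        matched = [i for i in images if i.digest not in claimed and matches(rule, i)]
        claimed.update(i.digest for i in matched)
        matched.sort(key=lambda i: i.pushed_at, reverse=True)  # newest first
        keep = rule["selection"]["countNumber"]
        expired.update(i.digest for i in matched[keep:])  # everything beyond the newest N
    return expired

def build_sample(n_unstable=600, every_nth_stable=50):
    """Constructed registry: one 16_XXXX push per day; every Nth image is also
    retagged 16.XXXX (two tags on one digest), as the question describes."""
    t0 = datetime(2018, 1, 1)
    images = []
    for i in range(n_unstable):
        tags = [f"16_{i:04d}"] + ([f"16.{i:04d}"] if i % every_nth_stable == 0 else [])
        images.append(Image(f"sha256:{i:064x}", t0 + timedelta(days=i), tags))
    return images
```

Running `evaluate` with only the priority-20 rule against the same sample expires the oldest stable images too, which is the one-rule behaviour the answer warns about.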
  • Thank you so much! Will implement this on our current setup and see the outcome :) I actually read all those bullet points on the bottom of the linked page but failed to evaluate the strategy that can be used with that rule. Your suggestion seems to satisfy that rule. Thanks! – Ronnieeeone Jul 19 '18 at 12:40
  • That's a good point, I'll see if I can talk to our doc writer and get some more useful situations and examples added :D – VolatileRig Jul 19 '18 at 17:46
  • Nice to get an answer from the author of the feature :) – Asfand Qazi Aug 08 '19 at 08:28
  • @VolatileRig Just curious why the rule doesn't allow tag prefixes that we want to exclude? For example we want to tag only stable images with a certain prefix like stable and leave the rest with other general tags like buildnumber and git hashes, which will be associated with all the images. Wouldn't it be nice just to specify the exclusion image tag to expire everything except the images with stable tags? – Vikas Oct 31 '20 at 01:00
  • I should say that I no longer work for AWS, but I can speak briefly on why it was designed like this. We took inspiration from S3's lifecycle policy evaluation, and had to keep a careful eye on the API design so that it remains simple and understandable. With a field that worked on deleting everything BUT the specified exclusions, we ran the risk of users accidentally making a policy that would delete every new image they uploaded unless it matched the exclusion pattern, which we thought would be more destructive and confusing in the long run. – VolatileRig Nov 02 '20 at 19:29
  • Well, I still found it counterintuitive. I think it would be definitely easier to use regexp to match the tags; using prefixes really limits your possibilities and makes you deal with these weird rules. – Ivan Garcia May 11 '21 at 18:44
  • ***Note:*** If you're looking to do this for multiple tags, each must be in its own rule - you can't include all in a single rule – John Feb 05 '22 at 14:47
  • With respect: The rules are weak and the semantics confusing. We expect ECR to behave like an OCI registry, not S3. Throwing away commit/branch tags and keeping version tags requires unorthodox tagging strategies (need distinct prefixes) and lots of rules that _still_ don't express intent (no action 'keep', only 'expire in the _far_ future'). – Raphael Nov 14 '22 at 10:30