-2

It seems like ECR is broken - anyone else experiencing this?

Lifecycle policies just stopped working:

  • image layers are not in use
  • rules work when tested
  • I can delete manually

I noticed this due to an increase in ECR costs.

Example policy not working:

{
  "action": {
    "type": "expire"
  },
  "selection": {
    "countType": "sinceImagePushed",
    "countUnit": "days",
    "countNumber": 2,
    "tagStatus": "tagged",
    "tagPrefixList": [
      "pr-",
      "frontend-pr-",
      "backend-pr-",
      "search-pr-",
      "cache-pr-"
    ]
  },
  "description": "purge PR builds",
  "rulePriority": 10
},


From the screenshot it should be visible that I have images with the given prefix older than 2 days, but they are still not being deleted.

lifeofguenter
  • Can you share the policy? – OARP Jun 11 '23 at 07:16
  • Without specific details of your ECR policy and without knowing the time you have waited for it to apply, there's really nothing anyone here can do to help you debug your issue. Your question seems to be more of a "what is the status of AWS ECR right now" question, which isn't appropriate for this site. If you think you've found a bug in ECR then you should report it to AWS instead of here. – Mark B Jun 11 '23 at 12:25
  • I updated with policy and image screenshot – lifeofguenter Jun 18 '23 at 11:47

1 Answer

1

I would suggest double-checking your rules because, for example, you're using tagPrefixList and this has one small gotcha...

an image is successfully matched if ALL of the tags in the tagPrefixList value are matched against any of the image's tags

In other words, when working with tagPrefixList be aware of the following:

(...) if your images are tagged as prod, prod1, prod2, and so on, you would use the tag prefix prod to specify all of them. If you specify multiple tags, only the images with all specified tags are selected

Having said that, the tagPrefixList property in the policy only considers the prefix portion of the tag and does not account for any characters beyond the prefix. In your case, the policy should match tags like frontend-pr-65 because the prefix frontend-pr- is present, but it will not match tags with additional characters or numeric suffixes like frontend-pr-65-1.

So, you either need to expand the tag by adding, say, frontend-pr-65- or, ideally, use regex, but this is not supported yet. :(

Here's the corresponding issue: https://github.com/aws/containers-roadmap/issues/1213

Also, keep in mind that

If an image is referenced by a manifest list, it cannot be expired without the manifest list being deleted first

So, check that as well.

Finally, make sure that your frontend-pr images are not marked anywhere else, say in other rules with higher priority, because

Rules can never mark images that are marked by higher priority rules, but can still identify them as if they haven't been expired

If in doubt, please consult the logic of the lifecycle policy evaluator in more detail here.

baduker
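
Added example (not part of the question or the answer, and not AWS's evaluator): a simplified Python model of the tagPrefixList rule quoted in the answer, applied to the rule from the question and then to the same rule split into one rule per prefix, which goes a step beyond the answer's text. Assumptions: a prefix match is a plain starts-with comparison, the images and the evaluation date are constructed, and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# The rule from the question (same values).
RULE = {
    "rulePriority": 10,
    "description": "purge PR builds",
    "action": {"type": "expire"},
    "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["pr-", "frontend-pr-", "backend-pr-", "search-pr-", "cache-pr-"],
        "countType": "sinceImagePushed", "countUnit": "days", "countNumber": 2,
    },
}

def prefixes_match(prefixes, tags):
    """Quoted rule: every listed prefix must match at least one of the image's tags."""
    # Assumption: a prefix match is a plain starts-with comparison.
    return all(any(tag.startswith(p) for tag in tags) for p in prefixes)

def expired_by(rule, image, now):
    """True if this simplified model would expire the image under the rule."""
    sel = rule["selection"]
    old_enough = now - image["pushed_at"] > timedelta(days=sel["countNumber"])
    return old_enough and prefixes_match(sel["tagPrefixList"], image["tags"])

def split_per_prefix(rule):
    """One rule per prefix, each with its own priority, so a single prefix is enough."""
    rules = []
    for offset, prefix in enumerate(rule["selection"]["tagPrefixList"]):
        selection = dict(rule["selection"], tagPrefixList=[prefix])
        rules.append(dict(rule, selection=selection,
                          rulePriority=rule["rulePriority"] + offset,
                          description=f"{rule['description']} ({prefix})"))
    return rules

NOW = datetime(2023, 6, 18, tzinfo=timezone.utc)
IMAGES = [  # constructed sample images, not taken from the screenshot
    {"tags": ["frontend-pr-65"], "pushed_at": NOW - timedelta(days=7)},
    {"tags": ["backend-pr-12"], "pushed_at": NOW - timedelta(days=5)},
    {"tags": ["frontend-pr-70"], "pushed_at": NOW - timedelta(days=1)},
    {"tags": ["v1.4.0"], "pushed_at": NOW - timedelta(days=30)},
]

def expired_tags(rules, images=IMAGES, now=NOW):
    """First tag of every image that at least one rule would expire."""
    return [i["tags"][0] for i in images if any(expired_by(r, i, now) for r in rules)]

if __name__ == "__main__":
    print("rule as posted:", expired_tags([RULE]))
    print("one rule per prefix:", expired_tags(split_per_prefix(RULE)))
```

The split rules take priorities 10 to 14 here; in a real policy those numbers must not collide with the priorities of the other rules.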