Check base images using mirror registry instead of public DockerHub#2119
Draft
lbussell wants to merge 5 commits into
copyBaseImages already imports every base image into the internal
staging ACR ('mirror/' prefix) immediately before getStaleImages runs,
but getStaleImages was still resolving FROM tags against docker.io.
That path is unreachable from the internal 1ES pool, so the command
hangs for 30s on each Docker Hub base image and the job fails.
Rewrite any non-MCR / non-*.azurecr.io FROM reference to the staging
mirror via --base-override-regex/--base-override-sub. The job already
authenticates to InternalMirrorRegistry via reference-service-connections,
so no credential changes are needed. Also drops the buildtools-only
override (which never matched the actual library/<distro> FROM lines).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The previous --base-override-regex/sub approach rewrote external FROM tags to point at the staging mirror, but the rewritten repo prefix also leaked into the digest comparison string. image-info.json stores the digest against the canonical (public) repo, so every rewritten image compared unequal and was reported stale on every run.

Switch getStaleImages to the same mechanism the build/matrix flow already uses:

- Add --registry-override and --source-repo-prefix options (mirroring what ManifestOptions exposes and what copyBaseImages consumes).
- Construct ImageNameResolverForMatrix per subscription manifest. GetFromImagePullTag returns the staging mirror location for fetching the digest; GetFromImagePublicTag returns the canonical reference used to build the digest comparison string.

The pipeline yml now passes --registry-override / --source-repo-prefix in place of the regex pair, matching how the copyBaseImages step in the same job is invoked. --base-override-regex/sub remains supported for genuine one-off overrides.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Two different FROM spellings can normalize to the same pull tag (e.g. 'almalinux:8' and 'library/almalinux:8' both pull from '<staging>/mirror/library/almalinux:8') but produce different public tags. The previous code cached the full '<repo>@<sha>' comparison string by pull tag, which meant the second lookup could reuse the first FROM's public repo prefix and falsely mark the image as stale. Cache only the raw SHA so the comparison string is always built from the current platform's own public tag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This PR responds to new network isolation requirements that broke the check base images pipeline. Outbound connections to dockerhub are blocked internally.
Previously the pipeline worked like this:
Obviously, comparing base image digests from DockerHub is a problem if the network blocks the connection.
This PR updates the `getStaleImages` command to use the mirrored images that we had already just copied anyways. For simplicity/consistency's sake, I also updated `getStaleImages` to use the exact same mirror/override arguments as `copyBaseImages`, that way we know we're referencing the images the exact same way.
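The pull-tag/public-tag split and the SHA-only cache described in the commit messages above, as an added Python example that is not docker-tools code: the staging registry name, digests and image-info entries are constructed, and `is_external`, `pull_tag`, `repo_of` and `find_stale` are hypothetical stand-ins for the resolver and the getStaleImages comparison, with `cache_full_string=True` reproducing the false positive from the third commit.

```python
# Added example (not docker-tools code). Registry name, SHAs and image-info entries below are constructed.
STAGING = "staging.azurecr.io"  # constructed stand-in for the internal mirror ACR
SOURCE_PREFIX = "mirror/"       # repo prefix the mirror copies use
def is_external(ref: str) -> bool:
    if "/" not in ref:
        return True  # 'almalinux:8': no registry component, so Docker Hub
    first = ref.split("/", 1)[0]
    if "." not in first and ":" not in first:
        return True  # 'library/almalinux:8': first segment is a namespace, not a registry
    # anything that is not MCR and not an *.azurecr.io registry is treated as external
    return not (first == "mcr.microsoft.com" or first.endswith(".azurecr.io"))

def pull_tag(ref: str) -> str:
    """Where the digest is fetched: external refs are redirected to the staging mirror."""
    if not is_external(ref):
        return ref
    first, _, rest = ref.partition("/")
    repo = rest if first == "docker.io" else ref
    if "/" not in repo:
        repo = "library/" + repo  # official image: 'almalinux:8' -> 'library/almalinux:8'
    return f"{STAGING}/{SOURCE_PREFIX}{repo}"

def repo_of(ref: str) -> str:
    name, sep, tag = ref.rpartition(":")
    return name if sep and "/" not in tag else ref  # drop ':tag' to build '<repo>@<sha>'

def find_stale(from_refs, registry, image_info, cache_full_string=False):
    """FROM refs whose recorded digest differs from the mirror's; cache_full_string=True
    reproduces the bug where the first FROM's '<repo>@<sha>' is reused for the same pull tag."""
    cache, stale = {}, []
    for ref in from_refs:
        pt = pull_tag(ref)
        if cache_full_string:  # buggy: whole comparison string cached by pull tag
            current = cache.setdefault(pt, f"{repo_of(ref)}@{registry[pt]}")
        else:  # fixed: cache only the raw SHA, build the string from this ref's own public repo
            current = f"{repo_of(ref)}@{cache.setdefault(pt, registry[pt])}"
        if image_info[ref] != current:
            stale.append(ref)
    return stale

FROM_REFS = ["almalinux:8", "library/almalinux:8", "debian:12"]
REGISTRY = {  # digest the staging mirror currently serves, keyed by pull tag
    f"{STAGING}/{SOURCE_PREFIX}library/almalinux:8": "sha256:aaa",
    f"{STAGING}/{SOURCE_PREFIX}library/debian:12": "sha256:bbb",
}
IMAGE_INFO = {  # digest recorded at the last build, stored against the public repo
    "almalinux:8": "almalinux@sha256:aaa",
    "library/almalinux:8": "library/almalinux@sha256:aaa",
    "debian:12": "debian@sha256:old",
}
```

With the buggy cache the second almalinux spelling is reported stale alongside debian; with the SHA-only cache only debian is.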