Add KeepLatestNDockerImagesAllVersions rule (fix #183) #184
Open
sdn2s wants to merge 1 commit into
All rules in a policy share a single AQL `find` combined with `$and`, so a `Keep*` rule only sees the artifacts left after a filtering `Delete*` rule. As a result `KeepLatestNDockerImages` cannot protect the truly latest N versions when the policy also contains e.g. `DeleteDockerImagesNotUsed`, and the common "delete unused, but always keep the latest N" intent is not expressible in a single policy. This adds `KeepLatestNDockerImagesAllVersions`, which computes the latest N digests over all manifests via its own AQL query, independently of the other rules. Existing rules are untouched. Includes a test and README docs. Fixes devopshq#183
b9d9b58 to 0bb0881
What
Adds a new Docker keep rule `KeepLatestNDockerImagesAllVersions` that protects the latest N image digests computed over all tags in the repository, independently of the other rules in the policy.

Fixes #183.
Why
All rules in a policy contribute to a single AQL `find` combined with `$and` (`CleanupPolicy._get_aql_find_filters`), and `Keep*` rules run their in-memory `filter()` on the already-narrowed result set. So when a policy mixes a filtering `Delete*` rule (e.g. `DeleteDockerImagesNotUsed`) with `KeepLatestNDockerImages`, the keep rule only sees the artifacts that survived the delete filter and therefore cannot protect the truly latest N versions.

Consequence: the very common retention intent — "delete images not used for N days, but always keep the latest M versions" — is not expressible in a single policy, and on many datasets the policy deletes nothing (see #183 for the detailed analysis).
How
`KeepLatestNDockerImagesAllVersions`:

- `items.find(...).include("*")`), independently of the policy's delete filter;
- `updated` (same semantics as `KeepLatestNDockerImages`);

Usage:
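
The scoping difference described under "Why", modelled in plain Python as an added example; it is not the pull request's usage snippet or the project's code. The `Image` records, dates and function names are constructed for illustration, and the "not used" filter is a simplified stand-in for a filtering `Delete*` rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Image:                      # hypothetical record, not an Artifactory type
    tag: str
    updated: date                 # last push of the manifest
    last_downloaded: date         # last pull


TODAY = date(2024, 6, 1)          # constructed reference date


def not_used_since(images, days):
    """Stand-in for a filtering Delete* rule: images not pulled for `days` days."""
    cutoff = TODAY - timedelta(days=days)
    return [i for i in images if i.last_downloaded < cutoff]


def latest_n(images, n):
    """The n most recently updated images within whatever set is passed in."""
    return set(sorted(images, key=lambda i: i.updated, reverse=True)[:n])


def shared_scope(images, days, keep):
    """Keep rule sees only what the delete filter left behind."""
    candidates = not_used_since(images, days)
    protected = latest_n(candidates, keep)
    return sorted(i.tag for i in candidates if i not in protected)


def independent_scope(images, days, keep):
    """Keep set is computed over all images, then removed from the candidates."""
    protected = latest_n(images, keep)
    return sorted(i.tag for i in not_used_since(images, days) if i not in protected)


# Constructed repository: three stale images and two fresh ones still in use.
REPO = [
    Image("1.0", date(2024, 1, 1), date(2024, 1, 5)),
    Image("1.1", date(2024, 2, 1), date(2024, 2, 5)),
    Image("1.2", date(2024, 3, 1), date(2024, 3, 5)),
    Image("1.3", date(2024, 5, 1), date(2024, 5, 30)),
    Image("1.4", date(2024, 5, 20), date(2024, 5, 31)),
]

if __name__ == "__main__":
    print("shared scope, keep=2:     ", shared_scope(REPO, 30, 2))
    print("independent scope, keep=2:", independent_scope(REPO, 30, 2))
    print("shared scope, keep=3:     ", shared_scope(REPO, 30, 3))
```

With the shared scope, the keep rule spends its quota on stale images, so old images stay in the repository; once the quota reaches the number of stale images, nothing is deleted at all.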