containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...

`nerdctl system prune -a` removes volumes in use too

amalthundiyil opened this issue · comments

Description

nerdctl removes an image from a private registry on `nerdctl system prune -a`

root@machine:~# nerdctl ps
CONTAINER ID    IMAGE                             COMMAND                   CREATED         STATUS    PORTS                     NAMES
fe0ba1bdaf95    docker.io/library/registry:2.7    "/entrypoint.sh /etc…"    16 hours ago    Up        0.0.0.0:5000->5000/tcp    registry
root@machine:~# curl http://localhost:5000/v2/_catalog
{"repositories":["python"]}
root@machine:~# nerdctl system prune -af
root@machine:~# curl http://localhost:5000/v2/_catalog
{"repositories":[]}

Steps to reproduce the issue

  1. nerdctl run -d -p 5000:5000 --restart=always --name registry registry:2.7
  2. nerdctl pull registry.hub.docker.com/library/python:3.9
  3. nerdctl image tag registry.hub.docker.com/library/python:3.9 localhost:5000/python:3.9
  4. nerdctl push localhost:5000/python:3.9
  5. nerdctl system prune -af
  6. curl http://localhost:5000/v2/_catalog

Describe the results you received and expected

nerdctl shouldn't remove images from inside of a private container registry.

What version of nerdctl are you using?

1.7.6

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: v1.7.16
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: aufs native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: builtin
 Kernel Version: 5.4.0-88-generic
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.109GiB
 Name: machine
 ID: 165e5604-e251-4d53-aeda-4ef52c811b35

@AkihiroSuda I'll take this one

@AkihiroSuda the faulty part seems to be container prune.

Reading the code, I just do not get it.
Looks like we are not checking anywhere what the status of the container is BEFORE deleting anon volumes and other state dir and resources. We list containers with `client.Containers` then call `RemoveContainer` on all of them. We start deleting resources. Then halfway through, we stop (or not).
So, calling container prune leaves dangling (running) containers whose resources and state have been deleted.

To me, it seems this command (container prune) (and possibly `RemoveContainer` as well) is just very broken.

Am I misreading this?
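
The ordering described in the comment above, as an added example that is not nerdctl's code and not part of the original thread: a small in-memory model in which `Container`, `Store`, `sampleStore` and `prune` are hypothetical names and the data is constructed. It contrasts deleting resources before the status check with filtering on status first.

```go
package main

import "fmt"

// Container and Store are a constructed in-memory model, not containerd types.
type Container struct {
	Status string // "running" or "exited"
	Volume string // anonymous volume owned by the container
}

type Store struct {
	Containers map[string]*Container
	Volumes    map[string]bool // volumes that still exist
}

// sampleStore returns constructed data: a running registry and an exited job.
func sampleStore() *Store {
	return &Store{
		Containers: map[string]*Container{
			"registry": {Status: "running", Volume: "vol-registry"},
			"old-job":  {Status: "exited", Volume: "vol-job"},
		},
		Volumes: map[string]bool{"vol-registry": true, "vol-job": true},
	}
}

// prune with checkFirst=false deletes resources before looking at the status,
// the ordering the comment describes; checkFirst=true filters on status first.
// It returns the running containers left without their volume.
func prune(s *Store, checkFirst bool) (dangling []string) {
	for name, c := range s.Containers {
		if checkFirst && c.Status == "running" {
			continue // running container: touch nothing
		}
		delete(s.Volumes, c.Volume)
		if c.Status == "running" {
			dangling = append(dangling, name) // removal refused, volume gone
			continue
		}
		delete(s.Containers, name)
	}
	return dangling
}

func main() {
	fmt.Println("status checked late: ", prune(sampleStore(), false))
	fmt.Println("status checked first:", prune(sampleStore(), true))
}
```

In the model, the late check leaves `registry` running with its volume deleted, which matches the empty `_catalog` response in the report; the early check removes only `old-job` and its volume.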

Fixed.
@AkihiroSuda can you close this?

Thanks!