Warning: Critical bug in Docker - Delete unused manifests and images scheduled task


Michael Prescott

Jul 6, 2021, 4:25:27 PM
to Nexus Users

Warning

A bug in Nexus Repository 3.30.0 to 3.31.1 can cause loss of some Docker data when running the Delete unused manifests and images scheduled task. We recommend disabling this task immediately to avoid data loss.

How to determine if you are affected

A Nexus Repository OSS or Pro installation is potentially affected if it meets the following criteria:

  • It is version 3.30.0 to 3.31.1

  • The Docker - Delete unused manifests and images scheduled task is enabled

What data can be affected?

The Delete unused manifests and images task deletes layers and SHA manifests that are not reachable from tag manifests (e.g., “latest”) from hosted Docker repositories.

Nexus Repository 3.30.0 introduced a logic error that caused it to disregard recently published and updated tags when determining if layers and SHA manifests count as used. This can cause Nexus Repository to incorrectly remove those images’ layers and the associated SHA manifest.

Recently published or updated images are the most susceptible to data loss. For more information, please see NEXUS-28247.

How to Disable This Task

Log in to your Nexus Repository administrator console. Select System Tasks in the left navigation and browse the list of configured scheduled tasks.

Select any instances of Docker - Delete unused manifests and images and uncheck the Task enabled flag.

Mariska

Jul 7, 2021, 1:54:52 AM
to Nexus Users, mpre...@sonatype.com
Thanks for the notification. Do I understand correctly that this will only happen if, for example, "latest" is referring to an image version that has already been deleted?

Regards,
Mariska.

Michael Prescott

Jul 7, 2021, 9:09:36 AM
to Mariska, Nexus Users
It's not quite like that - the bug is that recently published (or updated) tags are ignored when determining reachability. This means that if you update 'latest' to point to something new, the layers associated with that image can potentially be removed if no other (older) tag points to them.

This is most likely to affect newly published images in a hosted repository, things less than 24 hours old, because both the 'latest' tag and any version tag they have will be new.
--
Sonatype
Michael Prescott
Director, Product Management
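
The reachability failure described in this thread, as a small mark-and-sweep model. This is an added illustration, not Nexus Repository code: the digests, tag times, the `ignore_newer_than` parameter and the 24-hour cutoff are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real Nexus content). NOW is the time the task runs.
NOW = datetime(2021, 7, 6, 12, 0)
# tag name -> (manifest digest it points to, time the tag was last updated)
TAGS = {
    "1.0": ("sha256:m-old", NOW - timedelta(days=30)),
    "1.1": ("sha256:m-new", NOW - timedelta(hours=2)),
    "latest": ("sha256:m-new", NOW - timedelta(hours=2)),
}
# manifest digest -> layer digests it references
MANIFESTS = {
    "sha256:m-old": ["sha256:base", "sha256:app-1.0"],
    "sha256:m-new": ["sha256:base", "sha256:app-1.1"],
    "sha256:m-orphan": ["sha256:stale"],  # no tag points here: legitimately unused
}


def reachable(tags, manifests, ignore_newer_than=None):
    """Mark phase: collect every manifest and layer reachable from a tag."""
    live = set()
    for digest, updated in tags.values():
        if ignore_newer_than is not None and updated > ignore_newer_than:
            continue  # models the bug: a recent tag is not treated as a root
        live.add(digest)
        live.update(manifests.get(digest, []))
    return live


def sweep(tags, manifests, ignore_newer_than=None):
    """Sweep phase: return the digests the task would delete."""
    everything = set(manifests)
    for layers in manifests.values():
        everything.update(layers)
    return everything - reachable(tags, manifests, ignore_newer_than)


def wrongly_deleted(tags, manifests, cutoff):
    """Digests removed only because recent tags were ignored."""
    return sweep(tags, manifests, cutoff) - sweep(tags, manifests)


if __name__ == "__main__":
    cutoff = NOW - timedelta(hours=24)  # assumed window, from "less than 24 hours"
    print("correct sweep:", sorted(sweep(TAGS, MANIFESTS)))
    print("buggy sweep:  ", sorted(sweep(TAGS, MANIFESTS, cutoff)))
    print("data lost:    ", sorted(wrongly_deleted(TAGS, MANIFESTS, cutoff)))
```

In this model the shared `sha256:base` layer survives the buggy sweep only because the older `1.0` tag still points to it, while the new manifest and its unique layer are lost.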

