Add pull-from-mirror for adding per-mirror level restrictions #1411
Conversation
|
@mtrmac @vrothberg Could you review? |
QiWang19
changed the title
QiWang19
force-pushed
the
digest-set-for-mirror
branch
2 times, most recently
from
33e1e10
to
cd80244
Compare
|
@vrothberg @mtrmac PTAL |
|
@vrothberg PTAL. |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
2 times, most recently
from
f23b1f1
to
d3363ea
Compare
|
@mtrmac PTAL |
|
@mtrmac Could you review? |
|
@mtrmac Could you review? |
I apologize for the late response.
This does work fine, and it’s perfectly sufficient for correctness.
OTOH it doesn’t implement openshift/enhancements#929 as currently proposed. That enhancement has a separate list of per-digest mirrors and per-tag mirrors, i.e. it is possible to have a tag-only mirror.
I can imagine, with absolutely no data, that some users might want to use “cheap” mirrors for digested references, and only use “more expensive”, better-secured, mirrors for tagged references. But even in that hypothetical case, I find it fairly hard to argue that they’d rather have a failed pull than use the “more expensive” mirror.
So, for c/image, I think this could well be sufficient — and users might set up the configuration so that digest-only mirrors are listed before the digest+tag mirrors, if they wanted to avoid use of a “costly” digest+tag mirror.
But it’s pretty surprising to introduce the OpenShift feature, and this underlying design for an implementation of the OpenShift feature, at the same time, but not have them do exactly the same thing. So either c/image should allow configuring tag-only mirrors, or the OpenShift CR should be changed so that the “tag” mirrors are documented to also be used for digested references.
It’s somewhat likely that there was an earlier conversation about this that I can’t remember/find; is there?
Except I can find #1407 (comment) , so it’s quite possible that the current inconsistent state of things is my fault. If that’s the case, I’m sorry.
docs/containers-registries.conf.5.md
Outdated
| Also note that if all mirrors in the `mirror` array have `digest-only = true`, images referenced by a tag will only use the primary | ||
| registry, failing if that registry is not accessible. |
There was a problem hiding this comment.
I don’t think we need the note about only using the primary twice; it’s a side point and not that important.
Maybe leave the note in the previous location (which is “outside” of the mirror-by-digest-only definition list entry anyway), and just write “if all mirrors are configured to be digest-only”, without mentioning a specific field name.
There was a problem hiding this comment.
The digest-only copy will, I assume be removed — then the only copy of this note should be a separate paragraph, not a part of the mirrors-by-digest-only paragraph.
| @@ -675,6 +675,72 @@ func TestPullSourcesFromReference(t *testing.T) { | |||
| assert.Equal(t, 1, len(pullSources)) | |||
| } | |||
|
|
|||
| func TestPullSourcesMirrorFromReference(t *testing.T) { | |||
| sys := &types.SystemContext{ | |||
There was a problem hiding this comment.
To make it easier for the future, could TestPullSourcesFromReference be modified to use the same table-driven format, and then these tests added to that function, without adding a new config file?
It’s a bit out of scope (especially with the testing for Location/Insecure), so I’m perfectly fine with doing that work myself later, in a separate PR.
There was a problem hiding this comment.
ok, I'd leave that to you.
Does the tag-only mirrors mean the registry reference without tag should be rejected in the case? The openshift/enhancements#929 proposed to allow using tags, not to limit the use to tag-only. |
|
By tag-only mirrors I mean mirrors that aren’t used for digested references. Digested references would only use digest-only mirrors (if any), not the tag-only mirrors, and the primary (non-mirror) location. The enhancement’s Given ISDP ( I don’t have a very strong opinion on whether to change this implementation or the OpenShift CR. |
The former one follows current implementation, like the testcase I think you mean the digest example, |
Yes, my mistake. Thanks. |
|
@mtrmac I fixed the reviews, PTAL. |
Thanks! The implementation LGTM, just some test and documentation nits.
I don’t think it would be reasonable to block this PR on the inconsistency with OpenShift plans, per #1411 (review) . But I do hope there’s some plan to address that.
I suppose another c/image PR that adds another per-mirror option can land later, or something.
| pullSource, err := registry.PullSourcesFromReference(digestedRef) | ||
| assert.Nil(t, err) | ||
| for i, s := range tc.digestSources { | ||
| assert.Equal(t, s, pullSource[i].Endpoint.Location) |
There was a problem hiding this comment.
Absolutely non-blocking: Testing pullSource[i].Reference would be more directly related to the end-user-wanted behavior.
But this works just fine, and I can clean that up later when unifying the two tests.
QiWang19
force-pushed
the
digest-set-for-mirror
branch
2 times, most recently
from
e73f234
to
71f0bfa
Compare
QiWang19
changed the title
|
@mtrmac @vrothberg PTAL |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
3 times, most recently
from
84f966d
to
165cb39
Compare
|
@vrothberg @mtrmac PTAL. |
|
@mtrmac Could you review it? |
|
@vrothberg @mtrmac PTAL |
| switch mirror.PullFromMirror { | ||
| case MirrorByDigestOnly: | ||
| if !isDigested { | ||
| continue | ||
| } | ||
| endpoints = append(endpoints, mirror) | ||
| case MirrorByTagOnly: | ||
| if isDigested { | ||
| continue | ||
| } | ||
| endpoints = append(endpoints, mirror) | ||
| default: | ||
| endpoints = append(endpoints, mirror) | ||
| } |
There was a problem hiding this comment.
| switch mirror.PullFromMirror { | |
| case MirrorByDigestOnly: | |
| if !isDigested { | |
| continue | |
| } | |
| endpoints = append(endpoints, mirror) | |
| case MirrorByTagOnly: | |
| if isDigested { | |
| continue | |
| } | |
| endpoints = append(endpoints, mirror) | |
| default: | |
| endpoints = append(endpoints, mirror) | |
| } | |
| switch mirror.PullFromMirror { | |
| case MirrorByDigestOnly: | |
| if !isDigested { | |
| continue | |
| } | |
| case MirrorByTagOnly: | |
| if isDigested { | |
| continue | |
| } | |
| } | |
| endpoints = append(endpoints, mirror) |
Close: containers#1407 Add pull-from-mirror: all, digest-only, tag-only for adding per-mirror level restrictions to image pull through mirrors. The `mirror-by-digest-only` for primary is still allowed configuring, and it is honored for compatibility Signed-off-by: Qi Wang <qiwan@redhat.com>
|
@vrothberg @mtrmac PTAL. This is ready to get merged. |
|
@mtrmac @vrothberg can we have a new release for this feature? |
|
Sure, a new release sounds fine. @vrothberg WDYT? Is there any reason not to, or anything urgent we should finish first? |
|
Releasing now SGTM. Thanks for working on this, @QiWang19! |
|
#1514 filed to release v5.21.0. |
Close: #1407
Add pull-from-mirror: all, digest-only, tag-only for adding per-mirror level restrictions
The
mirror-by-digest-onlyfor primary is still allowed configuring,and it is honored for compatibility
Signed-off-by: Qi Wang qiwan@redhat.com