New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
optimize: avoid redundant blob fetching #3569
optimize: avoid redundant blob fetching #3569
Conversation
bc95d2c
to
c182ba3
Compare
Codecov Report
@@ Coverage Diff @@
## main #3569 +/- ##
==========================================
- Coverage 56.34% 56.32% -0.02%
==========================================
Files 101 101
Lines 7314 7309 -5
==========================================
- Hits 4121 4117 -4
+ Misses 2536 2535 -1
Partials 657 657
Continue to review full report at Codecov.
|
c182ba3
to
9a3e52a
Compare
We should address the CodeQL issues despite their not being directly related to this PR. |
So let't disable the configuration for insecure cipher suites? |
76d1e1d
to
c74bde3
Compare
registry/registry.go
Outdated
|
||
/* The following cipher suites are insecure, so we disable those options. | ||
TLS_RSA_WITH_RC4_128_SHA. | ||
TLS_RSA_WITH_AES_128_CBC_SHA256. | ||
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. | ||
TLS_ECDHE_RSA_WITH_RC4_128_SHA. | ||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. | ||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's better to move this commit to a separate pull request, otherwise the security change might get overlooked (burried together with unrelated changes).
I'd also just remove the commented code (as it has no real purpose), and instead putting this information in the commit message, e.g.
This commit removes the following cipher suites that are known to be insecure:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
That said, perhaps we should follow the recommendation that's posted in CI (if that works):
The following example shows how to create a safer TLS configuration:
package main import "crypto/tls" func saferTLSConfig() { config := &tls.Config{} config.MinVersion = tls.VersionTLS12 config.MaxVersion = tls.VersionTLS13 // OR config.MaxVersion = 0 // GOOD: Setting MaxVersion to 0 means that the highest version available in the package will be used. }
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it!
37c80e1
to
5627378
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This look ok to me. I only have nits around naming vars.
5627378
to
b4de305
Compare
registry/proxy/proxyblobstore.go
Outdated
mu.Unlock() | ||
}() | ||
|
||
desc, err := pbs.remoteStore.Stat(ctx, dgst) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please move the Stat to line 114, just before Create(), to avoid unnecessy load for failure case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and please wrapper an method for the code block.
All the code should be in the same level,
func {
method()
method()
details....
}
== >
func {
method()
method()
method()
}
I am not quite sure about the original idea to use go rountine to async calls the storeLocal(). But this PR changes it to sync mode, if I understand correctly. Is it expceted? cc @milosgajdos |
registry/proxy/proxyblobstore.go
Outdated
return err | ||
} | ||
|
||
remoteReader, err := pbs.remoteStore.Open(ctx, dgst) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pbs.scheduler.AddBlob(blobRef, repositoryTTL)
is removed for this PR, it's right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I forgot this part.
f0b3cd6
to
abfc675
Compare
Any progress on this optimization? It appears to be a valuable approach for eliminating redundant blob requests to the registry. |
This needs a rebase @justadogistaken |
I will rebase it later. |
abfc675
to
808f435
Compare
@thaJeztah @wy65701436 Please help review this work. |
If a copy is already in flight, does it just fall back to streaming directly from the remote store to the client? If that is the case, a comment might be good there. Just trying to get my head around the logic before adding a LGTM. |
808f435
to
b99307c
Compare
Yes, it will fall back to streaming directly from remote store. Which is what it used to be. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd appreciate a comment in ServeBlob explaining that if there is already a copy in flight that the current thread will just proxy straight from the remote to the client, I assume because there's no sensible way to join in with the tee.
But that's not blocking and overall, very sensible change, lgtm.
Signed-off-by: baojiangnan <baojn1998@163.com>
b99307c
to
1795292
Compare
Thank you. And the comments are added. |
I read through the code of proxyBlobStore. I found that the logic of ServeBlob could be optimized. We don't need to request twice for the same blob when caching it.