This repository has been archived by the owner. It is now read-only.

Optional cf support #389

Merged
merged 4 commits into from May 27, 2014

Conversation

Projects
None yet
2 participants
@dmp42
Member

dmp42 commented May 26, 2014

This implements our earlier Cloudfront discussion.

I wrote this to be as simple as possible - although the impact is important.

Things to understand:

  1. to be active, this uses the following (undocumented) configuration:
    storage_redirect: true
    cloudfront:
        base: 'http://XXXXX.cloudfront.net'
        keyid: 'XXXX'
        keysecret: 'somefile.pem'

The keysecret is a keypair generated by the AMZ admin. The keyid is not the same as the S3 keyid. The base is the public domain name that hosts the cloudfront content (beware: we must use cloudfront names for now).

I don't think there is a point in documenting this feature for the current release.

  1. If only storage_redirect is true and there is no cloudfront key, S3 redirect signing will be used instead.
  2. when active, this redirects all image layers (both private and public) to a cloudfront signed url
  3. the given signed url is valid for 60 seconds
  4. once the delay has expired, that url is 403
  5. we don't keep signed urls - each time we are requested, we generate a new signed url
  6. cloudfront share the cache between signed urls. Which means the same resource signed twice will be hot the second time
  7. from a security standpoint, we need to think about the best / proper ttl for the signature (60 seconds might be too much)

@shin- @samalba

dmp42 added some commits May 26, 2014

Optional cf support
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
Flake
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
Capture stream write error
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
Fix test
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
@samalba

This comment has been minimized.

Show comment
Hide comment
@samalba

samalba May 26, 2014

Contributor

LGTM

Contributor

samalba commented May 26, 2014

LGTM

@dmp42 dmp42 added the enhancement label May 26, 2014

@dmp42 dmp42 added this to the 0.7 milestone May 26, 2014

dmp42 added a commit that referenced this pull request May 27, 2014

@dmp42 dmp42 merged commit be5849c into master May 27, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
Details

@dmp42 dmp42 deleted the 0.7-Cloudfront branch May 27, 2014

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.