-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support external url layers in other os also #23014
Conversation
cc: @miminar |
👍 It makes sense to enable for all Operating Systems. |
LGTM. But I'd prefer the original PR to look this way. |
it's working fine now:
|
the uploaded manifest in the registry is also fine:
|
I'm going to add some integration tests for this if I can (not sure how to bundle an image with a manifest in code, will see) |
We discussed this in the maintainers meeting, and there were no clear objections against allowing this. We do like to keep this as a separate PR, so that the original PR is not blocked by this decision. We decided to keep this PR in design review for a couple of days, in case there are other maintainers that have information we overlooked, but should be able to move forward after that 👍 |
@@ -168,6 +177,7 @@ type MountInit func(root string) error | |||
// read-only and read-write layers. | |||
type Store interface { | |||
Register(io.Reader, ChainID) (Layer, error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than create a separate method, Register
should just take a descriptor. If no packed digest is available, it should be omitted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fine with me, I guess the linked PR should be updated as well not to clutter this interface
does @stevvooe comments apply to the original PR? |
My hope is that we can get the original PR merged as-is (very soon I am going to be unavailable for the next few weeks) and address these suggestions as part of the PR to remove the Windows-specific bits. |
I don't think it makes sense to merge the windows one and then go on with this honestly, we could end up breaking windows either. I think this should be designed thoroughly to be now os-agnostic. |
For the Created a patch to this change which illustrates what I mentioned. dmcgowan@7429a76. Further refactoring could probably be done to clean it up further but wanted to highlight what the change would look like. |
reworked @dmcgowan patch to work on linux and push forced - push/pull works in my tests again |
Yes, but #22866 will be likely merged anyways, as Windows cannot be supported without it. If you look back at my comments on #22866, most of them are to make sure no issues arise when adding wider OS support. @jstarks did a great job in ensuring the PR complied with that commentary, even though it was completely orthogonal to his goal. Remember, Docker support for Linux has been around since the beginning, whereas Windows Containers are very new. Considering this feature is limited to Windows, missteps in this regard are acceptable. A higher standard needs to be held for wider OS support to ensure we don't break backwards compatibility and, more importantly, that we don't open up a massive exploit. A few things that need to be done before getting wider OS support:
Let’s work together to get this out and make sure wider OS support is high quality. |
@stevvooe thanks - is there anyone already working on some on the points above? if not, I guess point 4) is already handled here. Could you elaborate more on the other points? |
@runcom This is something we've been discussing, in detail. Layers have an identifier known as a Currently, the management of Descriptor/Digest storage is fairly ad-hoc. We can see this in areas of the code that store just the digest then generate a descriptor from that. The correct cases are covered but we can use the properties described above to store them in a consistent way for both layers and other content, such as manifests. On the other side of this, we need to ensure that the descriptors in that store are invalidated when a layer is regenerated and the new descriptor hash does not match. Furthermore, such that when a manifest is assembled, it represents the set of layers that are actually pushed into a registry. Why does this matter for foreign layers? Up until this point, the mediatypes for layers has been fairly consistent. Using a default everywhere is sufficient. With this change, we know have a situation where the contents of the descriptor is not only unique and meaningful, but can affect the push behavior. In effect, we need to ensure that both the mediatype, used as a push policy, and the URLs are stored reliably, along with the correct digest. Let me know if you need more to go on. |
@stevvooe great, so, as part of what you highlighted - I'm going to move on with this starting from the first of your point above. IIUC, what you're saying if that we should make the |
Yes. But we also have to take measures to ensure that remains valid. There are certain cases where two registries may have the same layer stored under different digests due to divergent compression. This can be done by invalidating the descriptor and regenerating the compressed layer or maintaining a list of known descriptors for a piece of content. |
Ping to @jhowardmsft while @jstarks is away on vacation. |
What's outstanding on this? |
@jhowardmsft: First #22866 needs to be finished and merged. This PR is about extending that functionality for OS' beyond Windows, and there's still ongoing discussion about we get there. The main item I see outstanding on that #22866 is #23014 (comment) (I believe that comment was meant to go on that PR, not this one). |
d09fc38
to
7b7d635
Compare
} else { | ||
d.layer, err = d.layerStore.Register(inflatedLayerData, parentLayer) | ||
} | ||
d.layer, err = d.layerStore.Register(inflatedLayerData, parentLayer, src) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stevvooe @aaronlehmann as part of what said in earlier comments - we should store the compressed layer https://github.com/docker/docker/pull/23014/files#diff-0c4769e1568c0f439863abd30df1ceccL313 along with the descriptor - do we want to create a descriptorStore
or it's layerStore's business to store descriptor and compressed layer? (for later invalidation possibly)
I've reworked the commit to extend support to other os - left a comment above to move on implementation for wider os support |
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
ping @stevvooe @aaronlehmann where are we on this one? (@runcom this needs a rebase now) |
thx @thaJeztah - I'm waiting to get some guidance though |
I briefly discussed this, and the current situation is that we like to test Opening up this feature for "general" use can have quite some implications. Also |
I don't understand this :) can you guys actually point out a list of TODO or TOTEST things in order to move on with this? |
@runcom Mostly, we need to think about the UX and communication to users on these changes. Do you mind demonstrating what happens on the client when a foreign layer isn't available? |
isn't available can mean many thing, I think if the registry doesn't have a layer it's going to tell the user that something went wrong and the layer cannot be downloaded (I have to test this out by removing a layer from a registry and docker pull an image with that layer). Likewise, if the layer isn't available at a 3rd party host, we can do the same and just tell the user the layer isn't available. What's the issue with telling ppl a layer cannot be downloaded? |
In this context, we specifically mean, availability for download. This can be due to connectivity, authorization or simple presence. There are several cases where the
There are many issues with this. What can a user do to resolve such a problem? Do they contact Docker? Do they contact the ISV? |
So what people do when the base windows layer isn't available? I expect people to contact them directly, I don't see complication in this since windows already has this in place now. I doubt anyone would contact docker because a layer is missing from a Windows based image |
You're comparing a brand new community to one that is already established. Windows support can't work without foreign layers, whereas linux hasn't needed them.
You'd be surprised what we get contacted about. Unfortunately, this is not an area where speculation is going to work. We need to make sure the UI makes this clear. Do you not see the value of testing this out on Windows community before introducing wider OS support? |
I'm talking about the same community, irrespective of windows or linux because Docker it's supposed to work the same on both platforms (we're also talking about images which, even in the foreign layer case, it's a pretty platform independent feature). Windows users aren't dealing with a different kind of docker to me wrt images.
they're required to host the base layers themselves. What if another ISV is required to do the same and the base layer happens to be on linux? I can't believe no other ISV is looking for this and I'm sure if we compare far more linux ISV need this. So it makes sense to perhaps put this feature in the experimental channel as a start - not just for Windows.
Linux does need foreign layers also. Just because no one came with this before, it doesn't mean ppl don't need this. I'm not sure where linux hasn't needed them is coming from.
No first you say communities are different so what would be the point in windows testing this? I still think the community is one so linux or windows don't make any difference. Plus, the linux community should be wider and help us better test this whole thing out, maybe in experimental if you wish. |
From pr#22866 we learned this feature...
This has always been the case for Red Hat base layers. In fact, we spelled out the use case nearly 2 years ago, well before Windows support. One of the principles of docker from early on was to have a common user experience regardless of OS. How is it that now that the Windows OS has special treatment? |
Thanks for the PR @runcom There are a number of blockers for this right now:
All in all:
We should look into this further and figure out solutions for the concerns listed above. Hope that clarifies / helps. |
I agree but such a compatibility hack can be made in place just for older client as you said. The registry can serve and forget (cache?) the foreign layer. It's just for compatibility though. I don't feel strong about this, it seems a clean way of ensuring backward compatibility to me even if layer federation is defeated in such a case somehow.
makes sense to both points above
as long as the manifest is private it should be or am I missing something? even if some layers are hosted elsewhere
This would be great, but I believe this can be discussed separately and it's not something I would do for an MVP, but definitely worth pursuing.
we can let admins configure that in the registries.
it certainly does, thanks @dmp42, I believe I can propose something in docker/distribution as a starting point so we can further discuss your points above. Or do you have other idea about how to go with this? |
Yes, a proposal in docker/distribution would certainly be a good starting point. Agreed that authentication is not priority. About private images: if the foreign layer is not access restricted, then that part of the image can not be guaranteed to be private even if the manifest is. I would suggest you start it by collecting / listing / summarizing all (immediate, priority 0) concerns for a MVP (from all the feedback on this ticket). Be sure to ping @RichardScothern @aaronlehmann @dmcgowan and @stevvooe for help and feedback on this. Thanks again for your efforts on this @runcom |
This is based on #22866 (I'll drop @jstarks commits once merged)
I've been testing this and it works great on linux also. I still struggle to understand why we want to go windows only for this feature (sorry I haven't really understood).
The last patch just gets rid of the windows-only code and move it to the general pull_v2 file. The code seems to be working fine, I was able to use it with a registry from docker/distribution master code and I was successful in downloading a layer hosted on an external url.
Pushing is, however, pushing the layer..need to see what's happening