Registry catalog

[miminar]

Implements the upstream repository catalog API call:

GET /v2/_catalog

Returned is a list of repository names as json:

200 OK
Content-Type: application/json
{ "repositories": [ <name>, ... ] }

Pagination is supported by mapping the last returned repository name to an opaque continue token received from master API and using it on the next invocation.

Task: https://trello.com/c/AZINw5qI

Associated origin PR to allow registry to list image stream: openshift/origin#19879

Documentation: openshift/openshift-docs#10102

TODO:

• - tests
• - use user token
• - app holds just a lru cache

[miminar]

@dmage, @legionus PTAL

@bparees FYI

/test

[miminar]

Probably user's token should be used instead. The registry cannot list imagestreams ATM, but we can be sure that user can thanks to the SAR check.

Otherwise list imagestreams needs to be added to system:registry cluster role.

[bparees]

using the user's token seems reasonable to me...

[miminar]

Also a good candidate for metrics. Suitable as a follow-up after this and #79 are merged.

[miminar]

Note to myself: Maybe worth its own file (to complement already existing registry_test.go).

[miminar]

This could be just the lru cache of opaque blobs. Putting on TODO.

[bparees]

explicitly

[bparees]

can we at least return a better error than "no space in slice", like "client requested zero entries"?

[dmage]

If we'll use this API somewhere else, the message about the client will provide misleading information.

[bparees]

still seems like there is a more informative message we can provide/bubble up. it's pretty much a self-inflicted+correctable error, so the error text should make that clear.. "no space in slice" makes it sound like an internal error where we ran out of memory and nothing can be done w/o changing code.

[bparees]

using the user's token seems reasonable to me...

[dmage]

What should I do when I see this warning in the log?

[miminar]

Check if you run the registry against different version of master API. The message seemed too long already but I can add the suggestion.

[dmage]

Can this situation be handled by enumerateImageStreams, so that we don't need to spread this hack by the code?

[miminar]

Sure. I'll rework it.

[dmage]

Do we need this? I would expect the upstream code to log this error.

[miminar]

You are right, the returned error is logged, I've removed the logging statement.

[dmage]

The master may respond with 410 ResourceExpired, that should be treated as an indication to repeat the query without Continue.

[miminar]

Good point, I'll handle the case.

[dmage]

Can we use this token twice?

[miminar]

Yes, from what I understand, the same token can be returned to two different clients or to two different requests.

[miminar]

Addressed most of the comments.

[bparees]

should set warned=true?

[miminar]

Not necessary, but it will add to legibility and robustness.

[miminar]

Added

[miminar]

Added unit tests and squashed.

[dmage]

My main concern that it will perform poorly behind load balancers without sticky sessions. And as I can see, the optimistic way when we have an opaque token is not tested.

If we are fine with slow requests, then LGTM.

[bparees]

My main concern that it will perform poorly behind load balancers without sticky sessions.

specifically the pagination you mean?

[miminar]

Our docker-registry's service has sessionAffinity=ClientIP by default. We can only hope that clients will not be too dumm to ask for all.

[miminar]

Rebased.

[miminar]

Re: ci/prow/e2e - Job failed. - Looks like broken environment:

failed to build "172.30.42.94:5000/e2e-test-prune-images-hnpr6/prune-schema2-all-images-false:latest" image: dial unix /var/run/docker.sock: connect: no such file or directory

/retest

[miminar]

@openshift/sig-continuous-infrastructure to rescue:

failed to build "172.30.74.83:5000/e2e-test-prune-images-dt99r/prune:latest" image: dial unix /var/run/docker.sock: connect: no such file or directory

[smarterclayton]

Does test-prune-images assume it has access to the docker socket on the host where the e2e test runs? IF so it should be [local] and excluded, or fixed to not assume that.

[bparees]

yes it looks like hardprune.go is building an image locally to push into the registry in order to tightly control the structure of the image being produced.

[bparees]

@smarterclayton if we mark it [local], under what conditions will it still get run?

[bparees]

(marking it local here: openshift/origin#20061)

[openshift-docker]

When run as part of a single node installation. Extended tests shouldn’t depend on local access to the node. Use a privileged pod if you need to check host stuff (and remember, you would fail on crio). On Jun 21, 2018, at 1:11 PM, Ben Parees <notifications@github.com> wrote: @smarterclayton <https://github.com/smarterclayton> if we mark it [local], under what conditions will it still get run? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#87 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AG7fCsqIs5yIAelUtbJ-NepnV2cErGXxks5t-9O2gaJpZM4UJC8y> .

[bparees]

When run as part of a single node installation.

@smarterclayton right, so does any of our PR testing on either origin or image-registry exercise the extended tests on a single node installation? That is my fundamental question here... once i tag the test as [local] will we still know if something breaks it.

Extended tests shouldn’t depend on local access to the node. Use a
privileged pod if you need to check host stuff (and remember, you would
fail on crio).

I get it, trying to evaluate how urgent it is that we fix this so the test is being executed again.

[smarterclayton]

On Jun 21, 2018, at 6:36 PM, Ben Parees <notifications@github.com> wrote: When run as part of a single node installation. @smarterclayton <https://github.com/smarterclayton> right, so does any of our PR testing on either origin or image-registry exercise the extended tests on a single node installation? That is my fundamental question here... once i tag the test as [local] will we still know if something breaks it. The master AWS job currently tests it. We will probably have a single node oc cluster up test that may be able to use this in the future. Extended tests shouldn’t depend on local access to the node. Use a privileged pod if you need to check host stuff (and remember, you would fail on crio). I get it, trying to evaluate how urgent it is that we fix this so the test is being executed again. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#87 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_px_VOU6ofXwAcDl_ehv1oq1pMKIpks5t_B_WgaJpZM4UJC8y> .

[bparees]

The master AWS job currently tests it. We will probably have a single node
oc cluster up test that may be able to use this in the future.

ok, good enough, thanks.

[miminar]

/retest

[legionus]

/retest

[legionus]

/lgtm

[miminar]

Rebased.

[legionus]

/lgtm
/retest

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: legionus, miminar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [legionus,miminar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[miminar]

/retest