Add capability to specify sources for release image content #1910
Note that today the release image and the release image content are not in the same repository (quay.io/openshift-release-dev/ocp-release and ocp-4.0-art-dev-latest). In the future we anticipate moving the content to other locations transparently as we update (to different repos or registries), and we may want to change that after install time, rather than before (i.e. we may not want to hardcode that in the installer, since that is within the payload).
Maybe add a section in here "How to populate the ReleaseImageSources field", and my suggestion would be that we have the mirror command create the correct values that a user cuts and pastes. That allows release mirror to calculate all the values.
Implementing the changes to the mirror command here openshift/origin#23381
Should we consider calling this ReleaseImageSourceRepositories or is that too wordy?
If this is an ordered list, don't we want the primary repository to be listed at the end so that the user knows that the mirrors will be tried first and primary last?
Also, since repositoryDigestMirrors is just a list of sources, we don't really know what the primary repo is, does it mean registries.conf should have an entry for each source listed as the primary? Something like if repositoryDigestMirrors: A, B, C, D then registries.conf will have the following entries
[[registry]] location = A; mirrors = B, C, D
[[registry]] location = B; mirrors = A, C, D
[[registry]] location = C; mirrors = A, B, D
[[registry]] location = D; mirrors = A, B, C
Actually, if repositoryDigestMirrors is supposed to be a consistent order, the mirrors list would also be the same, and include the primary one:
[[registry]] location = A; mirrors = A, B, C, D
[[registry]] location = B; mirrors = A, B, C, D
[[registry]] location = C; mirrors = A, B, C, D
[[registry]] location = D; mirrors = A, B, C, D
(and registries.conf would be modified not to contact the primary one again if it is already listed in mirrors.)
WRT this PR:
- `ReleaseImageSources` should document whether `repository` or `sources.repository` is supposed to be accessed first. Assuming `repository` is the internet-accessible pull spec and `sources.repository` is the list of mirrors, presumably the mirrors should be tried first.
- The example of generated `repositoryDigestMirrors` (and the code generating it) should generate an array of repositories in the order in which they should be attempted; again, assuming `repository` is the internet-accessible pull spec and `sources.repository` is the list of mirrors, and that the mirrors should be tried first, the example above should have `local.registry.com` entries before `q.io` entries in each `sources` array.
I think in general mirrors should be preferred (we get an advantage in both cases) when specified.
should be "continues to be controlled"
remove "a" after "mirrors the"
```
[core@adahiya-0-mbz67-bootstrap ~]$ ls -lah /etc/containers/registries.conf
-rw-------. 1 root root 924 Jun 28 23:14 /etc/containers/registries.conf
[core@adahiya-0-mbz67-bootstrap ~]$ cat /etc/containers/registries.conf
[[registry]]
location = "local.registry.com/ocp/release"
insecure = false
mirror-by-digest-only = true
[[registry.mirror]]
location = "registry.svc.ci.openshift.org/origin/release"
insecure = false
[[registry.mirror]]
location = "registry.svc.ci.openshift.org/origin/4.1-2019-06-27-223758"
insecure = false
[[registry]]
location = "registry.svc.ci.openshift.org/origin/release"
insecure = false
mirror-by-digest-only = true
[[registry.mirror]]
location = "local.registry.com/ocp/release"
insecure = false
[[registry.mirror]]
location = "registry.svc.ci.openshift.org/origin/4.1-2019-06-27-223758"
insecure = false
[[registry]]
location = "registry.svc.ci.openshift.org/origin/4.1-2019-06-27-223758"
insecure = false
mirror-by-digest-only = true
[[registry.mirror]]
location = "local.registry.com/ocp/release"
insecure = false
[[registry.mirror]]
location = "registry.svc.ci.openshift.org/origin/release"
insecure = false
[core@adahiya-0-mbz67-bootstrap ~]$ journalctl -fu bootkube
-- Logs begin at Fri 2019-06-28 23:13:34 UTC. --
Jun 28 23:16:06 adahiya-0-mbz67-bootstrap systemd[1]: bootkube.service: Main process exited, code=exited, status=125/n/a
Jun 28 23:16:06 adahiya-0-mbz67-bootstrap systemd[1]: bootkube.service: Failed with result 'exit-code'.
Jun 28 23:16:12 adahiya-0-mbz67-bootstrap systemd[1]: bootkube.service: Service RestartSec=5s expired, scheduling restart.
Jun 28 23:16:12 adahiya-0-mbz67-bootstrap systemd[1]: bootkube.service: Scheduled restart job, restart counter is at 21.
Jun 28 23:16:12 adahiya-0-mbz67-bootstrap systemd[1]: Stopped Bootstrap a Kubernetes cluster.
Jun 28 23:16:12 adahiya-0-mbz67-bootstrap systemd[1]: Started Bootstrap a Kubernetes cluster.
Jun 28 23:16:12 adahiya-0-mbz67-bootstrap bootkube.sh[2799]: Pulling release image...
Jun 28 23:16:12 adahiya-0-mbz67-bootstrap bootkube.sh[2799]: error pulling image "registry.svc.ci.openshift.org/origin/release:4.2": unable to pull registry.svc.ci.openshift.org/origin/release:4.2: unable to pull image: Error initializing source docker://registry.svc.ci.openshift.org/origin/release:4.2: error loading registries: invalid URL: cannot be empty
[core@adahiya-0-mbz67-bootstrap ~]$ crio --version
crio version 1.13.9-1.rhaos4.1.gitd70609a.el8
```
@umohnani8
@abhinavdahiya v2 registry support was added in cri-o 1.14 cri-o/cri-o#2494. We released cri-o 1.14 for OpenShift last week, I believe it should be in 4.2 soon, if not there already. @mrunalp do you know the timeline for cri-o 1.14 showing up in 4.2 clusters?
It is blocked on a RCM update of a dependency. Hopefully should be done tomorrow.
On Jun 30, 2019, at 3:34 PM, Urvashi Mohnani wrote:
> @abhinavdahiya v2 registry support was added in cri-o 1.14 cri-o/cri-o#2494. We released cri-o 1.14 for OpenShift last week, I believe it should be in 4.2 soon, if not there already. @mrunalp do you know the timeline for cri-o 1.14 showing up in 4.2 clusters?
This would be better with ParseNormalizedNamed. ParseNamed is ParseNormalizedNamed + a check that the input is in one specified form (i.e. you must say docker.io/openshift/foo instead of openshift/foo).
Sure, assuming the content is not going to be hosted on docker.io, this does not matter all that much for this code.
It’s rare that you need to forbid the alternative forms, but copy&pasting code across projects could cause the ParseNamed calls to spread to other user-facing code that should accept other forms and use ParseNormalizedNamed.
OTOH the tests do explicitly test for rejecting the implied-docker.io forms, so if this was intentional, fine.
BTW if this is going to be long-term supporting Windows/containerd / whole-registry mirrors, note that Parse{Normalized,}Named does not accept registry hostnames (without repository specification). Everything here says “repository”, so it’s OK right now.
So I think we do want to make sure people use complete names. No implicit names are allowed.
> BTW if this is going to be long-term supporting Windows/containerd / whole-registry mirrors, note that Parse{Normalized,}Named does not accept registry hostnames (without repository specification)
can you expand a little with examples of how this will break for windows...?
reference.ParseNamed("a.example.com") interprets the input as docker.io/library/a.example.com and rejects it with "repository name must be canonical".
> reference.ParseNamed("a.example.com") interprets the input as docker.io/library/a.example.com and rejects it with "repository name must be canonical".
I think it is rejecting it correctly right?
Yes, “correctly” in the sense that the code wanted a repository in canonical form, the input was not a repository in canonical form.
Just pointing out that eventually we might need to support hostnames as well — but the validation can certainly be relaxed (or a separate, differently-validated field, can be added) later when/if that arises.
… FWIW the context is that CRI-O does not currently run on Windows, and containerd’s mirroring configuration is only at the registry (= host:port) resolution. (Of course, this particular bit of configuration would be one of the smaller things that need changing, the whole mirroring process would need adapting for the idea that the mirror must mirror all of (the relevant parts of) the registry, not just a single repository.)
Couldn’t this just encode a sysregistriesv2.V2RegistriesConf object directly instead of hard-coding the current set of fields of $r?
… sorry, probably not trivially in the template language, without adding helpers at least.
@abhinavdahiya cri-o 1.14 is in 4.2 now. Tests should pass now after rebase
/retest
/retest
pkg/types/installconfig.go
Before we hit GA we should clean up this description, I think it's fine for now.
API is fine, we can clean up godoc later. Do you need deeper review than that?
/hold cancel
/retest
@abhinavdahiya needs rebase.
The document outlines the proposal and details for using alternate source/repositories for release-image. The proposal is driven by the fact that only flows using the `oc adm release mirror` to create the alternate sources for release-image will be supported.
* ImageContentSources is the list of sources/repositories for pulling a content.
* Adds the validation that all the repositories in the ImageContentSources must be fully-qualified names [1], and ensuring each group of sources is a disjoint set.
[1]: https://github.com/containers/image/blob/abf32c4ea589cb8e96bdca5a478dba68f11980e5/docker/reference/regexp.go#L53-L56
…s.conf for bootstap
* Creates a new asset releaseimage.Image for generating the release-image.
* Updates the ignition.bootstrap to use the releaseimage.Image asset to calculate the release-image
* also updates the `version` subcommand to find the embedded default release-image from new package.
* creates the containers-registries.conf file from the ImageContentSources from InstallConfig
…for the release-image
* Create a ImageContentSourcePolicy [1] cluster scoped object with name `release-image`
* Uses the releaseimage.Sources asset to generate the `RepositoryDigestMirrors` [2] for the release-image
[1]: https://github.com/openshift/api/blob/de5ca909c7322bb8d06fa5a9e5604491b373da52/operator/v1alpha1/types_image_content_source_policy.go#L11
[2]: https://github.com/openshift/api/blob/de5ca909c7322bb8d06fa5a9e5604491b373da52/operator/v1alpha1/types_image_content_source_policy.go#L35
…ub.com/openshift/api
* github.com/containers/image : helps in validation of image references and creating the containers-registries.conf [1] for bootstrap node.
* github.com/openshift/api : brings in the ImageContentSourcePolicy type [2]
[1]: https://github.com/containers/image/blob/v2.0.0/docs/containers-registries.conf.5.md#name
[2]: https://github.com/openshift/api/blob/de5ca909c7322bb8d06fa5a9e5604491b373da52/operator/v1alpha1/types_image_content_source_policy.go#L11
| Release Image q.io/ocp/release-x.y@sha256:abcd was successfully mirrored to local.registry.com/ocp/release-x.y@sha256:abcd | ||
|
|
||
| Following section can be added to the install-config.yaml to create a cluster using new repository: | ||
| imageContentSources: |
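Review bot: The sentence "Following section can be added to the install-config.yaml to create a cluster using new repository:" is missing its articles; suggest "The following section can be added to the install-config.yaml to create a cluster using the new repository:". The mirrored pull spec on the line above is given by digest (`@sha256:abcd`), so it would also help to state here whether the new repository is used only for by-digest pulls.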
Should this be imageContentSource:? I'm seeing both in this code and I need to align with my PR for oc. openshift/origin#23381
I think it needs to be imageContentSources based on the json tag on the actual install-config
https://github.com/openshift/installer/blame/bea51930a0e49b5da2fb58f2184ba27e79ceeb6c/docs/dev/alternative_release_image_sources.md#L29
Thanks! I'll update the mirror command.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: abhinavdahiya, patrickdillon
/retest
/retest Please review the full test history for this PR and help us cut down flakes.
/skip
/test e2e-aws
…sage This code-branch should be very rare, probably mostly internal testing. A chattier line in those situations isn't a big user-experience concern, and including the pullspec makes it easier for folks who are trying to understand internal-test results to figure out which pullspec was being used. The log line is originally from 456a373 (pkg: Use the sources from InstalConfig to create containers-registries.conf for bootstap, 2019-06-28, openshift#1910), and it was tweaked in cd0b70f (asset: Make warning message read for humans, 2019-09-15, openshift#2361), and neither of those make explicit arguments for why they didn't include the pullspec.
add new fields to allow specifying the sources for release image
setup the bootstrap node with mirrors `/etc/containers/registries.conf`
Adds a new asset releaseimage.Source that uses the ReleaseImageSources to calculate the sources for release-image.
Adds the containers-registries.conf template to create the registry sections [1], when more than one source has been configured for the release-image.
For a list of sources, the containers-registries.conf is set up so that each source can use all the other sources in the list as mirrors.
For example, if the list of sources is a, b, c, d, then the containers-registries.conf is set up like:
registry = a, mirrors = b, c, d
registry = b, mirrors = a, c, d
registry = c, mirrors = a, b, d
registry = d, mirrors = a, b, c
For each registry only mirror-by-digest is set to true.
push the image content source policy object for release image
`ImageContentSourcePolicy` cluster scoped object with name `release-image`
`ImageContentSourcePolicy`'s `RepositoryDigestMirrors` for the release-image.
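The registries.conf layout described above (every source gets all other sources of its group as mirrors, with `mirror-by-digest-only = true`) together with the fully-qualified and disjoint-group validation discussed in the review, as an added Go example that is not the installer's own code. `fullyQualified` and `renderRegistriesConf` are hypothetical names, and `fullyQualified` is a simplified stand-in for `reference.ParseNamed`, not that function.

```go
package main

import (
	"fmt"
	"strings"
)

// fullyQualified is a simplified stand-in for reference.ParseNamed (assumption):
// a registry host must come first, a repository must follow, no tag or digest.
func fullyQualified(repo string) bool {
	i := strings.Index(repo, "/")
	if i <= 0 || i == len(repo)-1 || strings.ContainsAny(repo[i:], "@:") {
		return false
	}
	return strings.ContainsAny(repo[:i], ".:") || repo[:i] == "localhost"
}

// renderRegistriesConf rejects implicit names and overlapping groups, then emits
// one [[registry]] per source with its group peers as digest-only mirrors.
func renderRegistriesConf(groups [][]string) (string, error) {
	seen := map[string]bool{}
	var b strings.Builder
	for _, group := range groups {
		for _, repo := range group {
			if !fullyQualified(repo) {
				return "", fmt.Errorf("%q is not a fully-qualified repository", repo)
			}
			if seen[repo] {
				return "", fmt.Errorf("%q is listed more than once", repo)
			}
			seen[repo] = true
		}
		for i, repo := range group {
			fmt.Fprintf(&b, "[[registry]]\nlocation = %q\ninsecure = false\nmirror-by-digest-only = true\n", repo)
			for j, m := range group {
				if j != i {
					fmt.Fprintf(&b, "[[registry.mirror]]\nlocation = %q\ninsecure = false\n", m)
				}
			}
		}
	}
	return b.String(), nil
}

func main() {
	// Constructed input: two of the sources from the bootstrap session on this page.
	conf, err := renderRegistriesConf([][]string{{"local.registry.com/ocp/release", "registry.svc.ci.openshift.org/origin/release"}})
	fmt.Println(conf, err)
}
```

A bare hostname such as `a.example.com` or an implied-docker.io name such as `openshift/foo` is rejected before anything is written, which matches the strict behaviour the reviewers agreed on for this field.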