Bug 1951203: Allow users to set a limit on ICSP file size #818
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: awgreene The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
awgreene
force-pushed
the
split-large-icsp
branch
4 times, most recently
from
303e11e
to
6b8f059
Compare
awgreene
force-pushed
the
split-large-icsp
branch
4 times, most recently
from
7b6fc2d
to
da6c904
Compare
awgreene
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Aside from test failures, this lgtm |
awgreene
force-pushed
the
split-large-icsp
branch
5 times, most recently
from
0458848
to
f5e7b34
Compare
|
Unit tests will keep failing until #821 is merged. |
|
/test e2e-metal-ipi-ovn-ipv6 |
awgreene
changed the title
openshift-ci
bot
added
the
bugzilla/severity-medium
|
@awgreene: This pull request references Bugzilla bug 1951203, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
bugzilla/invalid-bug
|
/bugzilla refresh |
openshift-ci
bot
added
the
bugzilla/valid-bug
That's why I'm pushing towards fixing the root cause of generating this many ICSP entries over exposing a flag which is confusing and might introduce a set of other problems. |
it doesn't matter why it happened. Whether or not there is another bug, it is perfectly valid to fix this command so that it cannot/does not generate ICSPs which are too big to be applied to the cluster. So we can get back to you on "why did it happen/is there a bug in the generation"(I would assume/hope the OLM team did that investigation before producing this fix, but sure, we can sanity check that) but that is not sufficient reason to block a change that makes the generation logic safer: "we know generated content larger than 1meg is invalid, so break that content up into pieces". We know the limit exists, we should update the command to respect the limit. And if we agree that it it's reasonable to protect ourselves from etcd limits, then the next question is, "should we also make that protection configurable" for which i again say "i can think of no good reason not to give ourselves that escape hatch. The addition of the flag(which has a sane default value) does not meaningfully impact users (oc adm catalog mirror has 14 flags already, many of which are not "normally" needed)" |
| for key := range registryMapping { | ||
| icsp.Spec.RepositoryDigestMirrors = append(icsp.Spec.RepositoryDigestMirrors, operatorv1alpha1.RepositoryDigestMirrors{ | ||
| Source: key, | ||
| Mirrors: []string{registryMapping[key]}, | ||
| }) | ||
| y, err := yaml.Marshal(icsp) |
There was a problem hiding this comment.
@awgreene out of curiousity, did this add any significant processing time? marshalling the icsp once for every mapping entry when there are hundreds/thousands?
There was a problem hiding this comment.
I can run a performance check but I did not see a significant change when running the tool locally with ~600 entries.
|
Thanks for all the conversation @bparees and @soltysh. The crux of the conversation seems to focus primarily around this point:
The oc adm mirror catalog is generating the correct number of ICSPs. When generating an ICSP for a catalog with the I tested the existing oc command generated from the master branch against the 4.8 RH Catalog to better understand the current size of the generated ICSP using the following command: The ICSP is 93857 bytes large and contains 579 entries, this file will continue to grow as more operators are added to the catalog. To @soltysh's point, users will probably hit the 262144 byte annotation limit, which might make 250000 bytes a more sane default. However, if any other annotations exist on the ICSP (possibly by means |
currently this PR defaults it to 1,000,000 bytes, right? If we know that a 300,000 byte ICSP will break (because the entire ICSP shows up as an annotation, aiui?), then shouldn't we default it to a 250,000 limit? In my mind the default should be the lowest value we know will prevent breakage in a standard customer environment. The point of making it user configurable is for the case where a customer environment has higher or lower limits (e.g. they tuned their etcd object size limit). |
Correct, I did not know that this annotation size limit existed until I saw @soltysh's review.
Agreed. |
Problem: It is possible for the `oc adm catalog mirror` command to generate ICSPs that are greater than 262144 bytes in size. ICSPs that exceed 262144 bytes are likely to fail when applied to the cluster if the objec already existed in an early state as the `kubectl.kubernetes.io/last-applied-configuration` annotation will likely exceed the 262144 annotation byte limit. Solution: Introduce a the max-icsp-size flag to the `oc adm catalog mirror` command, allowing users to specify the maximum byte size of ICSP files generated by the command. If an ICSP would exceed this limit, create and begin writting mirrors to a new ICSP. The default ICSP limit is 250000 bytes.
awgreene
force-pushed
the
split-large-icsp
branch
from
3c862c4
to
aa2615e
Compare
|
@bparees I set the default to 250000 in the latest version of the PR. |
|
/lgtm @soltysh if you still have concerns we can discuss on slack tomorrow, i'd like to get this fix merged before 4.8 hits code freeze EOD tomorrow. |
My default thinking is we know better than user how to properly limit these, rarely do users need to change that limit. From my experience with oc and kubectl I know that the more flags the more confusion we introduce to the users. I'm very reluctant adding more flags just in case, which is how this sounds. Having said that, I'll give you a free pass on this one 😄 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene, bparees, kevinrizza, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-ci
bot
removed
the
do-not-merge/hold
|
/retest Please review the full test history for this PR and help us cut down flakes. |
6 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@awgreene: All pull requests linked via external trackers have merged: Bugzilla bug 1951203 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| icsps := [][]byte{} | ||
|
|
||
| for i := 0; len(registryMapping) != 0; i++ { | ||
| icsp, err := generateICSP(out, source+"-"+strconv.Itoa(i), maxICSPSize, registryMapping) |
There was a problem hiding this comment.
@awgreene , is there a reason to add a suffix for the name of the ICSP object we are creating?
That way, the generated object name is different than the name the user requested.
/cc @tiraboschi
There was a problem hiding this comment.
this may have another unintended consequence.
If we create an ICSP with name "myname" it will be created with "myname-0"
if we check for an ICSP with name "myname" it will not be there. So if we then create another ICSP with the name "myname" it will clash on "myname-0" already existing.
There was a problem hiding this comment.
@awgreene , is there a reason to add a suffix for the name of the ICSP object we are creating?
That way, the generated object name is different than the name the user requested.
Good morning @orenc1, thanks for taking a look at this PR. This is an intentional change. The ICSPs generated when mirroring each repository can easily exceed the:
- Maximum annotation key size when using the
oc applycommand - Maximum ETCD object store size
Using the user provided name would fail to handle either of the situations described above as the generated ICSP would be rejected when applied to the cluster.
this may have another unintended consequence.
If we create an ICSP with name "myname" it will be created with "myname-0"
if we check for an ICSP with name "myname" it will not be there. So if we then create another ICSP with the name "myname" it will clash on "myname-0" already existing.
This is true but I fail to understand how this is an issue. The second attempt to create the ICSP should notify the user that the ICSP already exists and that the ICSP has already been applied to the cluster. Furthermore, if you are concerned about removing the ICSPs, the oc adm catalog mirror --help command provides an example command for cleaning up the ICSPs it has previously generated..
No description provided.