Add pull-from-mirror for adding per-mirror level restrictions #1411
Conversation
|
@mtrmac @vrothberg Could you review? |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
05f001d
to
f1b55f8
Compare
QiWang19
changed the title
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
f1b55f8
to
522c3f4
Compare
QiWang19
force-pushed
the
digest-set-for-mirror
branch
2 times, most recently
from
33e1e10
to
cd80244
Compare
|
@vrothberg @mtrmac PTAL |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
cd80244
to
dff5d35
Compare
|
@vrothberg PTAL. |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
2 times, most recently
from
f23b1f1
to
d3363ea
Compare
|
@mtrmac PTAL |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
d3363ea
to
ffb4bb3
Compare
|
@mtrmac Could you review? |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
ffb4bb3
to
cfc5a3a
Compare
|
@mtrmac Could you review? |
There was a problem hiding this comment.
I apologize for the late response.
This does work fine, and it’s perfectly sufficient for correctness.
OTOH it doesn’t implement openshift/enhancements#929 as currently proposed. That enhancement has a separate list of per-digest mirrors and per-tag mirrors, i.e. it is possible to have a tag-only mirror.
I can imagine, with absolutely no data, that some users might want to use “cheap” mirrors for digested references, and only use “more expensive”, better-secured, mirrors for tagged references. But even in that hypothetical case, I find it fairly hard to argue that they’d rather have a failed pull than use the “more expensive” mirror.
So, for c/image, I think this could well be sufficient — and users might set up the configuration so that digest-only mirrors are listed before the digest+tag mirrors, if they wanted to avoid use of a “costly” digest+tag mirror.
But it’s pretty surprising to introduce the OpenShift feature, and this underlying design for an implementation of the OpenShift feature, at the same time, but not have them do exactly the same thing. So either c/image should allow configuring tag-only mirrors, or the OpenShift CR should be changed so that the “tag” mirrors are documented to also be used for digested references.
It’s somewhat likely that there was an earlier conversation about this that I can’t remember/find; is there?
Except I can find #1407 (comment) , so it’s quite possible that the current inconsistent state of things is my fault. If that’s the case, I’m sorry.
docs/containers-registries.conf.5.md
Outdated
| Also note that if all mirrors in the `mirror` array have `digest-only = true`, images referenced by a tag will only use the primary | ||
| registry, failing if that registry is not accessible. |
There was a problem hiding this comment.
I don’t think we need the note about only using the primary twice; it’s a side point and not that important.
Maybe leave the note in the previous location (which is “outside” of the mirror-by-digest-only definition list entry anyway), and just write “if all mirrors are configured to be digest-only”, without mentioning a specific field name.
There was a problem hiding this comment.
The digest-only copy will, I assume be removed — then the only copy of this note should be a separate paragraph, not a part of the mirrors-by-digest-only paragraph.
| @@ -675,6 +675,72 @@ func TestPullSourcesFromReference(t *testing.T) { | |||
| assert.Equal(t, 1, len(pullSources)) | |||
| } | |||
|
|
|||
| func TestPullSourcesMirrorFromReference(t *testing.T) { | |||
| sys := &types.SystemContext{ | |||
There was a problem hiding this comment.
To make it easier for the future, could TestPullSourcesFromReference be modified to use the same table-driven format, and then these tests added to that function, without adding a new config file?
It’s a bit out of scope (especially with the testing for Location/Insecure), so I’m perfectly fine with doing that work myself later, in a separate PR.
There was a problem hiding this comment.
ok, I'd leave that to you.
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
cfc5a3a
to
6603bcd
Compare
Does the tag-only mirrors mean the registry reference without tag should be rejected in the case? The openshift/enhancements#929 proposed to allow using tags, not to limit the use to tag-only. |
|
By tag-only mirrors I mean mirrors that aren’t used for digested references. Digested references would only use digest-only mirrors (if any), not the tag-only mirrors, and the primary (non-mirror) location. The enhancement’s Given ISDP ( I don’t have a very strong opinion on whether to change this implementation or the OpenShift CR. |
The former one follows current implementation, like the testcase I think you mean the digest example, |
Yes, my mistake. Thanks. |
|
@mtrmac I fixed the reviews, PTAL. |
There was a problem hiding this comment.
Thanks! The implementation LGTM, just some test and documentation nits.
I don’t think it would be reasonable to block this PR on the inconsistency with OpenShift plans, per #1411 (review) . But I do hope there’s some plan to address that.
I suppose another c/image PR that adds another per-mirror option can land later, or something.
| pullSource, err := registry.PullSourcesFromReference(digestedRef) | ||
| assert.Nil(t, err) | ||
| for i, s := range tc.digestSources { | ||
| assert.Equal(t, s, pullSource[i].Endpoint.Location) |
There was a problem hiding this comment.
Absolutely non-blocking: Testing pullSource[i].Reference would be more directly related to the end-user-wanted behavior.
But this works just fine, and I can clean that up later when unifying the two tests.
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
6603bcd
to
eea9df4
Compare
QiWang19
force-pushed
the
digest-set-for-mirror
branch
3 times, most recently
from
84f966d
to
165cb39
Compare
|
@vrothberg @mtrmac PTAL. |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
165cb39
to
0549bd7
Compare
|
@mtrmac Could you review it? |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
0549bd7
to
be9bfd1
Compare
|
@vrothberg @mtrmac PTAL |
| switch mirror.PullFromMirror { | ||
| case MirrorByDigestOnly: | ||
| if !isDigested { | ||
| continue | ||
| } | ||
| endpoints = append(endpoints, mirror) | ||
| case MirrorByTagOnly: | ||
| if isDigested { | ||
| continue | ||
| } | ||
| endpoints = append(endpoints, mirror) | ||
| default: | ||
| endpoints = append(endpoints, mirror) | ||
| } |
There was a problem hiding this comment.
| switch mirror.PullFromMirror { | |
| case MirrorByDigestOnly: | |
| if !isDigested { | |
| continue | |
| } | |
| endpoints = append(endpoints, mirror) | |
| case MirrorByTagOnly: | |
| if isDigested { | |
| continue | |
| } | |
| endpoints = append(endpoints, mirror) | |
| default: | |
| endpoints = append(endpoints, mirror) | |
| } | |
| switch mirror.PullFromMirror { | |
| case MirrorByDigestOnly: | |
| if !isDigested { | |
| continue | |
| } | |
| case MirrorByTagOnly: | |
| if isDigested { | |
| continue | |
| } | |
| } | |
| endpoints = append(endpoints, mirror) |
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
be9bfd1
to
5d29fb7
Compare
Close: containers#1407 Add pull-from-mirror: all, digest-only, tag-only for adding per-mirror level restrictions to image pull through mirrors. The `mirror-by-digest-only` for primary is still allowed configuring, and it is honored for compatibility Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19
force-pushed
the
digest-set-for-mirror
branch
from
5d29fb7
to
0642df2
Compare
|
@vrothberg @mtrmac PTAL. This is ready to get merged. |
|
@mtrmac @vrothberg can we have a new release for this feature? |
|
Sure, a new release sounds fine. @vrothberg WDYT? Is there any reason not to, or anything urgent we should finish first? |
|
Releasing now SGTM. Thanks for working on this, @QiWang19! |
|
#1514 filed to release v5.21.0. |
Follow up PR: containers#1411 (comment) Merge the test and test data of TestPullSourcesMirrorFromReference to TestPullSourcesFromReference Signed-off-by: Qi Wang <qiwan@redhat.com>
Follow up PR: containers#1411 (comment) Merge the test and test data of TestPullSourcesMirrorFromReference to TestPullSourcesFromReference Signed-off-by: Qi Wang <qiwan@redhat.com>
Follow up PR: containers#1411 (comment) Merge the test and test data of TestPullSourcesMirrorFromReference to TestPullSourcesFromReference Signed-off-by: Qi Wang <qiwan@redhat.com>
Follow up PR: containers#1411 (comment) Merge the test and test data of TestPullSourcesMirrorFromReference to TestPullSourcesFromReference Signed-off-by: Qi Wang <qiwan@redhat.com>
Follow up PR: containers#1411 (comment) Merge the test and test data of TestPullSourcesMirrorFromReference to TestPullSourcesFromReference Signed-off-by: Qi Wang <qiwan@redhat.com>
Close: #1407
Add pull-from-mirror: all, digest-only, tag-only for adding per-mirror level restrictions
The
mirror-by-digest-onlyfor primary is still allowed configuring,and it is honored for compatibility
Signed-off-by: Qi Wang qiwan@redhat.com