Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Only obtain a bearer token once at a time #1968

Draft
wants to merge 13 commits into
base: main
Choose a base branch
from
Draft

WIP: Only obtain a bearer token once at a time #1968

wants to merge 13 commits into from

Conversation

mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented May 29, 2023

Currently, on pushes, we can start several concurrent layer pushes; each one will check for a bearer token in tokenCache, find none, and ask the server for one, and then write it into the cache.

So, we can hammer the server with 6 basically-concurrent token requests. That's unnecessary, slower than just asking once, and potentially might impact rate limiting heuristics.

Instead, serialize writes to a bearerToken so that we only have one request in flight at a time.

This does not apply to pulls, where the first request is for a manifest, which obtains a token, so subsequent concurrent layer pulls will not request a token again.

WIP: Clean up the debugging log entries.

@mtrmac mtrmac mentioned this pull request May 29, 2023
Open
mtrmac
mtrmac commented May 29, 2023
View reviewed changes
docker/docker_client.go Outdated Show resolved Hide resolved
docker/docker_client.go Outdated Show resolved Hide resolved
@mtrmac mtrmac force-pushed the shared-token branch 4 times, most recently from 84d61b4 to e2c713b Compare June 1, 2023 17:50
@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label Jun 30, 2023
@mtrmac mtrmac mentioned this pull request Jul 31, 2023
Closed
@mtrmac mtrmac mentioned this pull request Apr 2, 2024
Merged
mtrmac added 13 commits April 5, 2024 18:26
@mtrmac
Use an explicit lock for dockerClient.tokenCache instead of sync.Map
8af4daa 
We will want to manage concurrency in more detail.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Make tests of newBearerTokenFromJSONBlob mostly table-based
3802d71 
... to reduce repetitiveness, and allow updating them in a single place.

Should not change (test) behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Simplify tests of newBearerTokenFromJSONBlob further
383667b 
Inline assertBearerTokensEqual . Use testify instead of manual t.Fatalf.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Split the token storage type from the JSON representation
613c939 
We will want to add locks and more to the in-memory type;
sharing that with JSON gets awkward, and an explicit separation
between the externally-imposed structure and internal records
is cleaner anyway.

For now, just introduces a separate type with the same structure,
should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Make bearerToken.Token private
3f0f675 
No need to make it a public field now.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Add tests for bearerToken.expirationTime
832f1c1 
That's the value that really matters, not the inputs;
and we will remove the inputs from bearerToken.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Remove unnecessary fields from bearerToken
0655e11 
These fields need to exist when parsing JSON; but we can just
record the outcome of processing them.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Split obtainBearerToken from dockerClient.setupRequestAuth
44fb923 
... because we will make it more complex.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Exit early from obtainBearerToken if c.registryToken is set
4858d29 
... to decrease indentation and remove a variable.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Store a pointer to a bearerTokn in tokenCache
d452c5a 
We will want to add a lock to it, so we must stop copying it by value.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Move creation of bearerToken to obtainBearerToken
68c30c8 
Instead of having getBearerToken* construct a new bearerToken
object, have the caller provide one.

This will allow us to record that a token is being obtained,
so that others can wait for it.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Move bearerToken.readFromJSONBlob closer to its callers
560f6cc 
Only moves unchanged code, should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
WIP: Only obtain a bearer token once at a time
fba06ab 
Currently, on pushes, we can start several concurrent layer pushes;
each one will check for a bearer token in tokenCache, find none,
and ask the server for one, and then write it into the cache.

So, we can hammer the server with 6 basically-concurrent token requests.
That's unnecessary, slower than just asking once, and potentially might
impact rate limiting heuristics.

Instead, serialize writes to a bearerToken so that we only have one request in
flight at a time.

This does not apply to pulls, where the first request is for a manifest;
that obtains a token, so subsequent concurrent layer pulls will not request
a token again.

WIP: Clean up the debugging log entries.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
kind/feature A request for, or a PR adding, new functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@mtrmac