-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable to apply registry configuration to stargz snapshotter #1733
Conversation
Ready for review. Currently, lazypull-related integration tests depend on containerd worker. |
@tonistiigi @AkihiroSuda PTAL 😄 |
3e50166
to
bfc1628
Compare
needs rebase |
rebased. |
The session handling in here does not look ok to me. We can't keep the session ID as ref properties. It needs to come from the caller invoking the call as sessions can drop and switch anytime. I've also started some refactoring around the lazy pull to fix some issues related to this but wip, https://github.com/tonistiigi/buildkit/pull/new/session-remote |
@tonistiigi Thanks for the comment and the refactoring patch! Based on your lazypull & session refactoring patch, this PR can be modified not to contain session IDs as ref properties in Instead, session IDs passed through |
d54eb45
to
fc91fd9
Compare
@tonistiigi @AkihiroSuda |
202df21
to
39ff855
Compare
Sorry, this got stuck. @ktock needs rebase @AkihiroSuda for re-review |
Thanks for resuming this. Rebased. |
cache/refs.go
Outdated
} | ||
dh := dhs[desc.Digest] | ||
if dh == nil { | ||
return false, nil | ||
continue // no info psased; skip |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit passed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed this.
cache/refs.go
Outdated
snapshotID := getSnapshotID(sr.md) | ||
if _, err := sr.cm.Snapshotter.Stat(ctx, snapshotID); err == nil { | ||
return true, nil | ||
func (sr *immutableRef) withRemoteSnapshotLabels(ctx context.Context, s session.Group, f func()) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this function is only called for stargz then please add it to the name. Same for the next one. Otherwise, they look expensive to be called by other code paths. Maybe even move stargz specific functions to separate file (this can be done as follow up if there is more code than these functions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added the prefix StargzMode
to each function name.
https://github.com/moby/buildkit/pull/1733/checks?check_run_id=1774129959
|
All green except |
@ktock Not sure why this got stuck. Can you rebase just in case to let the test run in the new merge base. |
Rebased and bumped stargz snapshotter to the latest (v0.6.4). |
@ktock Another rebase required 😅 |
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
Following-up: #1760
Related: containerd/stargz-snapshotter#149
Currently, stargz snapshotter + OCI worker can't do
~/.docker/config.json
-based authentication because the registry configurationresolver.DefaultPool.GetResolver().hostsFunc()
(including session-based authorizer*resolver.dockerAuthorizer
) isn't passed to that snapshotter. This patch addresses this issue.A remote snapshot is possibly used by multiple builds. And that snapshot's labels (including image refs, session IDs for fetching creds, etc.) for fetching that content possibly differ on each of these builds. So this commit allows these builds to append snapshot labels to that remote snapshot, every time they use that snapshots.
In this patch, on each time a remote snapshot is used, corresponding labels (containing image refs, session IDs etc.) are appended to that snapshot temporarily (so they are removed after that use). Here, these labels' keys are suffixed with unique IDs for avoiding collision among simultaneous uses of that snapshot. When the connection of that remote snapshot needs to be resolved (or refreshed), all labels appended to that snapshot at that moment are parsed and this source-related information (including session-based authorizer) is passed to the snapshotter (this is done in (cmd/buildkitd).sourceWithSession()). Then the snapshotter resolves/refreshes that snapshot's connection using that information.
*immutableRef.withRemoteSnapshotLabels()
is a function wrapper for appending remote labels to snapshots temporarily. This takes afunc()
and ensure that:func()
, remote snapshot labels contained in*immutableRef.descHandlers
are appended to all remote snapshots chained in that*immutableRef
.func()
, these labels are removed.Here, no label will be appended to non-remote snapshots.
In this patch, functions that invoke snapshotter's
Prepare
/View
/Mounts
API are wrapped with*immutableRef.withRemoteSnapshotLabels()
.The above integration is only available for oci worker. When we use containerd worker + stargz snapshotter, the registry logic is still separated.