Registry catalog #87
Registry catalog #87
Conversation
openshift-ci-robot
added
size/L
openshift-ci-robot
added
the
do-not-merge/work-in-progress
pkg/dockerregistry/server/catalog.go
Outdated
| ) error { | ||
| var start string | ||
|
|
||
| osClient, err := r.client.Client() |
There was a problem hiding this comment.
Probably user's token should be used instead. The registry cannot list imagestreams ATM, but we can be sure that user can thanks to the SAR check.
Otherwise list imagestreams needs to be added to system:registry cluster role.
There was a problem hiding this comment.
using the user's token seems reasonable to me...
pkg/dockerregistry/server/app.go
Outdated
| return r.registry.Repository(ctx, name) | ||
| } | ||
|
|
||
| func (r *registry) Repositories(ctx context.Context, repos []string, last string) (n int, err error) { |
There was a problem hiding this comment.
Also a good candidate for metrics. Suitable as a follow-up after this and #79 are merged.
pkg/dockerregistry/server/app.go
Outdated
| repositoryEnumerator RepositoryEnumerator | ||
| } | ||
|
|
||
| type registry struct { |
There was a problem hiding this comment.
Note to myself: Maybe worth its own file (to complement already existing registry_test.go).
pkg/dockerregistry/server/app.go
Outdated
| @@ -55,16 +57,44 @@ type App struct { | |||
|
|
|||
| // cache is a shared cache of digests and descriptors. | |||
| cache cache.DigestCache | |||
|
|
|||
| // repositoryEnumerator allows to enumerate repository names known to registry | |||
| repositoryEnumerator RepositoryEnumerator | |||
There was a problem hiding this comment.
This could be just the lru cache of opaque blobs. Putting on TODO.
pkg/dockerregistry/server/catalog.go
Outdated
| last string, | ||
| ) (n int, err error) { | ||
| if len(repos) == 0 { | ||
| // Client explicitely requested 0 results. Returning nil for error seems more appropriate but this is |
pkg/dockerregistry/server/catalog.go
Outdated
| // Client explicitely requested 0 results. Returning nil for error seems more appropriate but this is | ||
| // more in line with upstream does. Returning nil actually makes the upstream code panic. | ||
| // TODO: patch upstream? /_catalog?n=0 results in 500 | ||
| return 0, errors.New("no space in slice") |
There was a problem hiding this comment.
can we at least return a better error than "no space in slice", like "client requested zero entries"?
There was a problem hiding this comment.
If we'll use this API somewhere else, the message about the client will provide misleading information.
There was a problem hiding this comment.
still seems like there is a more informative message we can provide/bubble up. it's pretty much a self-inflicted+correctable error, so the error text should make that clear.. "no space in slice" makes it sound like an internal error where we ran out of memory and nothing can be done w/o changing code.
pkg/dockerregistry/server/catalog.go
Outdated
| ) error { | ||
| var start string | ||
|
|
||
| osClient, err := r.client.Client() |
There was a problem hiding this comment.
using the user's token seems reasonable to me...
pkg/dockerregistry/server/catalog.go
Outdated
| name := fmt.Sprintf("%s/%s", is.Namespace, is.Name) | ||
| if len(last) > 0 && name <= last { | ||
| if !warned { | ||
| context.GetLogger(ctx).Warnf("pagination not working -> filtering the full image stream list") |
There was a problem hiding this comment.
What should I do when I see this warning in the log?
There was a problem hiding this comment.
Check if you run the registry against different version of master API. The message seemed too long already but I can add the suggestion.
There was a problem hiding this comment.
Can this situation be handled by enumerateImageStreams, so that we don't need to spread this hack by the code?
pkg/dockerregistry/server/catalog.go
Outdated
| case nil: | ||
| err = io.EOF | ||
| default: | ||
| context.GetLogger(ctx).Errorf("failed to enumerate repositories: %v", err) |
There was a problem hiding this comment.
Do we need this? I would expect the upstream code to log this error.
There was a problem hiding this comment.
You are right, the returned error is logged, I've removed the logging statement.
pkg/dockerregistry/server/catalog.go
Outdated
| Continue: start, | ||
| }) | ||
|
|
||
| if err != nil { |
There was a problem hiding this comment.
The master may respond with 410 ResourceExpired, that should be treated as an indication to repeat the query without Continue.
There was a problem hiding this comment.
Good point, I'll handle the case.
pkg/dockerregistry/server/catalog.go
Outdated
| } | ||
|
|
||
| if len(last) > 0 { | ||
| if c, ok := r.cache.Get(last); !ok { |
There was a problem hiding this comment.
Can we use this token twice?
There was a problem hiding this comment.
Yes, from what I understand, the same token can be returned to two different clients or to two different requests.
|
Addressed most of the comments. |
|
|
||
| if len(last) > 0 { | ||
| if c, ok := r.cache.Get(last); !ok { | ||
| context.GetLogger(ctx).Warnf("failed to find opaque continue token for last repository=%q -> requesting the full image stream list instead of %d items", last, limit) |
There was a problem hiding this comment.
Not necessary, but it will add to legibility and robustness.
miminar
force-pushed
the
repository-catalog
branch
from
ee5335b
to
ef613c0
Compare
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
Added unit tests and squashed. |
miminar
force-pushed
the
repository-catalog
branch
from
ef613c0
to
7fef2aa
Compare
To sustain registry catalog API implemented in openshift/image-registry#87 Not really necessary since registry will attempt to use user's token. But a fall-back to registry client depends on this policy. Signed-off-by: Michal Minář <miminar@redhat.com>
miminar
force-pushed
the
repository-catalog
branch
2 times, most recently
from
f2f9660
to
78f5f9e
Compare
|
My main concern that it will perform poorly behind load balancers without sticky sessions. And as I can see, the optimistic way when we have an opaque token is not tested. If we are fine with slow requests, then LGTM. |
specifically the pagination you mean? |
|
Our docker-registry's service has |
openshift-bot
added
the
needs-rebase
miminar
force-pushed
the
repository-catalog
branch
from
78f5f9e
to
439bfe0
Compare
openshift-bot
removed
the
needs-rebase
|
Rebased. |
|
Re:
/retest |
|
@openshift/sig-continuous-infrastructure to rescue:
|
|
Does test-prune-images assume it has access to the docker socket on the host where the e2e test runs? IF so it should be |
|
yes it looks like hardprune.go is building an image locally to push into the registry in order to tightly control the structure of the image being produced. |
|
@smarterclayton if we mark it [local], under what conditions will it still get run? |
|
(marking it local here: openshift/origin#20061) |
|
When run as part of a single node installation.
Extended tests shouldn’t depend on local access to the node. Use a
privileged pod if you need to check host stuff (and remember, you would
fail on crio).
On Jun 21, 2018, at 1:11 PM, Ben Parees <notifications@github.com> wrote:
@smarterclayton <https://github.com/smarterclayton> if we mark it [local],
under what conditions will it still get run?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#87 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AG7fCsqIs5yIAelUtbJ-NepnV2cErGXxks5t-9O2gaJpZM4UJC8y>
.
|
@smarterclayton right, so does any of our PR testing on either origin or image-registry exercise the extended tests on a single node installation? That is my fundamental question here... once i tag the test as
I get it, trying to evaluate how urgent it is that we fix this so the test is being executed again. |
|
On Jun 21, 2018, at 6:36 PM, Ben Parees <notifications@github.com> wrote:
When run as part of a single node installation.
@smarterclayton <https://github.com/smarterclayton> right, so does any of
our PR testing on either origin or image-registry exercise the extended
tests on a single node installation? That is my fundamental question
here... once i tag the test as [local] will we still know if something
breaks it.
The master AWS job currently tests it. We will probably have a single node
oc cluster up test that may be able to use this in the future.
Extended tests shouldn’t depend on local access to the node. Use a
privileged pod if you need to check host stuff (and remember, you would
fail on crio).
I get it, trying to evaluate how urgent it is that we fix this so the test
is being executed again.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#87 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_px_VOU6ofXwAcDl_ehv1oq1pMKIpks5t_B_WgaJpZM4UJC8y>
.
|
ok, good enough, thanks. |
|
/retest |
|
/retest |
Implements the upstream repository catalog API call:
GET /v2/_catalog
Returned is a list of repository names as json:
200 OK
Content-Type: application/json
{ "repositories": [ <name>, ... ] }
Pagination is supported by mapping the last returned repository name to
the opaque continue token received from master API and using it on the
next invocation.
Signed-off-by: Michal Minář <miminar@redhat.com>
miminar
force-pushed
the
repository-catalog
branch
from
439bfe0
to
5561421
Compare
|
Rebased. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: legionus, miminar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
To sustain registry catalog API implemented in openshift/image-registry#87 Not really necessary since registry will attempt to use user's token. But a fall-back to registry client depends on this policy. Signed-off-by: Michal Minář <miminar@redhat.com>
Implements the upstream repository catalog API call:
Returned is a list of repository names as json:
Pagination is supported by mapping the last returned repository name to an opaque continue token received from master API and using it on the next invocation.
Task: https://trello.com/c/AZINw5qI
Associated origin PR to allow registry to list image stream: openshift/origin#19879
Documentation: openshift/openshift-docs#10102
TODO: