*: implement additional pull registries #674
Conversation
|
I need feedback from tests/CI and still need to add integration tests, do not merge (but review appreciated) |
9c42a7c to
54aa085
Compare
54aa085 to
4e164e8
Compare
|
87/87 passed on RHEL - Passed. 87/87 passed on Fedora - Passed. 87/87 passed on CentOS - Passed. |
|
0/0 passed on RHEL - Passed. 0/0 passed on Fedora - Passed. 0/0 passed on CentOS - Passed. |
4e164e8 to
b32e73a
Compare
pkg/storage/image.go
Outdated
|
|
||
| if len(additionalRegistries) == 0 { | ||
| // TODO(runcom): make docker.io a CONST | ||
| additionalRegistries = []string{"docker.io"} |
There was a problem hiding this comment.
Should we add a default registry to replace docker.io and put this in the config file. Then add additional registries, that way we don't hard code docker.io into the tool?
I think we should use Trust/signing to block registries, so there is no reason to add that functionality here.
There was a problem hiding this comment.
indeed, I will change the config file to have "docker.io" in it by default so that we don't hardcode docker.io
There was a problem hiding this comment.
Perhaps the flag should just be registries, and we allow users to add a list of registries, with docker.io as the default.
| @@ -0,0 +1,123 @@ | |||
| package storage | |||
There was a problem hiding this comment.
Should this be in storage or pkg/registries?
There was a problem hiding this comment.
It's about image naming, irrespective of registries I guess
server/image_pull.go
Outdated
| options := ©.Options{ | ||
| SourceCtx: &types.SystemContext{}, | ||
| } | ||
| // a not empty username should be sufficient to decide whether to send auth |
There was a problem hiding this comment.
// Specifiying a username indicates the user intends to send authentication to the registry.
There was a problem hiding this comment.
@runcom Can you change the comment above to match my previous comment.
|
87/87 passed on RHEL - Passed. 87/87 passed on Fedora - Passed. 87/87 passed on CentOS - Passed. |
| separatorRegexp = match(`(?:[._]|__|[-]*)`) | ||
|
|
||
| // nameComponentRegexp restricts registry path component names to start | ||
| // with at least one letter or number, with following parts able to be |
There was a problem hiding this comment.
Suggestion: For these more complicated regexp's, it would be nice to have an example of what a valid object would look like in the comments.
There was a problem hiding this comment.
Also have you written tests for these? It would be nice to have a test fail is someone later edits one of these and messes it up.
There was a problem hiding this comment.
I have to write a huge comment at the beginning of this as this is a forked version from Docker/distribution. Nobody should never edit this, as for test coverage, this should stay as is.
b32e73a to
35b1a26
Compare
|
Updated not-to hardcode docker.io in go files, now we just generate the config with "docker.io" just to maintain compatibility but hopefully we can get rid of that and indeed distros can generate config w/o docker at all. I'll add tests and changes to man pages now. |
35b1a26 to
877a641
Compare
cmd/crio/config.go
Outdated
| # image (e.g. fedora:rawhide). "docker.io" is left here as a default registry. | ||
| # Users can remove it and use whatever default registry they need. | ||
| registries = [ | ||
| "docker.io", |
There was a problem hiding this comment.
I am not sure this will work, since config reads the host config and will append docker.io onto a list even if docker.io is already on the list. Might be better off leaving this to the distribution.
There was a problem hiding this comment.
docker.io should go at the end not the beginning.
There was a problem hiding this comment.
I don't know, Docker.io is still a default since w/o this string the config isn't a working config. One can do "crio config" and get a broken config since no registries are configured. How do we deal with that?
There was a problem hiding this comment.
I think it will still default to docker.io in containers/image? My problem with this is if I wanted to specify no registies, config will still show docker.io. And if I have docker.io in my config, this code will show
docker.io docker.io
There was a problem hiding this comment.
Even if it still defaults to docker.io in containers/image we need to have a way to still have a default for docker.io when pulling unqualified images because that's just what people expect (and what we do in RHEL right now, unless people actually block docker.io).
I'm fine leaving this to distro but bear in mind crio is going to error out if nobody add a registry here.
There was a problem hiding this comment.
@rhatdan could you provide an example of using this PR and having the double "docker.io" entry there?
There was a problem hiding this comment.
@rhatdan the double "docker.io" issue is not an issue (the last command totally overrides the docker.io entry also):
$ cat test.config| grep docker.io
"docker.io",
$ sudo ./crio --config test.config --debug --registry docker.io --registry test.redhat.com
DEBU[2017-08-01 10:28:44.630508363+02:00] runcom [docker.io test.redhat.com]
$ sudo ./crio --configtest.config --debug --registry test.rhel.com
DEBU[2017-08-01 10:29:49.679527671+02:00] runcom [test.rhel.com]
You can see docker.io isn't added twice.
There was a problem hiding this comment.
I added a ;piece of code to remove duplicates though.
There was a problem hiding this comment.
What does
$ sudo ./crio --config test.config --registry test.rhel.com | grep docker.io
Show?
What does the list of registries show? It should show docker.io and test.rhel.com from my understanding of the code. But if I remove docker.io from test.config and run the same test does it show just test.rhel.com and NO docker.io? That is the problem, but it is probably not a big deal since the config command is probably only run in rpm.
There was a problem hiding this comment.
What does
$ sudo ./crio --config test.config --registry test.rhel.com | grep docker.io
Show?
What does the list of registries show? It should show docker.io and test.rhel.com from my understanding of the code
@rhatdan this shows just test.rhel.com - is that ok? CLI flags overrides config.
But if I remove docker.io from test.config and run the same test does it show just test.rhel.com and NO docker.io? That is the problem
it will still shows NO docker.io
cmd/crio/config.go
Outdated
| {{ range $opt := .InsecureRegistries }}{{ printf "\t%q,\n" $opt }}{{ end }}] | ||
| # registries is used to specify registries to be used when pulling an unqualified | ||
| # image (e.g. fedora:rawhide). "docker.io" is left here as a default registry. |
There was a problem hiding this comment.
Remove comment about docker.io.
cmd/crio/main.go
Outdated
| }, | ||
| cli.StringSliceFlag{ | ||
| Name: "registry", | ||
| Usage: "list of registies used when pulling unqualified images", |
There was a problem hiding this comment.
list of registries to prepend when pulling unqualified images.
There was a problem hiding this comment.
Registry to be prepended when pulling unqualified images, can be specified multiple times.
cmd/crio/main.go
Outdated
| } | ||
|
|
||
| if len(config.Registries) == 0 { | ||
| logrus.Fatal("no registries configured. Please add registries with the --registry flag") |
There was a problem hiding this comment.
Is this actually an error, or does it just force users to use fully qualified images
There was a problem hiding this comment.
I'm torn between leaving this error or do as you said, force people to use fully qualify images. However, I think we should go with the latter (error out) so we don't risk to break kubernetes at all (since many users still use unqualified images in prod)
docs/crio.8.md
Outdated
| Print usage statement | ||
|
|
||
| **--insecure-registry=** | ||
| List of registries to enable insecure communication with |
There was a problem hiding this comment.
--insecure-registry=[]
Enable insecure registry communication, i.e., enable un-encrypted
and/or untrusted communication.
List of insecure registries can contain an element with CIDR notation
to specify a whole subnet. Insecure registries accept HTTP and/or
accept HTTPS with certificates from unknown CAs.
Enabling --insecure-registry is useful when running a local registry.
However, because its use creates security vulnerabilities it should
ONLY be enabled for testing purposes. For increased security, users
should add their CA to their system's list of trusted CAs instead of
using --insecure-registry.
docs/crio.8.md
Outdated
| CRIO root dir (default: "/var/lib/containers/storage") | ||
|
|
||
| **--registry**="" | ||
| List of registries to be used when pulling an unqualified image |
There was a problem hiding this comment.
Is this a list or something that can be specified multiple times?
There was a problem hiding this comment.
This is the same as insecure registries flag, so it's a flag which can be specified multiple times.
There was a problem hiding this comment.
Then the comment should say
Registry host which will be prepended to unqualified images, can be specified multiple times.
|
|
||
| **insecure_registries**="" | ||
| List of registries to enable insecure communication with | ||
|
|
There was a problem hiding this comment.
--insecure-registry=[]
Enable insecure registry communication, i.e., enable un-encrypted
and/or untrusted communication.
List of insecure registries can contain an element with CIDR notation
to specify a whole subnet. Insecure registries accept HTTP and/or
accept HTTPS with certificates from unknown CAs.
Enabling --insecure-registry is useful when running a local registry.
However, because its use creates security vulnerabilities it should
ONLY be enabled for testing purposes. For increased security, users
should add their CA to their system's list of trusted CAs instead of
using --insecure-registry.
docs/crio.conf.5.md
Outdated
| Image which contains the pause executable (default: "kubernetes/pause") | ||
|
|
||
| **registries**="" | ||
| List of registries to be used when pulling an unqualified image |
There was a problem hiding this comment.
If it is a list how do I specify it?
There was a problem hiding this comment.
I'll add "comma separated list of registeies"
|
81/81 passed on RHEL - Passed. 81/81 passed on Fedora - Passed. 81/81 passed on CentOS - Passed. |
76c6274 to
3a6a62b
Compare
pkg/storage/image.go
Outdated
| } | ||
|
|
||
| if len(cleanRegistries) == 0 { | ||
| return nil, errors.New("no registries configured. Please add registries with the --registry flag") |
There was a problem hiding this comment.
Why am I required to have a registry defined? Can't a user say that he always requires fully qualified names?
There was a problem hiding this comment.
I'm fine with that - @mrunalp wdyt?
There was a problem hiding this comment.
👍 to allowing fully qualified names always.
server/image_pull.go
Outdated
| options := ©.Options{ | ||
| SourceCtx: &types.SystemContext{}, | ||
| } | ||
| // a not empty username should be sufficient to decide whether to send auth |
There was a problem hiding this comment.
@runcom Can you change the comment above to match my previous comment.
server/server.go
Outdated
| } | ||
|
|
||
| imageService, err := storage.GetImageService(store, config.DefaultTransport, config.InsecureRegistries) | ||
| imageService, err := storage.GetImageService(store, config.DefaultTransport, config.InsecureRegistries, config.Registries) |
There was a problem hiding this comment.
nit: shouldn't registries come before insecureregistries.
There was a problem hiding this comment.
mmm they are unrelated, I guess it's personal taste, if you want I'll have Registries comes first
There was a problem hiding this comment.
I guess so, thats why it was a nit.
pkg/storage/image.go
Outdated
| // normalize the unqualified image to be domain/repo/image... | ||
| images := []string{} | ||
| for _, r := range svc.registries { | ||
| if r == dockerRegistry { |
There was a problem hiding this comment.
Is this really necessary? Won't containers/image treat docker.io://imageName correctly?
There was a problem hiding this comment.
yes, but I guess it's cleaner to pass down the unqualified image (as I do here) instead of passing down "docker.io/imageName"
There was a problem hiding this comment.
I would rather remove the reference to docker.io and allow containers/image to do its thing. You are building in assumptions about containers/image that could change in the future. I think we should treat them all the same.
|
81/81 passed on RHEL - Passed. 81/81 passed on Fedora - Passed. 81/81 passed on CentOS - Passed. |
|
My pull request is doing the same thing, in that we are defaulting storage to /etc/containers/storage.conf and then allowing crio.conf to override it, but by default content comes out of registries. I agree with @baude but I think /etc/containers/registry.conf, (We should use it for buildah as well.) |
|
LGTM |
3a6a62b to
7787d67
Compare
|
Just push-forced with latest changes - @mrunalp PTAL |
|
This looks fine. Let us wait for the tests to return. |
|
Test failure: |
|
Yeah, got that, I'm fixing it (and writing the blog post simultaneously) |
|
6/7 passed on RHEL - Failed. 6/7 passed on Fedora - Failed. 30/54 passed on CentOS - Failed. |
7a65d8d to
d173e1f
Compare
|
30/31 passed on RHEL - Failed. 30/31 passed on Fedora - Failed. 30/31 passed on CentOS - Failed. |
6a37548 to
ec450e6
Compare
|
38/43 passed on RHEL - Failed. 38/43 passed on Fedora - Failed. 38/43 passed on CentOS - Failed. |
ec450e6 to
b4cf00f
Compare
|
let's wait for CI now that Travis's green here |
|
Needs rebase :/ |
|
rebasing.......... |
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
b4cf00f to
a35727c
Compare
|
38/40 passed on RHEL - Failed. 38/40 passed on Fedora - Failed. 38/40 passed on CentOS - Failed. |
|
mmmm looking at tests failures. in CI (weird actually) |
|
can't see how CI failed and Travis did not, maybe it was an old run of this PR |
|
yeah, could have been an old run. Can you check if a new run is scheduled? |
|
there are 6+ builds in the queue and can't check parameters of those 😕 |
|
81/81 passed on RHEL - Passed. 81/81 passed on Fedora - Passed. 81/81 passed on CentOS - Passed. |
|
Alright CI finally came back @mrunalp |
|
LGTM |
|
...adding some integration tests also |
Signed-off-by: Antonio Murdaca runcom@redhat.com