Provide layers referenced by an image stream as layers subresource

[smarterclayton]

Adds a new GET endpoint to an image stream as a subresource layers that
returns an array of every layer referenced by the image stream and the tags
and images included by the image.

The subresource is fed by a store driven informer that caches and indexes
only the layers. Clients get a 500 retry error if the cache has not
initialized yet (the client will silently retry).

Turns the registry access check for a given layer into an O(1) check
instead of O(N) where N is the number of images in the image stream.

This is not a general purpose layer cache, but lays the foundation for it.

Depends on openshift/api#56

Detected by https://bugzilla.redhat.com/show_bug.cgi?id=1589994

@bparees

[sttts]

why not generated this?

[smarterclayton]

Probably could, although I'm hesitant to involve the stack there.

[sttts]

looks like we are forcing ImageLayers to be an runtime.Object. At the very least this neads a very good reason documented as a comment above.

[mfojtik]

@smarterclayton why not making this an actual API object?

[smarterclayton]

This is a minimal cache. Cache doesn't actually need runtime object except there are bugs in cache. I'm going to correct those, which is why there is a comment. Informers are supposed to depend on list-watch (which requires resource version) but the cache key is arbitrary.

[mfojtik]

@smarterclayton for UPSTREAM: openshift/api: Add an image layers API aren't you supposed to bump the external repo (openshift/api) first and then just run ./hack/update-deps ? /cc @deads2k

[smarterclayton]

It’s not ready to merge On Jun 12, 2018, at 7:38 AM, Michal Fojtik <notifications@github.com> wrote: @smarterclayton <https://github.com/smarterclayton> for UPSTREAM: openshift/api: Add an image layers API aren't you supposed to bump the external repo (openshift/api) first and then just run ./hack/update-deps ? /cc @deads2k <https://github.com/deads2k> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#19969 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p-bJzcLmLVc3FHzilxjqCtU98PaPks5t76gugaJpZM4UjqsE> .

[dmage]

The function name is misleading. And the return value too.

For v2 manifests DockerImageMetadata.ID contains a digest of the image configuration. It differs from a manifest.

The MediaType for this blob is a though question, but it definitely shouldn't be DockerImageManifestMediaType.

[dmage]

As LayerSize is not filled here, it shouldn't be used anywhere.

[smarterclayton]

I’ll probably say we just mark layer size as optional in the api. It’s not fundamental for this call (although I would prefer it be correct). Is there a reason we didn’t record it on the image object? Or did we just lose that info when we moved back to storing this in the registry? We have it when we post a new image to the registry, correct?

You’re right that this should be the configuration mimetype.

[smarterclayton]

Probably can make LayerSize a pointer and have it be nil if unknown.

[smarterclayton]

Updated to make layer size be a pointer and nil if unknown.

[legionus]

These layers have different order in different images. ImageAPI reorder them and add imageapi.DockerImageLayersOrderAnnotation, but this code drop this infomation. After that, these layers are copied as is, but without an annotation indicating the order.

Also there is no imageapi.ManagedByOpenShiftAnnotation for image. Therefore, then the registry does not have the ability to understand this.

[smarterclayton]

I’ll reorder them before returning.

With regards to pullthrough off, I think we probably should drop support for disabling it. We will depend on it for secured images (when registry access for redhat is made protected), and local resolution depends on it. Is there a good use case for continuing to support it?

[legionus]

Is there a good use case for continuing to support it?

You tell me :) We always had the option to turn on/off pullthrough. Because of this, the registry's code is more complex than it could be because we always need to remember the type of the image and sometimes pretend that we do not know about it.

If you think that we can drop it, then let's do it. Please open an issue to remove it.

But right now without imageapi.ManagedByOpenShiftAnnotation pullthrough will be broken.

[legionus]

Unfortunately, we can not completely remove imageapi.ManagedByOpenShiftAnnotation.

[smarterclayton]

Let me chat with Ben - if we think we're dependent on pull through now for protected image access, then I think it's time to remove the support for pull through false. Will respond back today.

Do we need the annotation for anything else specific to the use of this call (in the place where we check whether an image stream has "access" to a layer)?

A long time ago we talked about changing the meaning of the annotation (or replacing it with a new annotation) which was:

The person who imported this image metadata has proven they have access to each of the layers in the image they imported.

A background controller (the mirror controller) would not set the annotation until it had either pulled all layers from the source (in the background) or otherwise verified the source had those layers (check that the source can serve the contents). Before the annotation was set, only pull through would work, and users would be blocked from tagging the image into another image stream. Once the annotation was set, the image was now effectively managed (we've imported the image and the metadata). The downside of this is that it forces mirroring which can be expensive (today mirroring is mostly controlled by whether you set ReferencePolicy in practice).

[bparees]

Let me chat with Ben - if we think we're dependent on pull through now for protected image access, then I think it's time to remove the support for pull through false.

OCP will be, Origin won't be. Perhaps that's sufficient though.

(Technically someone could also setup an OCP cluster that got protected images from elsewhere like an internal mirror, so it is possible to run an OCP cluster w/o pullthrough, also).

But i'm certainly a fan of simplifying.

[smarterclayton]

I think we closed on this, right? Dropping pullthrough: false support?

[bparees]

yeah, being removed here: openshift/image-registry#103

i think it's currently stuck on that test that needs the docker socket for which i have a PR open to mark as local.

[smarterclayton]

/test launch-gcp

[smarterclayton]

/test launch-gcp

[smarterclayton]

/test launch-gcp

[smarterclayton]

e2e test should be passing, initial comments addressed. Will be updating the registry PR soon.

[liggitt]

this is the sha of the manifest ("name of the blob containing the image manifest"), not the blob itself, right?

[smarterclayton]

The manifest is a blob, and the digest / name for both is the same (the SHA of the contents)

[liggitt]

is it valid to have zero layers and no manifest?

[liggitt]

talked offline: yes, this could be a scratch image with inline manifest

[liggitt]

is this always known?

[smarterclayton]

Yes, we always know what this value is in the Image object as part of that API (since 3.5 or 3.6)

[liggitt]

Any other API comments? Updating that PR and will put the label on it otherwise

a couple questions, no other concerns from me

[bparees]

seems like there are some un-addressed comments in this PR also.

[bparees]

godoc is wrong

[smarterclayton]

The upstreams are only for testing, they'll be pulled in via a bump.

[bparees]

i didn't look closely to see if you pulled this in from upstream. as long as it's correct upstream, then, i guess.

[bparees]

wait for builder service account in a beforeeach

[smarterclayton]

don't builds wait for builder service account?

[smarterclayton]

I don't try to access anything before builder service account is available.

[bparees]

don't builds wait for builder service account?

well, I should have said "wait for the builder service account's secrets". (the waitforserviceaccount helper does both)

if the SA exists but the secrets don't, the build will fail (because it can't pull the base image or push the app image) We do have some logic in the build controller now that waits for build secrets in certain cases:

https://github.com/openshift/origin/blob/master/pkg/build/controller/build/build_controller.go#L525-L543

given that i'm actually not sure why we saw some of the pull issues we saw earlier, unless those were only happening on deployments, not builds.

[smarterclayton]

Updated on top of an API bump (i think i finally fixed glide to not be horribad)

[deads2k]

Updated on top of an API bump (i think i finally fixed glide to not be horribad)

Any other changes? I made it through my review before and it lgtm

[smarterclayton]

Nothing new. Ben's comments were resolved

[smarterclayton]

/retest

[deads2k]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [deads2k,smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[smarterclayton]

/retest

[danwinship]

/retest

[smarterclayton]

/retest

[danwinship]

/retest

[smarterclayton]

/retest

[openshift-ci-robot]

@smarterclayton: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/gcp	e9536dd	link	/test gcp
ci/openshift-jenkins/extended_image_ecosystem	aac71d5	link	/test extended_image_ecosystem

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.