Enable to apply registry configuration to stargz snapshotter#1733
Conversation
|
Ready for review. Currently, lazypull-related integration tests depend on containerd worker. |
|
@tonistiigi @AkihiroSuda PTAL 😄 |
ktock
force-pushed
the
reghost
branch
2 times, most recently
from
3e50166 to
bfc1628
Compare
|
needs rebase |
|
rebased. |
|
The session handling in here does not look ok to me. We can't keep the session ID as ref properties. It needs to come from the caller invoking the call as sessions can drop and switch anytime. I've also started some refactoring around the lazy pull to fix some issues related to this but wip, https://github.com/tonistiigi/buildkit/pull/new/session-remote |
|
@tonistiigi Thanks for the comment and the refactoring patch! Based on your lazypull & session refactoring patch, this PR can be modified not to contain session IDs as ref properties in Instead, session IDs passed through |
ktock
force-pushed
the
reghost
branch
2 times, most recently
from
d54eb45 to
fc91fd9
Compare
|
@tonistiigi @AkihiroSuda |
ktock
force-pushed
the
reghost
branch
2 times, most recently
from
202df21 to
39ff855
Compare
|
Sorry, this got stuck. @ktock needs rebase @AkihiroSuda for re-review |
|
Thanks for resuming this. Rebased. |
| dh := dhs[desc.Digest] | ||
| if dh == nil { | ||
| return false, nil | ||
| continue // no info psased; skip |
| snapshotID := getSnapshotID(sr.md) | ||
| if _, err := sr.cm.Snapshotter.Stat(ctx, snapshotID); err == nil { | ||
| return true, nil | ||
| func (sr *immutableRef) withRemoteSnapshotLabels(ctx context.Context, s session.Group, f func()) error { |
There was a problem hiding this comment.
If this function is only called for stargz then please add it to the name. Same for the next one. Otherwise, they look expensive to be called by other code paths. Maybe even move stargz specific functions to separate file (this can be done as follow up if there is more code than these functions.
There was a problem hiding this comment.
Added the prefix StargzMode to each function name.
|
https://github.com/moby/buildkit/pull/1733/checks?check_run_id=1774129959 |
|
All green except |
|
@ktock Not sure why this got stuck. Can you rebase just in case to let the test run in the new merge base. |
|
Rebased and bumped stargz snapshotter to the latest (v0.6.4). |
|
@ktock Another rebase required 😅 |
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
3 participants
Following-up: #1760
Related: containerd/stargz-snapshotter#149
Currently, stargz snapshotter + OCI worker can't do
~/.docker/config.json-based authentication because the registry configurationresolver.DefaultPool.GetResolver().hostsFunc()(including session-based authorizer*resolver.dockerAuthorizer) isn't passed to that snapshotter. This patch addresses this issue.A remote snapshot is possibly used by multiple builds. And that snapshot's labels (including image refs, session IDs for fetching creds, etc.) for fetching that content possibly differ on each of these builds. So this commit allows these builds to append snapshot labels to that remote snapshot, every time they use that snapshots.
In this patch, on each time a remote snapshot is used, corresponding labels (containing image refs, session IDs etc.) are appended to that snapshot temporarily (so they are removed after that use). Here, these labels' keys are suffixed with unique IDs for avoiding collision among simultaneous uses of that snapshot. When the connection of that remote snapshot needs to be resolved (or refreshed), all labels appended to that snapshot at that moment are parsed and this source-related information (including session-based authorizer) is passed to the snapshotter (this is done in (cmd/buildkitd).sourceWithSession()). Then the snapshotter resolves/refreshes that snapshot's connection using that information.
*immutableRef.withRemoteSnapshotLabels()is a function wrapper for appending remote labels to snapshots temporarily. This takes afunc()and ensure that:func(), remote snapshot labels contained in*immutableRef.descHandlersare appended to all remote snapshots chained in that*immutableRef.func(), these labels are removed.Here, no label will be appended to non-remote snapshots.
In this patch, functions that invoke snapshotter's
Prepare/View/MountsAPI are wrapped with*immutableRef.withRemoteSnapshotLabels().The above integration is only available for oci worker. When we use containerd worker + stargz snapshotter, the registry logic is still separated.