@wking
Member

@wking wking commented Jun 24, 2020

Builds on top of #294. You can review that one first if you like, or review both commits in this PR (and GitHub will mark #294 merged if this one lands first, because it will pull #294's tip into the target master branch). With #294, the change we need to make to parallelize HTTP(S) retrieval is pretty small. I'm just adding a parallel store implementation and using that instead of the serial wrapper for HTTP(S) retrieval.

@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. label Jun 24, 2020
@openshift-ci-robot
Contributor

@wking: This pull request references Bugzilla bug 1840343, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.0) matches configured target release for branch (4.6.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1840343: pkg/verify: Parallelize HTTP(S) signature retrieval

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jun 24, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 24, 2020
wking added 2 commits June 25, 2020 20:17
This consolidates around abstract signature retrieval, removing the
split between stores and locations which we grew in 9bbf366
(verify: Refactor the verify package to have common code, 2019-12-09, openshift#279).
This will make it easier to make future changes like parallel HTTP(S)
signature retrieval [1].

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1840343
Fixing [1,2]:

  $ grep 'unable to load signature' cvo.log
  I0526 13:13:36.123153       1 verify.go:404] unable to load signature: Get https://storage.googleapis.com/openshift-release/official/signatures/openshift/release/sha256=baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5/signature-1: dial tcp 172.217.4.48:443: connect: connection timed out
  I0526 13:15:47.195128       1 verify.go:404] unable to load signature: Get https://storage.googleapis.com/openshift-release/official/signatures/openshift/release/sha256=baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5/signature-2: dial tcp 172.217.9.80:443: connect: connection timed out
  I0526 13:17:10.718027       1 verify.go:404] unable to load signature: Get https://storage.googleapis.com/openshift-release/official/signatures/openshift/release/sha256=baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5/signature-3: context deadline exceeded
  I0526 13:19:44.764143       1 verify.go:404] unable to load signature: Get https://storage.googleapis.com/openshift-release/official/signatures/openshift/release/sha256=baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5/signature-1: dial tcp 172.217.4.48:443: connect: connection timed out
  I0526 13:21:55.835063       1 verify.go:404] unable to load signature: Get https://storage.googleapis.com/openshift-release/official/signatures/openshift/release/sha256=baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5/signature-2: dial tcp 172.217.4.48:443: connect: connection timed out
  I0526 13:23:18.233801       1 verify.go:404] unable to load signature: Get https://storage.googleapis.com/openshift-release/official/signatures/openshift/release/sha256=baa687f29b0ac155d8f4c6914056d36d68f343feb9c1e82b46eef95819d00be5/signature-3: context deadline exceeded

In this case, that was because a restricted network blocked access to
storage.googleapis.com, but you'd get similar behavior if
storage.googleapis.com itself was slow.  We want to hit other
signature sources (like our mirrors [3]) before giving up on
signatures entirely, and with this commit one HTTP(S) store no longer
blocks another.

The local ConfigMap store still comes first with a serial store,
because we don't want to involve external stores before we've
exhausted that local-cluster store.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1840343
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1838497#c10
[3]: https://github.com/openshift/cluster-update-keys/blob/cca4ce696383e70ae669e770bd63265a9540b721/manifests.rhel/0000_90_cluster-update-keys_configmap.yaml#L5
@wking wking force-pushed the parallel-http-signature-stores branch from 0aab8dc to a068ee3 Compare June 26, 2020 03:17
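
The retrieval order described in the commit message above (local store first, then HTTP(S) stores with none blocking another), as an added example that is not code from this pull request or from pkg/verify. `Store`, `Parallel`, `Lookup` and the three sample stores are hypothetical names, and any signature a store returns counts as a success here, with verification left to the caller.

```go
package main

import (
	"context"
	"fmt"
)

// Store is a hypothetical signature source for one release digest.
type Store func(ctx context.Context, digest string) ([]byte, error)

// Parallel asks every store at once, so a hung store cannot delay the others.
func Parallel(stores ...Store) Store {
	return func(ctx context.Context, digest string) ([]byte, error) {
		ctx, cancel := context.WithCancel(ctx)
		defer cancel() // the first success cancels the stragglers
		type result struct{ sig []byte; err error }
		results := make(chan result, len(stores)) // buffered: losers never block
		for _, s := range stores {
			go func(s Store) {
				sig, err := s(ctx, digest)
				results <- result{sig, err}
			}(s)
		}
		err := fmt.Errorf("no stores configured")
		for range stores {
			r := <-results
			if r.err == nil {
				return r.sig, nil // still unverified: the caller checks it against trusted keys
			}
			err = r.err
		}
		return nil, err
	}
}

// Lookup exhausts the local store before involving any external store.
func Lookup(ctx context.Context, digest string, local Store, remotes ...Store) ([]byte, error) {
	if sig, err := local(ctx, digest); err == nil {
		return sig, nil
	}
	return Parallel(remotes...)(ctx, digest)
}
// Constructed stores: a local miss, a firewalled host that hangs, a reachable mirror.
func missing(context.Context, string) ([]byte, error) { return nil, fmt.Errorf("not in local store") }
func blocked(ctx context.Context, _ string) ([]byte, error) { <-ctx.Done(); return nil, ctx.Err() }
func mirror(context.Context, string) ([]byte, error) { return []byte("constructed-signature"), nil }
func main() {
	sig, err := Lookup(context.Background(), "sha256=<digest>", missing, blocked, mirror)
	fmt.Printf("signature=%q err=%v\n", sig, err)
}
```

If every external store hangs, `Parallel` returns once the caller's context expires, so the overall deadline still bounds the lookup.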
@jottofar
Contributor

/lgtm

@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jottofar, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2020
@openshift-merge-robot openshift-merge-robot merged commit 692a8a3 into openshift:master Jun 29, 2020
@openshift-ci-robot
Contributor

@wking: All pull requests linked via external trackers have merged: openshift/cluster-version-operator#393. Bugzilla bug 1840343 has been moved to the MODIFIED state.


In response to this:

Bug 1840343: pkg/verify: Parallelize HTTP(S) signature retrieval


@wking wking deleted the parallel-http-signature-stores branch June 29, 2020 18:45
@wking
Member Author

wking commented Dec 10, 2020

/cherry-pick release-4.5

@openshift-cherrypick-robot

@wking: new pull request created: #487


In response to this:

/cherry-pick release-4.5

