parsing ref consistently for refCache, including adding docker.io/library prefix#7728
parsing ref consistently for refCache, including adding docker.io/library prefix#7728pacoxu wants to merge 3 commits intocontainerd:mainfrom
docker.io/library prefix#7728Conversation
|
Hi @pacoxu. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pacoxu
changed the title
pacoxu
changed the title
docker.io/library prefix
|
/cc @pmengelbert /cc @mxpv @dmcgowan |
|
@pacoxu: GitHub didn't allow me to request PR reviews from the following users: pmengelbert. Note that only containerd members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cc @cpuguy83 |
|
Mostly for my own education, can you help me understand why restarting containerd changed the ref in the cache? Is another path of code triggered upon containerd start? |
As I described in #7728 (comment), when we first import it with ctr, ref cache add cache with prefix. Or we can fix it during import only? |
Sorry maybe I am misunderstanding the issue here. According to #7698 and section "II. Manually load an image with --digests=true", the issue seems to be that crictl only removes |
|
I did some tests with some more logs. The first After restarting containerd, the removing is done when runnging |
|
It seems that the local image removing is without BTW,
|
|
So I add another cleanup in |
pacoxu
requested review from
ruiwen-zhao
and removed request for
cpuguy83,
dmcgowan and
mxpv
|
|
||
| if err := l.store.Delete(ctx, req.Name); err != nil { | ||
| return nil, errdefs.ToGRPC(err) | ||
| if strings.HasPrefix(req.Name, "docker.io/library/") { |
There was a problem hiding this comment.
I'm unsure about this change. This service doesn't do any caching. Does it have to worry about the prefix?
There was a problem hiding this comment.
The reason is related to
nerdctl inspectshows no docker.io/library/ prefix.crictl inspectshows docker.io/library/ prefix.ctr i lsshows no docker.io/library/ prefix.
When the user removes an image thought crictl, it adds a prefix for it by default.
- So I have to double-check to delete the image without the prefix here as well.
If docker.io/library/xxx:yyy equals xxx:yyy, this logic change will have no side effect.
There was a problem hiding this comment.
I'm tempted to say: don't strip it (unless this is causing severe issues). Stripping the docker.io/library (and docker.io/) prefixes mostly originates from remaining the UX on docker, which (when there was only 1 registry: the docker index (later "docker hub")), so images had no prefix. ctr probably strips the prefix to have a closer match with docker commands, but for most cases (and APIs), this should probably be considered part of the presentation, not what APIs returns, and make sure the API returns the canonical (full) image reference.
Adding to the above; the docker.io prefix as a whole is causing a lot of headaches (e.g., docker.io is not actually the domain of the registry (which currently is at registry-1.docker.com). We're actively exploring what options we have to get out of this confusing situation (but it's complicated especially to remain backward compatible with existing container runtimes/tools). From that perspective, it'd be good to not introduce more places where special handling is performed (unless there's a strong reason it's needed).
There was a problem hiding this comment.
/cc @ingshtrom (FYI)
(for others: @ingshtrom is one of my colleagues at docker exploring options around this 😅)
There was a problem hiding this comment.
nerdctl inspectshows nodocker.io/library/prefix.crictl inspectshowsdocker.io/library/prefix.ctr i lsshows nodocker.io/library/prefix.
Another way to fix the issue mentioned is to make crictl not adding the prefix. I need to look into the code if this is doable.
There was a problem hiding this comment.
nerdctl is designed to provide a UX that matches docker. It should probably be looked at where that UX should be applied. Containerd in itself is (should be) less opinionated, which may mean: always assume canonical references. Some amount of compatibility is probably OK (which may mean convert to (normalise to) a canonical reference on the way in, and leave it to products on top of containerd to decide on the UX they want to provide (which may be "remove the prefix" when presenting).
We should really be careful not to leak docker's UX into containerd.
There was a problem hiding this comment.
I saved the original change in https://github.com/containerd/containerd/compare/main...pacoxu:image-clean-original?expand=1.
I reverted the docker.io/library trim in services/images/local.go. And I will look into crictl code to see if it can be optimized.
pacoxu
force-pushed
the
image-clean
branch
2 times, most recently
from
baf6ee8 to
a843906
Compare
|
TestContainerPids failed. It seems unrelated. |
| // the image does not exist in containerd. | ||
| func (s *Store) update(ref string, img *Image) error { | ||
| // parsing ref consistently for refCache, including adding `docker.io/library` prefix | ||
| if !strings.HasPrefix(ref, "sha256:") { |
There was a problem hiding this comment.
Note that technically the OCI also allows other digest formats (sha512, sha384, and optionally others);
- https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md#digests
- https://github.com/opencontainers/distribution-spec/blob/f72e5010d8441a94de8b35ebbe505b827d05fee2/spec.md?plain=1#L663
- https://github.com/opencontainers/go-digest/blob/b9e02e015be61903bbee58e3fd349114fa28e0b4/sha.go#L7-L17
So possibly this should check if it's a digested reference
pacoxu
force-pushed
the
image-clean
branch
3 times, most recently
from
089fe40 to
97253bc
Compare
| // the image does not exist in containerd. | ||
| func (s *Store) update(ref string, img *Image) error { | ||
| refName := strings.Split(ref, ":")[0] | ||
| switch refName { |
There was a problem hiding this comment.
Will ref be something like alpine:3.9@sha256:414e0518bb9228d35e4cd5165567fb91d26c6a214e9c95899e1e056fcd349011?
I searched the code a bit and looks like ref here will only be tag or digest or image ID, so we should be fine.
There was a problem hiding this comment.
This can be tag or digest or image ID here if I understand correctly.
|
Thanks Paco! LGTM except for the two minor comments. |
|
/lgtm |
…brary` prefix Signed-off-by: Paco Xu <[email protected]>
Signed-off-by: Paco Xu <[email protected]>
pacoxu
force-pushed
the
image-clean
branch
2 times, most recently
from
542734b to
c99fbfb
Compare
Signed-off-by: Paco Xu <[email protected]>
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
This PR is stale because it has been open 90 days with no activity. This PR will be closed in 7 days unless new comments are made or the stale label is removed. |
|
This PR was closed because it has been stalled for 7 days with no activity. |
7 participants
Fixes #7698
For the refCache below, the ref needs to be consistent.
There is a test case in #7698, I can quickly reproduce it with the second method there.
Before restarting and importing image, the refCahe is using
ref: import-2022-11-28@sha256:c8a01d8610c642f0e6b83af5f6185b3eed34e322354be5a515da1a21453ac966"and crictl cannot remove it correctly.After restarting containerd, the cache became
ref: docker.io/library/import-2022-11-28@sha256:c8a01d8610c642f0e6b83af5f6185b3eed34e322354be5a515da1a21453ac966"and crictl can remove it correctly.I add another cleanup in
services/images/local.gowithoutdocker.io/library/prefix.docker.io/libraryprefix #7728 (comment)