Conversation
mike-sul
force-pushed
the
FF-160/download-docker-app
branch
from
304ef30 to
5e091cd
Compare
|
@doanac I enabled clang tidying again by introducing our own testing docker container based on ubuntu.bionic. |
doanac
left a comment
doanac
left a comment
There was a problem hiding this comment.
I've done a first pass. I still need to read a bit more, but this should get things going.
One thing - that would be nice: can we separate the ninja format changes from the actual code changes. Maybe - just merge ninja-format problems now?
| if ! docker image inspect $container 2>/dev/null 1>/dev/null ; then | ||
| echo "Container not found, doing one time docker build" | ||
| docker build -t $container -f ./aktualizr/docker/Dockerfile.debian.testing . | ||
| docker build -t $container -f ./docker/Dockerfile.ubuntu.bionic . |
There was a problem hiding this comment.
should we go ahead and jump to 20.04, or would that risk some incompatibilities with aktualizr?
There was a problem hiding this comment.
let's see what the aktualizr team will do about it if anything, I would stay with whatever they will come up with because if we just switch to something higher we might end-up with some incompatibilities as you stated. I consider it as a temporal solution.
| RUN NOCONFIGURE=1 ./autogen.sh | ||
| RUN ./configure CFLAGS='-Wno-error=missing-prototypes' --with-libarchive --disable-gtk-doc --disable-gtk-doc-html --disable-gtk-doc-pdf --disable-man --with-builtin-grub2-mkconfig --with-curl --without-soup --prefix=/usr | ||
| RUN make VERBOSE=1 -j4 | ||
| RUN make install |
There was a problem hiding this comment.
I've always been curious why ostree is pinned to a specific source revision while the other dependencies are not. You have any insights on that? Just curious.
There was a problem hiding this comment.
It has to do with the hack around testing the ostree based package manager (LD_PRELOAD and those two overridden methods ), the hack doesn't work with any ostree version.
| auto endpoint_pos = registry_conf.auth_creds_endpoint.find(treehub_endpoint); | ||
| if (endpoint_pos != std::string::npos) { | ||
| registry_conf.auth_creds_endpoint.replace(endpoint_pos, registry_creds_endpoint.length(), | ||
| registry_creds_endpoint); |
There was a problem hiding this comment.
I guess the else branch here helps with testing?
There was a problem hiding this comment.
n/m - i see how you handle this below now.
There was a problem hiding this comment.
I am wondering if we should have this config defined. It pins us to hub.foundries.io. However - docker makes this discoverable. eg:
$ curl -v https://hub.foundries.io/v2/msul-dev01/shellhttpd/manifests/latest
...
< HTTP/1.1 401 Unauthorized
...
< Www-Authenticate: Bearer realm="https://hub.foundries.io/token-auth/",service="registry",scope="repository:msul-dev01/shellhttpd:pull"
| if (split_pos == std::string::npos) { | ||
| throw std::invalid_argument("Invalid App URI: '@' not found in " + uri); | ||
| } | ||
|
|
There was a problem hiding this comment.
should we do some assertion that uri starts with hub.foundries.io?
There was a problem hiding this comment.
Can't it be different than hub.foundries.io, e.g. test mocks, tests, on prem deployment. I suppose it can be verified/checked if it's inline with what is defined in the config (registry_base_url).
There was a problem hiding this comment.
this all fits in with my other comment above about just letting docker's api tell us what to authenticate with.
There was a problem hiding this comment.
Maybe I just check if the App URI hostname matches the registry_base_url's hostname here, and check if the registry_base_url is equal to https://hub.foundries.io at the configuration time.
Another option is to get rid off base_url, auth_token_endpoint, repo_base_url configuration variables at all and extracts registry hostname from App URI, although '/token-auth/' and /v2/ has to be hardcoded then. BTW, /token-auth/ is hardcoded in the docker compose download implementation, too.
There was a problem hiding this comment.
I think getting rid of them is fine for now. "v2" can be hard-coded. I guess I did "auth-token" incorrectly in my docker-compose patch. The "Www-Authenticate:" header should tell the client where to go. For docker, I noticed my logic would be broke as the do:
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"...
| return "authorization: basic " + encoded_auth_secret; | ||
| } | ||
|
|
||
| std::string RegistryClient::getBearerAuthHeader(const std::string& repo) const { |
There was a problem hiding this comment.
this might be too painful for now and we should just keep it like this with a TODO. However, docker provides a way to find credentials. In theory, on LmP, you look at /usr/lib/docker/config.json and then $HOME/.docker/config.json for auths and credHelpers. If "auths" you just use the value provided. If "credsHelpers", you call that program and use its stdout.
Maybe we assert hub.foundries.io for now though and because its hub.fio, we know how to handle this w/o using the credsHelper.
There was a problem hiding this comment.
The credHelpers relies on aktaulizr-get. What's the point to go from aktualizr to the docker stuff which in turn comes back to aktualizr if 'we' are aktualizr and go straight to the auth service.
It's not hub.foundries.io, it's https://ota-lite.foundries.io:8443/hub-creds/.
There was a problem hiding this comment.
what i was trying to say here is that: we should really make this generic and not tied to hub.foundries.io. maybe eventually though since its a bit more work. in the case of hub.foundries.io, we could skip looking up the cred helper since we know how to do that.
what's nice about the docker-compose implementation is that it could download the archive from any docker registry with any credentials docker supports.
but since this is tied to hub.foundries.io, I think we can skip the configuration data and just hard-code to hub.foundries.io and raise an error if its not a hub.foundries.io app. In the future we could add logic to support other docker registries.
There was a problem hiding this comment.
I see what you mean. Still, we can change our registry's hostname overtime or deploy additional one with the same way of getting creds to it (via https://ota-lite.foundries.io:8443/hub-creds).
| } | ||
|
|
||
| bool fetch(const std::string &app_uri) { | ||
| bool download(const std::string& app_uri); |
There was a problem hiding this comment.
I'm not against breaking these out. However, it confused my eyes when I first saw this. Maybe you should create a change before this one that breaks out all the methods of ComposeApps to be like this. Then when you do this change it won't look so different from everything else.
There was a problem hiding this comment.
I just moved it (download) to the private methods
Signed-off-by: Mike Sul <[email protected]>
mike-sul
force-pushed
the
FF-160/download-docker-app
branch
from
f89e4fa to
98d3a3c
Compare
|
@doanac I removed the registry's configuration params. I didn't implement the auth request discovery as it requires changing in the aktualizr's HTTP client or developing our own, not sure if it's justifiable at the current moment provided that we don't support other than our Registry. |
|
|
||
| // TODO: restructure composeappmanager.* so it contains just the manager implemenation | ||
| // ComposeApp and Docker::* stuff should be moved into separate source files | ||
|
|
There was a problem hiding this comment.
I agree. I think a docker.cc file for the implementation would be nice. This is only going to grow in complexity.
|
Checked this branch on RPi and QEMU, it looks like it works as expected. |
| docker_prune = val != "0" && val != "false"; | ||
| } | ||
|
|
||
| // Docker Registry Configuration (TODO: to be removed) |
There was a problem hiding this comment.
Can we just remove this stuff and hard-code it in getBasicAuthHeader() where we already have the big TODO's? I'm hoping this will never leak into someone's sota.toml. Or do you need someway to intercept things for unit tests?
There was a problem hiding this comment.
What about the on-premises deployment? In this case, the base URL will be different than 'https://ota-lite.foundries.io:8443'.
There was a problem hiding this comment.
ugh - your right. l guess we should keep the logic that discovers it - lets drop the config value method though.
There was a problem hiding this comment.
What is the config value method?
I guess you mean that we just deduce the auth base url from ostree_server url and append hub-creds to it?
There was a problem hiding this comment.
correct. we deduce from ostree_server
There was a problem hiding this comment.
Removing the ability to configure the auth URL and just deducting it from the ostree/treehub URL is fine.
But, removing this param auth_creds_endpoint and moving the deduction logic in getBasicAuthHeader is not fine. First of all, we need to pass at least one param to RegistryClient anyway (either the treehub URL or already deducted auth URL), secondly if we do deduction in getBasicAuthHeader then we will do it for each request while this URL is static and should be evaluated once at startup.
|
i think this looks pretty good now. Here's how i think we should proceed to merge:
let me know if you need help with 1. |
I opt for a new PR, this one has already too many changes. |
|
I suppose we need to make corresponding changes in lmp-device-register to configure aklite/sota.toml with compose_apps package manager. |
eventually. i think we are a few weeks away from that. we need to first get everyone's personal factories using this (and we can update the we'll also have to update the partner-setup repo to define things using docker-compose rather than .dockerapp |
Why not create a branch and PR right now, so we can test the end-to-end flow as it would happen in real-life starting from bitbaking. |
|
that's fine. |
Signed-off-by: Mike Sul <[email protected]>
Signed-off-by: Mike Sul <[email protected]>
Signed-off-by: Mike Sul <[email protected]>
Signed-off-by: Mike Sul <[email protected]>
Signed-off-by: Mike Sul <[email protected]>
mike-sul
force-pushed
the
FF-160/download-docker-app
branch
from
761dbe8 to
728c0d3
Compare
|
I rebased this branch on foundriesio/aktualizr#38 and removed the commit that introduces customer docker container for testing. |
|
looks good. |
2 participants
No description provided.