registry: some optimizations to reduce network connections and DNS lookups if not needed #49050
Merged
thaJeztah merged 4 commits into moby:master on Dec 10, 2024
thaJeztah commented Dec 8, 2024
| for _, mirror := range s.config.Mirrors { | ||
| if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { | ||
| mirror = "https://" + mirror | ||
| if includeMirrors { |
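Review bot: the `if includeMirrors {` guard is now the only thing that decides whether mirror endpoints are built and returned, so the function's doc comment should state that push and authentication callers must pass `false`, because mirrors are excluded there to avoid sending upstream-registry credentials to them. A unit test asserting that no mirror endpoint comes back when the argument is `false` would pin that behaviour down against later refactors.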
Member
Author
This diff is best reviewed with whitespaces ignored; use ?w=1 for the diff view; https://github.com/moby/moby/pull/49050/files?w=1
182cf8b to aaee597
robmry approved these changes Dec 10, 2024
Contributor
robmry left a comment
LGTM apart from the old comment.
Comment on lines 71 to +74
| // Lookup endpoints for authentication using "LookupPushEndpoints", which | ||
| // excludes mirrors to prevent sending credentials of the upstream registry | ||
| // to a mirror. | ||
| endpoints, err := s.LookupPushEndpoints(registryHostName) | ||
| s.mu.RLock() | ||
| endpoints, err := s.lookupV2Endpoints(registryHostName, false) |
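Review bot: `s.mu.RLock()` is taken directly before `s.lookupV2Endpoints(registryHostName, false)` and the matching `RUnlock` is not visible in these lines; release it immediately after the lookup, before `err` is inspected, so an early return on `err` cannot leave the read lock held. The bare `false` at the call site would also benefit from a short comment saying it excludes mirrors, replacing the `LookupPushEndpoints` wording in the comment above it.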
Contributor
The comment needs a matching update.
Member
Author
Oh! Good catch; I initially kept it to use the "push endpoints", but then thought it may be clearer to remove that extra indirect and make it match the "except for mirrors" part.
…equest

Reverse the order in which we call v2AuthHTTPClient and http.NewRequest. This is mostly theoretical, but v2AuthHTTPClient makes a network connection to ping the registry, but loginV2 may fail after this if http.NewRequest fails. Put the (lightweight) http.NewRequest first, so that we can return early before trying to contact the registry.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Also rename a variable that shadowed a package type.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

This function unconditionally constructed endpoints for mirrors when requesting endpoints for the default (Docker Hub) registry. Doing so involves validating the config, which involves;

- parsing the hostname
- constructing TLS config
- performing a DNS lookup to resolve the host's IP address and matching it against CIDR masks for insecure registries.

When looking up push endpoints or endpoints to consider for authentication, mirror endpoints were discarded to prevent sending credentials of the upstream registry to a mirror.

This patch adds a "includeMirrors" argument to skip constructing endpoints for mirrors when not needed.

While at it, also removing named output variables, as they didn't add much.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Slight refactor to use strings.Cut, which doesn't do allocations

Signed-off-by: Sebastiaan van Stijn <[email protected]>
aaee597 to be9e39b
Member
Author
All green; let me bring this one in 👍
registry: loginV2: don't contact registry when failing to construct request

Reverse the order in which we call v2AuthHTTPClient and http.NewRequest.
This is mostly theoretical, but v2AuthHTTPClient makes a network connection
to ping the registry, but loginV2 may fail after this if http.NewRequest
fails. Put the (lightweight) http.NewRequest first, so that we can return
early before trying to contact the registry.

registry: loginV2: move variables closer to where they're used

Also rename a variable that shadowed a package type.

registry: Service.lookupV2Endpoints: add arg to skip mirrors

This function unconditionally constructed endpoints for mirrors when
requesting endpoints for the default (Docker Hub) registry. Doing so
involves validating the config, which involves;

- parsing the hostname
- constructing TLS config
- performing a DNS lookup to resolve the host's IP address and matching
  it against CIDR masks for insecure registries.

When looking up push endpoints or endpoints to consider for authentication,
mirror endpoints were discarded to prevent sending credentials of the upstream
registry to a mirror.

This patch adds a "includeMirrors" argument to skip constructing endpoints
for mirrors when not needed.

registry: ConvertToHostname: use strings.Cut to reduce allocations

Slight refactor to use strings.Cut, which doesn't do allocations
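
The `includeMirrors` idea from the third commit, sketched as an added example (not code from this PR or from moby): mirror endpoints are only validated and built when the caller will use them, so the authentication path does no mirror lookups and never sees a mirror. `Service`, `lookupEndpoints`, the `resolve` hook standing in for the DNS lookup, and the `.example` hosts are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const defaultRegistry = "hub.example" // constructed stand-in for the default registry

type Endpoint struct {
	URL    string
	Mirror bool
}

// Service is a hypothetical, reduced model; resolve stands in for the DNS
// lookup made while validating a mirror's configuration.
type Service struct {
	Mirrors []string
	resolve func(host string) error
}

// lookupEndpoints builds mirror endpoints only when includeMirrors is true, so
// callers that must not use mirrors (push, auth) trigger no mirror validation.
func (s *Service) lookupEndpoints(host string, includeMirrors bool) ([]Endpoint, error) {
	var out []Endpoint
	if includeMirrors && host == defaultRegistry {
		for _, m := range s.Mirrors {
			if !strings.HasPrefix(m, "http://") && !strings.HasPrefix(m, "https://") {
				m = "https://" + m
			}
			_, rest, _ := strings.Cut(m, "://")
			name, _, _ := strings.Cut(rest, "/") // host[:port], no allocation
			if err := s.resolve(name); err != nil {
				return nil, fmt.Errorf("mirror %q: %w", m, err)
			}
			out = append(out, Endpoint{URL: m, Mirror: true})
		}
	}
	return append(out, Endpoint{URL: "https://" + host}), nil
}

func main() {
	n := 0 // counts simulated DNS lookups
	s := &Service{Mirrors: []string{"mirror.example:5000"}, resolve: func(string) error { n++; return nil }}
	auth, _ := s.lookupEndpoints(defaultRegistry, false) // authentication path
	fmt.Println("auth endpoints:", len(auth), "mirror lookups:", n)
	pull, _ := s.lookupEndpoints(defaultRegistry, true) // pull path
	fmt.Println("pull endpoints:", len(pull), "mirror lookups:", n)
}
```

With a resolver that always fails, the `false` path still succeeds while the `true` path returns the mirror error, which is the behaviour a regression test for the credential-to-mirror guard would want to assert.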