Comments (9)
not sure, that header is there for security and content verification - not to hack on it for caching, shouldn't you take care of the whole index/cache system instead of having the library doing this? (I'm not sure how you would do this, just thinking out loud)
@mtrmac wdyt
from image.
not sure, that header is there for security and content verification - not to hack on it for caching
docker/distribution
seems to use in in their tag service [1] to get the descriptor.
shouldn't you take care of the whole index/cache system instead of having the library doing this?
That's an interesting question. In GrootFS we consume containers/image
for the Docker registry interaction and implement the cache (storing the blobs in the filesystem) ourselves. We would be very happy to PR some of the caching behaviour (and thus share the maintenance cost) if you think it's worthy. But that would be more of a long term thing.
[1] https://github.com/docker/distribution/blob/master/registry/client/repository.go#L294
from image.
that header is there for security and content verification - not to hack on it for caching
It is really for caching and discovering random corruption during transfers; nothing prevents the registry from lying in this header, or from returning the expected header value but a non-matching manifest.
I am more concerned about https://github.com/docker/docker/blob/master/distribution/pull_v2.go#L341 :
// NOTE: not using TagService.Get, since it uses HEAD requests
// against the manifests endpoint, which are not supported by
// all registry versions.
though I suppose treating this as an optimization which might fail would work.
More importantly, have you actually measured, or do you have anything to suggest, that using HEAD to look up in the cache would be an improvement? My first-order intuition is that a roundtrip is a roundtrip is a roundtrip, at least with the manifest sizes between a few hundred and a few thousand bytes, so I would expect HEAD
manifest to take about as much time as GET
manifest; and HEAD
+GET
is definitely worse than just GET
.
from image.
// NOTE: not using TagService.Get, since it uses HEAD requests
// against the manifests endpoint, which are not supported by
// all registry versions.
Interesting.
More importantly, have you actually measured, or do you have anything to suggest, that using HEAD to look up in the cache would be an improvement? My first-order intuition is that a roundtrip is a roundtrip is a roundtrip, at least with the manifest sizes between a few hundred and a few thousand bytes, so I would expect HEAD manifest to take about as much time as GET manifest; and HEAD+GET is definitely worse than just GET.
Correct, we do not expect a huge improvement there. We will probably try and investigate how much this would give us before making a PR...
from image.
It is really for caching and discovering random corruption during transfers; nothing prevents the registry from lying in this header, or from returning the expected header value but a non-matching manifest.
but it isn't documented as such https://github.com/docker/distribution/blob/master/docs/spec/api.md#digest-header - I'm not sure either though
from image.
It is really for caching and discovering random corruption during transfers; nothing prevents the registry from lying in this header, or from returning the expected header value but a non-matching manifest.
but it isn't documented as such https://github.com/docker/distribution/blob/master/docs/spec/api.md#digest-header - I'm not sure either though
That says
IMPORTANT: If a digest is used to fetch content, the client should use the same digest used to fetch the content to verify it. The header Docker-Content-Digest should not be trusted over the "local" digest.
from image.
Correct, we do not expect a huge improvement there. We will probably try and investigate how much this would give us before making a PR...
(Philosophically, I am not opposed to exposing this server-side operation if you need it; just because I don’t see the value for our uses doesn’t mean it is useless or shouldn’t be merged. Of course, if it is not something other users of containers/image are likely to use, adding tests for that functionality would help minimize the risk of unintentionally breaking the code.)
from image.
@glestaris @mtrmac @vrothberg What is the state of this issue. It is two years old, can we close it?
from image.
After (almost) three years, we can close it.
from image.
Related Issues (20)
- Support copying nested image indices HOT 1
- Copies don’t set OCI1InstanceAnnotationCompressionZSTD on Zstd:chunked HOT 1
- Allow configuring a registry as http-only HOT 3
- Copy fails with "use of closed network connection" error when using a slow proxy HOT 9
- Use OCI Go constants in the OCI transport
- [doc] fix warning when generating man pages with go-md2man HOT 3
- support for url path's in registries.conf unqualified-search-registries HOT 9
- containers-policy.json: provide default config in /usr/ HOT 6
- Conversion to schema1 does not fail with Zstd layers, making it uncertain we correctly convert to OCI HOT 1
- Copies of originally-compressed images from c/storage to uncompressed destinations don’t trigger MIME type updates HOT 1
- Converting a SIF image should not require fakeroot HOT 4
- Zstd(:chunked) work tracking checklist HOT 2
- Copies with Zstd compression to schema-agnostic transports don’t trigger schema conversion HOT 2
- TemporaryDirectoryForBigFiles() can still ignore $TMPDIR HOT 3
- isManifestUnknownError fails against Harbor registries, breaking sigstore signature upload HOT 15
- Blob reuse decisions do not take into account manifest support HOT 1
- Cannot copy buildkit cache images HOT 2
- Support for structured logging (using `log/slog`) HOT 5
- proposal: Support append images into docker archive HOT 1
- Make a new release HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from image.