Take care of manifest config blob

[miminar]

Resolves #10730

Manifest V2 schema 2 introduces a special blob called config which used to be emeedded in earlier schema. See upstream's spec for details. The config is stored as a regular blob on registry's storage. Thus the config needs to be treated similar to a regular layer:

1. the pullthrough middleware needs to be able to fetch it from remote repository
2. we need to increase a size of image for the size of its config
3. the config's digest needs to be cached as a regular layer inside a registry for subsequent lookups
4. image pruning needs to prune it the same way as regular layer

The PR addresses the first 3 items. I'd like to cover the pruning case in a follow-up.

[miminar]

Not verified and untested. I'm working on it. But ready for review (cc @legionus, @soltysh).

[test]

[mfojtik]

@liggitt can you help review this?

[miminar]

The pullthrough part appears to be working now. Verifying a pull of local image of schema 2 tagged to different namespace now.

[miminar]

And the second part (pull of local image of schema 2 tagged to different namespace) seems to be working as well. Writing tests now.

[mfojtik]

you can just use err here

[miminar]

you can just use err here

OK, I'll rename.

[mfojtik]

this need tests (but I think you're already working on them)

[liggitt]

return early in the ok case and unindent the rest of the function?

if store, ok := r.digestToStore[dgst.String()]; ok {
  return store.Get(ctx, desc.Digest)
}

[liggitt]

pullthroughBlobStore instances are per-request, right? just making sure we don't have to worry about locking/races on the digestToStore map, or about long-term growth/retention

[miminar]

return early in the ok case and unindent the rest of the function?

good suggestion, I'll rewrite

[miminar]

pullthroughBlobStore instances are per-request, right?

That's right.

[liggitt]

should we only do this if len(image.DockerImageConfig) > 0?

[miminar]

should we only do this if len(image.DockerImageConfig) > 0?

To make it comply with the other conditions, I'll use this instead. image.DockerImageConfig is filled only for manifest schema 2.

[soltysh]

The changes LGTM, but tests is something I'd like to see before getting this merged.

[miminar]

I've got the e2e tests working finally.

[miminar]

Flake #9624, extended conformance flake:

with readiness probe should not be ready before initial delay and never restart [Conformance]

And

InsufficientInstanceCapacity => We currently do not have sufficient m4.large capacity in the Availability Zone you requested (us-east-1d). Our system will be working on provisioning additional capacity. You can currently get m4.large capacity by not specifying an Availability Zone in your request or choosing us-east-1b, us-east-1c.
+ echo ''\''vagrant up'\'' failed - retrying'

In https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/8662/.

[liggitt]

why is this necessary?

[miminar]

why is this necessary?

Not sure, I was just reluctant to remove the existing guards.

In my local test, this passes in no time:

[INFO] Success running command: 'oc get rc/docker-registry-1 --template "{{ index .metadata.annotations \"openshift.io/deployment.phase\" }}" --config='/tmp/openshift/test-end-to-end//openshift.local.config/master/admin.kubeconfig' | grep Complete' after 23 seconds
[INFO] Waiting for command to finish: 'oc get endpoints/docker-registry -o 'jsonpath={range .subsets[*]}{range .addresses[*]}{.targetRef.name},{end}{end}' --config='/tmp/openshift/test-end-to-end//openshift.local.config/master/admin.kubeconfig' | egrep -q '(^|,)docker-registry-1-6mc18,''...
[INFO] Success running command: 'oc get endpoints/docker-registry -o 'jsonpath={range .subsets[*]}{range .addresses[*]}{.targetRef.name},{end}{end}' --config='/tmp/openshift/test-end-to-end//openshift.local.config/master/admin.kubeconfig' | egrep -q '(^|,)docker-registry-1-6mc18,'' after 0 seconds
[INFO] Waiting for command to finish: 'oc get 'pod/docker-registry-1-6mc18' -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' --config='/tmp/openshift/test-end-to-end//openshift.local.config/master/admin.kubeconfig' | grep -qi true'...
[INFO] Success running command: 'oc get 'pod/docker-registry-1-6mc18' -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' --config='/tmp/openshift/test-end-to-end//openshift.local.config/master/admin.kubeconfig' | grep -qi true' after 0 seconds

[miminar]

@mfojtik, @Kargakis do you think it's safe to remove all the wait_for_command statements except for the first?

[liggitt]

I meant all the additions to wait_for_registry, not just that line

[miminar]

I meant all the additions to wait_for_registry, not just that line

That's because I'm redeploying the registry. Until now, the wait_for_registry expected just rc version 1. Now it needs to deal with multiple versions of rcs, pods, etc.

[mfojtik]

I think it is fine to make sure that we are testing against the latest version of registry (in case the registry is re-deployed).

[miminar]

Here's a log from one of the recent runs:

[INFO] Waiting for command to finish: 'oc get rc/docker-registry-2 --template "{{ index .metadata.annotations \"openshift.io/deployment.phase\" }}" --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | grep Complete'...
Complete
[INFO] Success running command: 'oc get rc/docker-registry-2 --template "{{ index .metadata.annotations \"openshift.io/deployment.phase\" }}" --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | grep Complete' after 16 seconds
[INFO] Waiting for command to finish: 'oc get endpoints/docker-registry -o 'jsonpath={range .subsets[*]}{range .addresses[*]}{.targetRef.name},{end}{end}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | egrep -q '(^|,)docker-registry-2-n8o46,''...
[INFO] Success running command: 'oc get endpoints/docker-registry -o 'jsonpath={range .subsets[*]}{range .addresses[*]}{.targetRef.name},{end}{end}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | egrep -q '(^|,)docker-registry-2-n8o46,'' after 1 seconds
[INFO] Waiting for command to finish: 'oc get pod -l deploymentconfig=docker-registry -o jsonpath='{.items[*].status.conditions[?(@.type=="Ready")].status}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | grep -qi true'...
[INFO] Success running command: 'oc get pod -l deploymentconfig=docker-registry -o jsonpath='{.items[*].status.conditions[?(@.type=="Ready")].status}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | grep -qi true' after 0 seconds

The oc get endpoint needed additional 1 second to succeed after the deployment of dc-2 completed which IMHO justifies first two wait statements. I'm still not sure about the third (wait for a pod to become ready). I'd prefer to keep it though.

[miminar]

And, finally, here's a justification for the 3rd wait:

[INFO] Success running command: 'oc get endpoints/docker-registry -o 'jsonpath={range .subsets[*]}{range .addresses[*]}{.targetRef.name},{end}{end}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | egrep -q '(^|,)docker-registry-1-mwn9s,'' after 0 seconds
[INFO] Waiting for command to finish: 'oc get 'pod/docker-registry-1-mwn9s' -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | grep -qi true'...
[INFO] Success running command: 'oc get 'pod/docker-registry-1-mwn9s' -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' --config='/tmp/openshift/test-end-to-end-docker//openshift.local.config/master/admin.kubeconfig' | grep -qi true' after 1 seconds

[liggitt]

Yeah, if we're waiting for the version, the waits make sense, I was referring to all the additions in the helper function

[miminar]

I've simplified a lot the wait function. Kudos to @liggitt for the suggestions.

[openshift-bot]

Evaluated for origin merge up to ebc85ed

[liggitt]

[testextended][extended:core(builds)]

[openshift-bot]

Evaluated for origin testextended up to ebc85ed

[openshift-bot]

continuous-integration/openshift-jenkins/testextended Running (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin_extended/459/) (Extended Tests: core(builds), core(images))

[stevekuznetsov]

Quote expansions

[stevekuznetsov]

Sorry, thats for the line above this

[openshift-bot]

Evaluated for origin test up to ebc85ed

[stevekuznetsov]

Quotes

[stevekuznetsov]

Since e2e was supposed to be a "user process" script... Is that the right place to put all these new tests?

[liggitt]

See comment about a follow up to split these into a registry extended test

[openshift-bot]

continuous-integration/openshift-jenkins/merge FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/8710/)

[liggitt]

Looks like this picked up a spurious --source arg

https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_integration/5787/consoleFull#16372028715762928fe4b031e1b25ced2a

Running test/end-to-end/core.sh:523: executing 'docker tag --source=docker busybox '172.30.169.212:5000/schema2/busybox'' expecting success...
FAILURE after 0.083s: test/end-to-end/core.sh:523: executing 'docker tag --source=docker busybox '172.30.169.212:5000/schema2/busybox'' expecting success: the command returned the wrong error code
There was no output from the command.
Standard error from the command:
flag provided but not defined: --source
See '/usr/bin/docker-current tag --help'.

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/8711/)

[liggitt]

superceded by #10805