Remove the base URI for docker.io images #37913
Thanks for your pull request! The title of your pull request does not follow our editorial rules. Could you have a look?
This message is automatically generated by a bot.
e9df640 to d84b214
STRIMZI("quay.io/strimzi-test-container/test-container:latest-kafka-3.2.1"), | ||
KAFKA_NATIVE("quay.io/ogunalp/kafka-native:latest"); |
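Review bot: KAFKA_NATIVE, on the second line, is fully qualified with quay.io but still uses the floating `latest` tag, so the registry is pinned while the content is not; suggest a version tag or digest so the explicit prefix actually identifies one image. STRIMZI's `latest-kafka-3.2.1` tag has the same property to a lesser degree.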
Shouldn't the same apply to other registries as well?
For quay.io it is more complicated: the --registry-mirror option works only with relative images.
But we can add a property to replace this value. But in another PR.
@cescoffier @holly-cummins @Sanne could you have a look at this one? I remember we added the
I'd forgotten all about this, but 57332c3 confirms the decision to be explicit about the name was related to Podman, and short names. It was an issue that @Sanne found. #31253 (comment) has more details:
@n1hility was going to check if it was fixed (he thinks it might be), but I can't find the response. A possible workaround is "to pull them by full name before running any tests." I agree that not hardcoding the registry everywhere seems desirable ... this might be something where the podman CI is useful for validating the impact of this PR. (Although it looks like the Podman CI is suffering from another issue and needs some attention anyway.)
Yes, the registry name was required by podman. I'm finding references about something also required on Fedora 35+. Also, aren't all these images customizable by the user? Using the prefix also guarantees the origin of the image (and somewhat avoids having someone publishing a tainted image on a mirror).
Images are customizable by the user (actual workaround).
I'm not sure a prefix would help:

For me no. Because images without prefix are hosted on
Images hosted on

```properties
quarkus.devservices.registry.quay.dns=quay.io
quarkus.devservices.registry.gcr.dns=gcr.io
```
To do that, we need to parse the image names and replace the DNS (by the way, I'm not sure of the wording here; I would prefer something like

The next question is about the scope. Should it be global (like in your proposal) or per image (which is literally what we have today, as you can replace the image)? I like the global approach as it's more in phase with the idea of a mirror. However, as I'm not an expert on image registry mirroring, don't we have the risk of having a mirror containing some images but not others (like if some images are private, the mirror may not have them)?

Finally, when the user overrides the image name, should we still apply the hostname? I would say no, but let's make sure we all agree.
new proposal:

```properties
quarkus.devservices.registry.quay.host=localhost:5000
quarkus.devservices.registry.gcr.host=gcr.mirror.internal
```

For private images, we already have to override the image property. So I am in tune with you:

When we override the image name
And the value uses a full path
Then pull the image from this location

When we override the image name
And the value does not use a full path
Then use the docker/podman configuration to pull the image
(`docker.io` if no mirror is set)

So:
The good: this solution doesn't change the current behaviour)
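The host-override rule proposed above, sketched as an added example (not code from this PR or from Quarkus): `RegistryHostOverride`, `qualify` and `resolve` are hypothetical names, the quay.io and gcr.io replacements come from the proposal, and the docker.io mirror host is a constructed placeholder. Default images stay fully qualified, only the host is swapped, and a user-supplied image name is passed through untouched.

```java
import java.util.Map;

public class RegistryHostOverride {

    // Simplified Docker reference rule: the first path component is a registry host
    // only if it contains '.' or ':' or equals "localhost"; otherwise it is a short name.
    static boolean hasRegistryHost(String image) {
        int slash = image.indexOf('/');
        if (slash < 0) {
            return false;
        }
        String first = image.substring(0, slash);
        return first.contains(".") || first.contains(":") || first.equals("localhost");
    }

    // Expand a short name to its fully qualified docker.io form.
    static String qualify(String image) {
        if (hasRegistryHost(image)) {
            return image;
        }
        return "docker.io/" + (image.contains("/") ? image : "library/" + image);
    }

    // defaultImage: name hard-coded by an extension; userImage: the user's image
    // property (null when unset); hostOverrides: original host -> replacement host.
    static String resolve(String defaultImage, String userImage, Map<String, String> hostOverrides) {
        if (userImage != null) {
            return userImage; // user override wins and is never rewritten
        }
        String full = qualify(defaultImage);
        int slash = full.indexOf('/');
        String replacement = hostOverrides.get(full.substring(0, slash));
        return replacement == null ? full : replacement + full.substring(slash);
    }

    public static void main(String[] args) {
        // quay.io and gcr.io values are from the proposal; the docker.io mirror is constructed.
        Map<String, String> overrides = Map.of(
                "quay.io", "localhost:5000",
                "gcr.io", "gcr.mirror.internal",
                "docker.io", "mirror.example.internal");
        String strimzi = "quay.io/strimzi-test-container/test-container:latest-kafka-3.2.1";
        System.out.println(resolve(strimzi, null, overrides));           // host replaced
        System.out.println(resolve("example/app:1.0", null, overrides)); // constructed short name
        System.out.println(resolve(strimzi, null, Map.of()));            // no override: prefix kept
        System.out.println(resolve(strimzi, "private.example.internal/team/kafka:1", overrides));
    }
}
```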
Completely agree with this new proposal.
Cool, what do you prefer?:
To me, I prefer the first one
I would have done everything in this PR, but we can start with docker.io only and then do another PR with the other registries (less critical as it does not have rate limits)
This feature allows users to use a mirror registry to bypass the docker hub rate limit.
d84b214 to 342f1a2
ready to merge for me. Issue created for the other registries: #38146
Why didn't you implement what we discussed:
@ggrebert ping?
problem of understanding on my part. I thought that for docker.io we remove the host to allow the usage of the native
If I understand correctly what you want, we never use the native configuration for a mirror. We always use a quarkus property to override a host, even for docker.io which is a default regardless of the engine used
Yes, I think it's better, as it makes things more homogenous with the other registries.
OK, thx @cescoffier for clarifying the subject. It can take time for me due to all the different ways the docker images are set in all the extensions, and I work on it only in my free time.
@ggrebert any progress on this one?
Hello @cescoffier and @gsmet, Sorry, I really haven't had time to work on this as much as I would have hoped. However, I still studied @cescoffier's solution. I was going to create a helper in ConfigureUtil.java which replaces the host. But we then have to modify all the DevServices in each extension. Note:
I'm actually not sure of this being a good idea. The registry identifies which image one intends to use, and leaving it undefined opens up to various forms of supply chain attacks. Podman was insisting on doing the right thing by refusing images whose source is unspecified; this is clearly the better behaviour, unfortunately since it breaks stuff intended for Docker in which this level of precision isn't necessary this created friction in migration and the podman team ultimately gave up and changed the default behaviour on Fedora. But the option for the more secure behaviour is available still and I'd recommend to use it, and so do security guides on production systems. We should still support it. So I'd prefer it if we could keep the prefixes. Allowing an override would be welcome of course. Regarding rate control limits, shouldn't people use proxies like they are intended to? Proxies can be quite flexible AND secured.
@Sanne has a point here. Let's keep the prefix and allow overrides in a separate PR. Thanks!
This feature allows users to use a mirror registry
to bypass the docker hub rate limit.
fix #37912