You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by Chun-Hung Hsiao <ch...@mesosphere.io> on 2017/05/01 19:24:56 UTC
Review Request 58778: Supported GCE container registry.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/
-----------------------------------------------------------
Review request for mesos, Gilbert Song and Jie Yu.
Bugs: MESOS-7431
https://issues.apache.org/jira/browse/MESOS-7431
Repository: mesos
Description
-------
Certain registries, such as GCE registry, reply 403 instead of 401 for
unauthorized requests. When fetching image manifests and blobs, instead
of sending out unauthorized requests first and waiting for a possible
401, we should always look up the docker config and send requests with
basic authorization when possible.
Diffs
-----
src/uri/fetchers/docker.cpp 44169bf5f22f0ffd9fad7bb3b8f7d2a4989c6415
Diff: https://reviews.apache.org/r/58778/diff/1/
Testing
-------
sudo make check (covers all supported public registries)
Manually tested on the following private registries:
1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
2. Amazon ECR
3. Google GCR
Thanks,
Chun-Hung Hsiao
Re: Review Request 58778: Supported GCE container registry.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review173524
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58753, 58725, 58778]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On May 1, 2017, 7:24 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 1, 2017, 7:24 p.m.)
>
>
> Review request for mesos, Gilbert Song and Jie Yu.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp 44169bf5f22f0ffd9fad7bb3b8f7d2a4989c6415
>
>
> Diff: https://reviews.apache.org/r/58778/diff/1/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review175018
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58778]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On May 15, 2017, 5:39 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 15, 2017, 5:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
>
>
> Diff: https://reviews.apache.org/r/58778/diff/4/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
> 4. JFrog SaaS
> 5. Local Nexus registry 3.3.1
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Jie Yu <yu...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review175043
-----------------------------------------------------------
Fix it, then Ship it!
src/uri/fetchers/docker.cpp
Lines 449 (patched)
<https://reviews.apache.org/r/58778/#comment248360>
We have getAuthHeaderBasic and now we have getBasicAuthHeader. This is really confusing.
Let's use the same name `getAuthHeaderBasic` here (just different overload).
src/uri/fetchers/docker.cpp
Lines 693 (patched)
<https://reviews.apache.org/r/58778/#comment248361>
This is pretty confusing. Can we rename this parameter `basicAuthHeaders`?
- Jie Yu
On May 15, 2017, 5:39 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 15, 2017, 5:39 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
>
>
> Diff: https://reviews.apache.org/r/58778/diff/4/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
> 4. JFrog SaaS
> 5. Local Nexus registry 3.3.1
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review175060
-----------------------------------------------------------
src/uri/fetchers/docker.cpp
Line 660 (original), 715 (patched)
<https://reviews.apache.org/r/58778/#comment248407>
I like the `__fetchBlob()` change. More readable in code.
- Gilbert Song
On May 15, 2017, 5:50 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 15, 2017, 5:50 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
>
>
> Diff: https://reviews.apache.org/r/58778/diff/6/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
> 4. JFrog SaaS
> 5. Local Nexus registry 3.3.1
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review175061
-----------------------------------------------------------
Ship it!
LGTM! Ship it!
- Gilbert Song
On May 15, 2017, 5:50 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 15, 2017, 5:50 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
>
>
> Diff: https://reviews.apache.org/r/58778/diff/6/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
> 4. JFrog SaaS
> 5. Local Nexus registry 3.3.1
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/
-----------------------------------------------------------
(Updated May 16, 2017, 12:50 a.m.)
Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
Changes
-------
Addressed Jie's comments.
Bugs: MESOS-7431
https://issues.apache.org/jira/browse/MESOS-7431
Repository: mesos
Description
-------
Certain registries, such as GCE registry, reply 403 instead of 401 for
unauthorized requests. When fetching image manifests and blobs, instead
of sending out unauthorized requests first and waiting for a possible
401, we should always look up the docker config and send requests with
basic authorization when possible.
Diffs (updated)
-----
src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
Diff: https://reviews.apache.org/r/58778/diff/5/
Changes: https://reviews.apache.org/r/58778/diff/4-5/
Testing
-------
sudo make check (covers all supported public registries)
Manually tested on the following private registries:
1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
2. Amazon ECR
3. Google GCR
4. JFrog SaaS
5. Local Nexus registry 3.3.1
Thanks,
Chun-Hung Hsiao
Re: Review Request 58778: Supported GCE container registry.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/
-----------------------------------------------------------
(Updated May 15, 2017, 5:39 p.m.)
Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
Changes
-------
Addressed Gilbert's comments.
Bugs: MESOS-7431
https://issues.apache.org/jira/browse/MESOS-7431
Repository: mesos
Description
-------
Certain registries, such as GCE registry, reply 403 instead of 401 for
unauthorized requests. When fetching image manifests and blobs, instead
of sending out unauthorized requests first and waiting for a possible
401, we should always look up the docker config and send requests with
basic authorization when possible.
Diffs (updated)
-----
src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
Diff: https://reviews.apache.org/r/58778/diff/4/
Changes: https://reviews.apache.org/r/58778/diff/3-4/
Testing
-------
sudo make check (covers all supported public registries)
Manually tested on the following private registries:
1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
2. Amazon ECR
3. Google GCR
4. JFrog SaaS
5. Local Nexus registry 3.3.1
Thanks,
Chun-Hung Hsiao
Re: Review Request 58778: Supported GCE container registry.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review174890
-----------------------------------------------------------
Patch looks great!
Reviews applied: [58778]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On May 13, 2017, 12:45 a.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 13, 2017, 12:45 a.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
>
>
> Diff: https://reviews.apache.org/r/58778/diff/3/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
> 4. JFrog SaaS
> 5. Local Nexus registry 3.3.1
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Gilbert Song <so...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/#review174975
-----------------------------------------------------------
This patch looks good. Need to take aother look at the `fetchBlob()` logic once I wake up. Will make another pass. Thanks!
src/uri/fetchers/docker.cpp
Lines 653 (patched)
<https://reviews.apache.org/r/58778/#comment248275>
s/furute/futrue/g
src/uri/fetchers/docker.cpp
Lines 748 (patched)
<https://reviews.apache.org/r/58778/#comment248284>
Seems like a pre-request of calling `getAuthHeader()` is calling `getAuthHeaderBasic()` first. I am fine with this change (a hard dependency), but should we rename this variable (as well as the one in `_fetch()` to be `basicAuthHeaders`?
It might be less confusing since we have another `getAuthHeaders()` helper.
- Gilbert Song
On May 12, 2017, 5:45 p.m., Chun-Hung Hsiao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58778/
> -----------------------------------------------------------
>
> (Updated May 12, 2017, 5:45 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
>
>
> Bugs: MESOS-7431
> https://issues.apache.org/jira/browse/MESOS-7431
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Certain registries, such as GCE registry, reply 403 instead of 401 for
> unauthorized requests. When fetching image manifests and blobs, instead
> of sending out unauthorized requests first and waiting for a possible
> 401, we should always look up the docker config and send requests with
> basic authorization when possible.
>
>
> Diffs
> -----
>
> src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
>
>
> Diff: https://reviews.apache.org/r/58778/diff/3/
>
>
> Testing
> -------
>
> sudo make check (covers all supported public registries)
> Manually tested on the following private registries:
> 1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
> 2. Amazon ECR
> 3. Google GCR
> 4. JFrog SaaS
> 5. Local Nexus registry 3.3.1
>
>
> Thanks,
>
> Chun-Hung Hsiao
>
>
Re: Review Request 58778: Supported GCE container registry.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/
-----------------------------------------------------------
(Updated May 13, 2017, 12:45 a.m.)
Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
Changes
-------
Updated the logic so it is easier to support image secrets. In the future, we would like to do the following things:
1. Support image secrets: `fetch()` would receive one more `data` argument for secret credentials, and it would merge the default docker config and the secret credentials and pass the combined `auths` into `getAuthHeaderBasic()`.
2. Currently the `Basic` credential is constructed in `fetch()` and thus if the token is expired when downloading the blobs there's no way to get the `Basic` cerdential again. I'd like to refactor this part so the `Basic` credential could be integrated into the `userinfo` field in the new `URI` standard to avoid this problem, and the whole docker config should be processed in the docker registry puller instead of the fetcher plugin.
Bugs: MESOS-7431
https://issues.apache.org/jira/browse/MESOS-7431
Repository: mesos
Description
-------
Certain registries, such as GCE registry, reply 403 instead of 401 for
unauthorized requests. When fetching image manifests and blobs, instead
of sending out unauthorized requests first and waiting for a possible
401, we should always look up the docker config and send requests with
basic authorization when possible.
Diffs (updated)
-----
src/uri/fetchers/docker.cpp dbfc1b2f2918ccaf90fa31496a0792f585489397
Diff: https://reviews.apache.org/r/58778/diff/2/
Changes: https://reviews.apache.org/r/58778/diff/1-2/
Testing
-------
sudo make check (covers all supported public registries)
Manually tested on the following private registries:
1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
2. Amazon ECR
3. Google GCR
4. JFrog SaaS
5. Local Nexus registry 3.3.1
Thanks,
Chun-Hung Hsiao
Re: Review Request 58778: Supported GCE container registry.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/
-----------------------------------------------------------
(Updated May 12, 2017, 4:25 p.m.)
Review request for mesos, Gilbert Song, Jie Yu, and Vinod Kone.
Changes
-------
Will rebase on the image-secret patches.
Bugs: MESOS-7431
https://issues.apache.org/jira/browse/MESOS-7431
Repository: mesos
Description
-------
Certain registries, such as GCE registry, reply 403 instead of 401 for
unauthorized requests. When fetching image manifests and blobs, instead
of sending out unauthorized requests first and waiting for a possible
401, we should always look up the docker config and send requests with
basic authorization when possible.
Diffs
-----
src/uri/fetchers/docker.cpp 44169bf5f22f0ffd9fad7bb3b8f7d2a4989c6415
Diff: https://reviews.apache.org/r/58778/diff/1/
Testing
-------
sudo make check (covers all supported public registries)
Manually tested on the following private registries:
1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
2. Amazon ECR
3. Google GCR
4. JFrog SaaS
5. Local Nexus registry 3.3.1
Thanks,
Chun-Hung Hsiao
Re: Review Request 58778: Supported GCE container registry.
Posted by Chun-Hung Hsiao <ch...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58778/
-----------------------------------------------------------
(Updated May 1, 2017, 11:47 p.m.)
Review request for mesos, Gilbert Song and Jie Yu.
Changes
-------
More manual tests.
Bugs: MESOS-7431
https://issues.apache.org/jira/browse/MESOS-7431
Repository: mesos
Description
-------
Certain registries, such as GCE registry, reply 403 instead of 401 for
unauthorized requests. When fetching image manifests and blobs, instead
of sending out unauthorized requests first and waiting for a possible
401, we should always look up the docker config and send requests with
basic authorization when possible.
Diffs
-----
src/uri/fetchers/docker.cpp 44169bf5f22f0ffd9fad7bb3b8f7d2a4989c6415
Diff: https://reviews.apache.org/r/58778/diff/1/
Testing (updated)
-------
sudo make check (covers all supported public registries)
Manually tested on the following private registries:
1. Local registry (2.0.1, 2.1.1, 2.2.1, ..., 2.6.1)
2. Amazon ECR
3. Google GCR
4. JFrog SaaS
5. Local Nexus registry 3.3.1
Thanks,
Chun-Hung Hsiao