-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Idea: docker-lock migrate #104
Comments
I think this is an excellent idea - it would make migrating to a private registry much easier. Let me know if this somewhat matches what you had in mind in terms of workflow:
Now, let’s assume that an update has been pushed to the public registry(s):
What do you think? |
I would expect this not to require flags and just use the docker auth config file, in the same way that
Seems reasonable. I haven't looked at the lockfile format, so I'm not sure how this would affect existing datastructures. How would you handle migrating to multiple private registries? Say I want to have geo-redundant k8s clusters that each pull from their nearest registry. For GCR, you could rewrite manifests three times to point to
With some flag or something to select which registry should be used in the rewrite? Or would that decision happen during
This seems like a reasonable workflow -- one nice thing about tracking both upstream and downstream in lockfiles is that you could do some diffing client-side to skip migrating anything that's already downstream. That might complicate things, though. |
My apologies, that was a lapse on my part - yes, currently
I am not super familiar with the geo-redundant case, but shouldn't this be handled by the registry itself? Quickly reading up on Azure (I am more familiar with it), for Azure Container Registry it appears as though you can just use one URL and it will pull from the ideal replica for you. That said, I understand the case for having multiple replicas with multiple URLs. An alternative to having multiple Lockfiles as you suggested would be to have
Then, when running Just a thought, not wed to any solution, but I think it might be more ergonomic to always just have one Lockfile.
As for client side diffing, I assume the goal is to have every replica registry contain the same images, so if an image already exists, docker-lock could just skip the
Here is the Lockfile used in this project. It only uses Dockerhub, but following the README, you can generate them for sample projects using your own private registry. |
Indeed, this is how a lot of registries work, but it introduces a single point of failure at the DNS or load balancer level. Sometimes it's nice to have complete isolation between two environments, which generally means you'll need multiple image references for the "same" workload. (There are other ways to accomplish similar things, I'm just brainstorming here.)
That seems reasonable to me. For the use case I really have in mind, this is sufficient. What I want is this:
I don't know that I really need the lockfile, but it seems integral to how docker-lock functions currently, and I don't think it really hurts anything to have it. I would defer to you for the best UX here. One thing I haven't solved is how to rename images across registries. Ideally, you could mirror the structure of the source:
But, what if we also have One nice thing is that the collisions don't really matter if you're pulling by digest, but it's something to consider (especially if we're copying tags over).
Yep, exactly. |
This was raised in the other open issue, and I tend to agree that in many cases you don't need the Lockfile. When I developed this (for my own usecase) I thought it would be nice to keep the hash information out of the Dockerfiles so that they would remain as readable as possible. As the project evolved, I am still 50/50 on whether this is necessary, but currently it is how it works.
This seems pretty hairy and makes me wonder if it might just be worth supporting a smaller subset of usecases. In terms of time for this feature, I am not sure the next time I will have to add features, but am willing to review any PRs. In terms of UX, I would generally see: |
Upon second thought, I will play around with it in the next week and ping you with an update / code, but feel free to try some ideas out as well if you have time. |
Sounds good -- no rush on my side as I am also a bit busy, but I might point some people towards this as a potential solution if they have time to implement it. |
@jonjohnsonjr |
One other problem with this is that the same structure may not even work. For instance:
fails but
succeeds. In light of that, I was thinking that the simplest solution would be to just use the last part of the path, as in the example above. However, this would be annoying for the case of a project that uses 2 images with the same last path: I think that this case is somewhat rare though, and the command could throw a warning/error/rename a path in this case, so it could be an acceptable solution. Thoughts? |
Many! So this has bit me in ~four different contexts now, and it feels like I should write something up, but I honestly haven't found a great solution to it. Let me try to enumerate some constraints to explain why I think this is difficult, and one potential path forward:
If your destination is one of the first three cases, this isn't actually too bad. You can just take a configured "root" in the destination registry and append all the path components from the source registry, e.g.: DESTINATION=dst.example.com/lock
As long as we're unrestricted in the maximum number of paths, you can always choose a The problem is with e.g. the fourth case. If we have an upper bound on path components in a source registry, how do we flatten them into a finite number of paths for the destination registry? With
The default is ugly, but it works :/
This is fine, but what is a user to do if there's an error? We would need some kind of knob to turn, I think. They are not likely to be able to change the names of all their source repositories, as those are often outside of their control. So I've got a handful of bad ideas to deal with this, but I'm not sure if any are palatable:
I feel like solution 3 and 4 are maybe overkill, but it's hard to find a method that works for everything. Not sure if this is helpful or not :) |
I've been thinking about building something similar to this that includes the ability to copy images to an alternative registry, rather than just resolving tags to digests.
Abstractly, I'd love to have some way to map various functions over collections that contain image references.
You've already implemented support for lots of collections (Dockerfiles, docker-compose files, and kubernetes manifests) and two functions (rewite and verify). We could add a
migrate
function (we can bikeshed the name) that callscrane.Copy
, too.Some applications:
I put together a proof of concept a while back that only worked for kubernetes manifests: ko-build/ko#11
What do you think?
cc @imjasonh
The text was updated successfully, but these errors were encountered: