c8d: Make sure the content isn't removed while we export #45963
Conversation
rumpl
added
status/2-code-review
process/cherry-pick
area/images
containerd-integration
|
@thaJeztah I see you added the 25.0.0 milestone, which is fine but this change is not essential to the 25 release |
rumpl
force-pushed
the
c8d-image-save-lease
branch
from
a6f6128 to
2591d72
Compare
rumpl
force-pushed
the
c8d-image-save-lease
branch
2 times, most recently
from
1757030 to
4fe7bb3
Compare
rumpl
force-pushed
the
c8d-image-save-lease
branch
from
4fe7bb3 to
54f3f47
Compare
rumpl
force-pushed
the
c8d-image-save-lease
branch
3 times, most recently
from
467cff5 to
ab81658
Compare
| ctx, release, err := i.client.WithLease(ctx) | ||
| contentStore := i.client.ContentStore() | ||
| leasesManager := i.client.LeasesService() | ||
| lease, err := leasesManager.Create(ctx, leases.WithRandomID()) |
There was a problem hiding this comment.
| lease, err := leasesManager.Create(ctx, leases.WithRandomID()) | |
| lease, err := leasesManager.Create(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour)) |
For paranoid safety's sake, should we create the lease with an expiration (a la https://github.com/moby/moby/blob/0c6b61665668fa68538a630d341ad56e53817162/daemon/containerd/image_commit.go#L71C67-L71C101) ?
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
There was a problem hiding this comment.
I think our best bet would be to add a cleanup routine at startup that would remove all dangling leases. This should only happen if there is a catastrophic failure and the daemon was killed mid-export. Adding a 1 hour lease would make exports that run more than 1h fail if someone removed the content while we were exporting. Both of the cases should be rare and yeah, a cleanup routine at startup would be best I think.
We could even add a check in all our tests checking that there are no dangling leases.
is there a relation between ctx and "expiration"? i.e., should leases also expire if the context is cancelled or timed out?
There isn't, not in the way you describe it no, would be a nice addition for sure. Containerd has only this:
ctx, release, err := i.client.WithLease(ctx)In this case when release is called and the lease would be removed. This lease only works for content that is created during the life of that context. In the case of exporting we aren't creating any content, we are only reading them, that's why we need to pre-lease all the content and then safely read it.
There was a problem hiding this comment.
I think our best bet would be to add a cleanup routine at startup that would remove all dangling leases.
I'm okay with this, and sounds like a better way to go than arbitrary 1-hour lease. I'll try to write this down to remember to do this somewhere, and when we do that we should go through the rest of the c8d integration code and remove the arbitrary 1-hour expirations in other places (so that an hour long docker commit won't break, even though I hope that's not happening frequently)
There was a problem hiding this comment.
We should also make sure we always set options to the WithLease call, by default it will create a 24h lease.
There was a problem hiding this comment.
Looks like we have a utility in one place;
moby/daemon/images/image_pull.go
Lines 136 to 150 in 058a6e9
But given that we're wrapping the leases manager in our "namespaced" manager, would it make sense to apply defaults there?
There was a problem hiding this comment.
Indeed! Forgot about that one
There was a problem hiding this comment.
I opened a issue to track this one #46020
There was a problem hiding this comment.
one silly question on @laurazard's comment, and I agree with all other comments, but other than that, this LGTM
| ctx, release, err := i.client.WithLease(ctx) | ||
| contentStore := i.client.ContentStore() | ||
| leasesManager := i.client.LeasesService() | ||
| lease, err := leasesManager.Create(ctx, leases.WithRandomID()) |
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
|
@thaJeztah scoping a lease to a context will be much cheaper to implement with Go 1.21's I think it's wise for containerd not to implement a |
This change add leases for all the content that will be exported, once the image(s) are exported the lease is removed, thus letting containerd's GC to do its job if needed. This fixes the case where someone would remove an image that is still being exported. This fixes the TestAPIImagesSaveAndLoad cli integration test. Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
rumpl
force-pushed
the
c8d-image-save-lease
branch
from
ab81658 to
f3a6b0f
Compare
Also fair point. It was a "wild blurb" on my side, mostly considering what the proper / cleanest way would be to create a "transaction" (with some work during), which is expected to last for the duration of the context (possibly with a deadline, but I guess that'd be more for the context), but I definitely haven't given it a lot of thought yet. |
- What I did
This change adds leases for all the content that will be exported, once the image(s) are exported the lease is removed, thus letting containerd's GC to do its job if needed. This fixes the case where someone would remove an image that is still being exported.
This fixes the TestAPIImagesSaveAndLoad cli integration test.
- How I did it
- How to verify it
Run
make DOCKER_GRAPHDRIVER=overlayfs TEST_FILTER=TestAPIImagesSaveAndLoad TEST_INTEGRATION_USE_SNAPSHOTTER=1 test-integration, the test should now pass.- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)