registry: isCIDRMatch: avoid performing DNS lookups if not needed #48999
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
added
area/distribution
status/2-code-review
kind/refactor
|
Failure is unrelated; will be fixed by; |
Skip all code if there's nothing to match against. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
no_dnslookup
branch
from
3a732a9 to
d31c28d
Compare
isCIDRMatch defaulted to trying to resolve a hostname to get its IP-address(es) before trying if the given host was an IP address already. Let's reverse the order so that we can avoid performing a DNS lookup when it's not needed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
no_dnslookup
branch
from
d31c28d to
28a700b
Compare
thaJeztah
commented
Dec 2, 2024
Comment on lines
-38
to
-41
| if host == "127.0.0.1" { | ||
| // I believe in future Go versions this will fail, so let's fix it later | ||
| return net.LookupIP(host) | ||
| } |
There was a problem hiding this comment.
As we're now skipping lookupIP if it's an IP address, this case can be removed; let me update
|
This one's really flaky recently; |
thaJeztah
commented
Dec 2, 2024
Comment on lines
+292
to
+294
| if len(cidrs) == 0 { | ||
| return false | ||
| } |
There was a problem hiding this comment.
Sadly this currently doesn't help, as we're unconditionally initialising RepoInfo with localhost CIDRs; while that's relevant for some uses of RepoInfo, it's not for others, and I'll look for follow-ups to split those use-cases.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A colleague found that isCIDRMatch (called indirectly through ParseRepositoryInfo), is performing DNS lookups. These lookups are related to it assuming is being run as part of the docker engine, and has to check whether the registry is marked as "insecure" in daemon config.
A consequence of this was that tests were slow as they were using
foo.example.com(and similar) domains.This is a first set of changes to avoid performing DNS lookups; the core problem lies in
newRegistryInfo(which is called as part of the above) always tries to propagate all information, including whether the registry is marked "secure". This information is not used in any way for getting the key to use for storing auth, but requires some additional changes to remove (which I'll do in follow-ups);moby/registry/config.go
Lines 386 to 405 in 321f9c2