DO NOT MERGE: Smoke-test of a costly “always compute old-style IDs” approach #24419

Draft
wants to merge 11 commits into
base: main

Collaborator

@mtrmac mtrmac commented Oct 30, 2024

This is a variant of #24287 which reverts (some of) the system test changes to again expect old-style IDs, and includes containers/storage#2155 / containers/image#2613 .

⚠️ WARNING: all of this is a quick sketch, absolutely untested.

This exists purely to give us options. With this, zstd:chunked loses some of the performance wins, and it should revert to old-style IDs. We then have the option to reintroduce the ID change and performance improvement (perhaps even based on measurements) later.

And, separately, this enforces that layers should match against the config’s DiffIDs, resolving the signing ambiguity.

FYI @giuseppe @edsantiago @mheon @baude

Does this PR introduce a user-facing change?

None

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none labels Oct 30, 2024
Contributor

openshift-ci bot commented Oct 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 30, 2024
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 30, 2024
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from c179f32 to 5345c94 Compare October 30, 2024 15:19

Ephemeral COPR build failed. @containers/packit-build please check.

@mtrmac mtrmac changed the title from "DO NOT MERGE: Smoke-test of costly “always compute old-style IDs” approach" to "DO NOT MERGE: Smoke-test of a costly “always compute old-style IDs” approach" Oct 30, 2024
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch 6 times, most recently from 3d26edf to 85bf387 Compare October 31, 2024 18:29
Collaborator Author

mtrmac commented Nov 4, 2024

Note to self: If/after containers/storage#2156 merges, this PR will need to re-enable enable_partial_images.

Edit: done.

@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from 85bf387 to 776b38d Compare November 18, 2024 16:48
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 18, 2024
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from 776b38d to 93405a1 Compare November 18, 2024 16:50
Collaborator Author

mtrmac commented Nov 18, 2024

The test images with all images converted to zstd:chunked are too old. For now I’m leaving that variant in https://github.com/mtrmac/libpod/tree/mitr-zstd-costly-old-ids-integration-chunked-test-images , and reverting to test with the current images here.

⚠️ That significantly decreases the scope of testing; many of the unexpected behavior changes were happening only with most images converted to zstd:chunked. With this, we are mostly back to the test coverage of #21903 , which is known to not demonstrate many of the surprises.

@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from 7a0271e to b14da5e Compare November 18, 2024 17:00
@edsantiago
Member

> The test images with all images converted to zstd:chunked are too old

Would you care to follow (and test and review) my new simplified automation_images doc? You will need to import https://github.com/containers/automation_images/pull/388/files but apart from that it really should be fairly simple.

@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from b14da5e to 4148a66 Compare November 18, 2024 17:35
Collaborator Author

mtrmac commented Nov 18, 2024

Thanks, I’ll definitely try that.

Collaborator Author

mtrmac commented Nov 22, 2024

> The test images with all images converted to zstd:chunked are too old.

Note to self: containers/automation_images#395 .

@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch 5 times, most recently from ac0bb3f to 9b2c391 Compare November 29, 2024 00:31
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from 07052cc to fca988f Compare November 29, 2024 15:29
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch 2 times, most recently from e8de55a to d8a0cea Compare December 14, 2024 00:27
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from d8a0cea to ed2d593 Compare January 2, 2025 20:55
Collaborator Author

mtrmac commented Jan 6, 2025

Private notes of manual testing process/outcomes, some problems remain
chunked pulls with DiffIDs work
###
# bin/podman pull docker://quay.io/libpod/alpine
# bin/podman --log-level=debug push --tls-verify=false --force-compression --compression-format zstd:chunked quay.io/libpod/alpine   docker://localhost:5000/chunked-normal

# skopeo copy --preserve-digests --all --src-tls-verify=false docker://localhost:5000/chunked-normal dir:t-chunked-normal
FIXME: originalDigest, originalLen
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
verify log contains "Created zstd:chunked differ for blob"
verify image ID matches config digest

chunked pulls with incorrect DiffIDs fail
###
# jq . < t-chunked-normal/$originalDigest > tmp
# cp -a t-chunked-normal t-chunked-mismatch
modify diffID in tmp
# configDigest=$(sha256sum tmp | cut -d ' ' -f 1)
# configLen=$(wc --bytes < tmp)
# mv tmp t-chunked-mismatch/$configDigest
# sed "s/$originalDigest/$configDigest/ ; s/:$originalLen}/:$configLen}/" < t-chunked-normal/manifest.json > t-chunked-mismatch/manifest.json 
# skopeo copy --preserve-digests --all --dest-tls-verify=false dir:t-chunked-mismatch docker://localhost:5000/chunked-mismatch
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-mismatch
(reuse) verify fails with "trying to reuse"…"does not match config's DiffID"
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-mismatch
(fresh pull) verify fails with "uncompressed digest of layer" … "config claims"

chunked pulls with missing DiffIDs fail
###
# jq . < t-chunked-normal/$originalDigest > tmp
# cp -a t-chunked-normal t-chunked-missing
remove diffID in tmp
# configDigest=$(sha256sum tmp | cut -d ' ' -f 1)
# configLen=$(wc --bytes < tmp)
# mv tmp t-chunked-missing/$configDigest
# sed "s/$originalDigest/$configDigest/ ; s/:$originalLen}/:$configLen}/" < t-chunked-normal/manifest.json > t-chunked-missing/manifest.json 
# skopeo copy --preserve-digests --all --dest-tls-verify=false dir:t-chunked-missing docker://localhost:5000/chunked-missing
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-missing
(fresh pull) verify fails with "image config has only 0 DiffID values, but a layer with index 0 exists"
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-missing
(reuse) verify fails with "image config has only 0 DiffID values, but a layer with index 0 exists"

chunked pulls with empty DiffIDs fail
###
# jq . < t-chunked-normal/$originalDigest > tmp
# cp -a t-chunked-normal t-chunked-empty
set diffID in tmp to ""
# configDigest=$(sha256sum tmp | cut -d ' ' -f 1)
# configLen=$(wc --bytes < tmp)
# mv tmp t-chunked-empty/$configDigest
# sed "s/$originalDigest/$configDigest/ ; s/:$originalLen}/:$configLen}/" < t-chunked-normal/manifest.json > t-chunked-empty/manifest.json 
# skopeo copy --preserve-digests --all --dest-tls-verify=false dir:t-chunked-empty docker://localhost:5000/chunked-empty
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-empty
FIXME FIXME FIXME (reuse) verify succeeds with "Copying blob 45f92e705e65 skipped: already exists (found by TOC)"
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-empty
(fresh pull) verify succeeds with "Failed to retrieve partial blob: DiffID value for layer 0 is unknown or explicitly empty" and "Detected compression format zstd" (falling back to full pull)

non-chunked preparation
###
# for i in t-chunked-*; do j=t-nonchunked-${i#t-chunked-}; cp -a "$i" "$j" && sed 's/io.github.containers.zstd-chunked/irrelevant-annotation/g' < "$j"/manifest.json > tmp &&  mv tmp "$j"/manifest.json  && skopeo copy --preserve-digests --all --dest-tls-verify=false dir:$j docker://localhost:5000/nonchunked-${j#t-nonchunked-}; done

non-chunked pulls with DiffIDs work
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-normal
(fresh pull) verify succeeds with "Failed to retrieve partial blob: no TOC found and convert_images is not configured"
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-normal
(reuse did not trigger, no compressed digest match) verify succeeds with "Failed to retrieve partial blob: no TOC found and convert_images is not configured" and "Detected compression format zstd"

non-chunked pulls with incorrect DiffIDs fail
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-mismatch
(fresh pull) verify fails with "writing blob"… "does not match config's DiffID"
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-mismatch
(reuse) verify fails with "trying to reuse blob"…"does not match config's DiffID"


non-chunked pulls with missing DiffIDs work
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-missing
FIXME FIXME FIXME (fresh pull) fails with "image config has only 0 DiffID values, but a layer with index 0 exists"
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-missing
FIXME FIXME FIXME (reuse) fails with "image config has only 0 DiffID values, but a layer with index 0 exists"

non-chunked pulls with empty DiffIDs work
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-empty
(fresh pull) verify succeeds with "Failed to retrieve partial blob: no TOC found and convert_images is not configured"
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
(reuse did not trigger, no compressed digest match) verify succeeds with "Failed to retrieve partial blob: no TOC found and convert_images is not configured" and "Detected compression format zstd"


estargz pulls fall back
###
FIXME: this is a random image on the internet
# bin/podman --log-level=debug pull docker://ghcr.io/stargz-containers/node:13.13.0-esgz
Verify succeeds with "Failed to retrieve partial blob: estargz layers don't support partial pulls with guaranteed consistency with non-partial pulls"


edit storage.conf
###
# sed 's/pull_options = .*/pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos="", "insecure_allow_unpredictable_image_contents" = "true"}/' < /usr/share/containers/storage.conf > /etc/containers/storage.conf

with option, estargz pulls work
###
FIXME: this is a random image on the internet
# bin/podman system reset
# bin/podman --log-level=debug pull docker://ghcr.io/stargz-containers/node:13.13.0-esgz
Verify succeeds with "Created eStargz differ for blob"

with option, chunked pulls with incorrect DiffIDs work
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-mismatch
(fresh pull) Verify succeeds with "Created zstd:chunked differ for blob"
Verify image ID does not match config digest
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-mismatch
(reuse still succeeds, TOC match without diffID known)
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-mismatch
(reuse) verify fails on "does not match config's DiffID", now known costlessly


with option, chunked pulls with missing DiffIDs work
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-missing
FIXME FIXME FIXME (fresh pull) fails with "image config has only 0 DiffID values, but a layer with index 0 exists"
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-missing
FIXME FIXME FIXME (reuse) succeeds, but re-check after bug fixed
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-missing
FIXME FIXME FIXME (fresh pull) fails with "image config has only 0 DiffID values, but a layer with index 0 exists"



with option, chunked pulls with empty DiffIDs work
###
# bin/podman system reset
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-empty
(fresh pull) Verify succeeds with "Failed to retrieve partial blob: DiffID value for layer 0 is unknown or explicitly empty"
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-empty
(reuse, FIXME FIXME FIXME re-check later) Verify succeeds with "Skipping blob"…"already present"
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/nonchunked-normal
# bin/podman --log-level=debug pull --tls-verify=false docker://localhost:5000/chunked-empty
(reuse, FIXME FIXME FIXME re-check later) Verify succeeds with "Skipping blob"…"already present"


---

- [ ] schema1 pulls work
- [v] non-chunked pulls with DiffIDs work
- [v] non-chunked pulls with incorrect DiffIDs fail
- [X] non-chunked pulls with missing DiffIDs work
- [v] non-chunked pulls with empty DiffIDs work
- [v] chunked pulls with DiffIDs work
- [v] chunked pulls with incorrect DiffIDs fail
- [v] chunked pulls with missing DiffIDs fail
- [X] chunked pulls with empty DiffIDs fail
- [X] estargz pulls fall back
- [v] with option, estargz pulls work
- [v] with option, chunked pulls with incorrect DiffIDs work
- [X] with option, chunked pulls with missing DiffIDs work
- [v] with option, chunked pulls with empty DiffIDs work
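
The four image variants exercised in the notes above (correct, incorrect, missing and empty DiffIDs), modelled as an added Python example that is not part of the comment above or of Podman's or containers/image's code. It assumes an in-memory image with one gzip layer in place of the zstd:chunked layers, and `build_image` and `classify_layers` are hypothetical names; it only classifies each layer and does not reproduce Podman's decision about which cases are accepted.

```python
import gzip
import hashlib
import json


def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_image(diff_ids=None):
    """Constructed one-layer image: (manifest bytes, {digest: blob}). diff_ids
    overrides the config's list; the manifest's config digest and size are then
    recomputed, as the notes do with sha256sum and wc."""
    tar = b"constructed stand-in for an uncompressed layer tar"
    layer = gzip.compress(tar, mtime=0)
    diff_ids = [digest(tar)] if diff_ids is None else diff_ids
    config = json.dumps({"rootfs": {"type": "layers", "diff_ids": diff_ids}}).encode()
    manifest = json.dumps({
        "schemaVersion": 2,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": digest(config), "size": len(config)},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                    "digest": digest(layer), "size": len(layer)}],
    }).encode()
    return manifest, {digest(config): config, digest(layer): layer}


def classify_layers(manifest_bytes, blobs):
    """Return one verdict per layer: ok, mismatch, missing or empty."""
    manifest = json.loads(manifest_bytes)
    desc = manifest["config"]
    config = blobs[desc["digest"]]
    # The manifest pins the config by digest and size, so a config edited
    # without rewriting the manifest is rejected before DiffIDs are read.
    if digest(config) != desc["digest"] or len(config) != desc["size"]:
        raise ValueError("config blob does not match manifest descriptor")
    diff_ids = json.loads(config).get("rootfs", {}).get("diff_ids") or []
    verdicts = []
    for i, layer in enumerate(manifest["layers"]):
        if i >= len(diff_ids):
            verdicts.append("missing")   # config lists fewer DiffIDs than layers
        elif diff_ids[i] == "":
            verdicts.append("empty")     # entry present but explicitly empty
        else:
            data = blobs[layer["digest"]]
            if layer["mediaType"].endswith("+gzip"):
                data = gzip.decompress(data)
            verdicts.append("ok" if digest(data) == diff_ids[i] else "mismatch")
    return verdicts


if __name__ == "__main__":
    for case in (None, ["sha256:" + "0" * 64], [], [""]):
        print(case, classify_layers(*build_image(case)))
```
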

@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch 3 times, most recently from b128c72 to 782aa77 Compare January 10, 2025 20:34
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch 4 times, most recently from 6828853 to 7cf1875 Compare January 16, 2025 20:16
Collaborator Author

mtrmac commented Jan 16, 2025

This is now on top of #25007, and differs from it by:

  • using a CI image where all images are zstd:chunked
  • enabling partial pulls for the whole Podman test suite
  • updating the tests to work with the unexpectedly-Zstd images

mtrmac added 11 commits January 23, 2025 22:55
... because (podman system reset) will delete all of it,
interfering with the test storing other data in the directory.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac mtrmac force-pushed the mitr-zstd-costly-old-ids-integration branch from 8f28e37 to 2c318f6 Compare January 23, 2025 22:01