Skip to content

WIP: Only obtain a bearer token once at a time#1968

Closed
mtrmac wants to merge 6 commits into
containers:mainfrom
mtrmac:shared-token
Closed

WIP: Only obtain a bearer token once at a time#1968
mtrmac wants to merge 6 commits into
containers:mainfrom
mtrmac:shared-token

Conversation

@mtrmac

@mtrmac mtrmac commented May 29, 2023

Copy link
Copy Markdown
Collaborator

Currently, on pushes, we can start several concurrent layer pushes; each one will check for a bearer token in tokenCache, find none, and ask the server for one, and then write it into the cache.

So, we can hammer the server with 6 basically-concurrent token requests. That's unnecessary, slower than just asking once, and potentially might impact rate limiting heuristics.

Instead, serialize writes to a bearerToken so that we only have one request in flight at a time.

This does not apply to pulls, where the first request is for a manifest, which obtains a token, so subsequent concurrent layer pulls will not request a token again.

WIP: Clean up the debugging log entries.

@mtrmac mtrmac mentioned this pull request May 29, 2023
Open
mtrmac
mtrmac commented May 29, 2023
View reviewed changes
Comment thread docker/docker_client.go Outdated
Comment thread docker/docker_client.go Outdated
@mtrmac mtrmac force-pushed the shared-token branch 4 times, most recently from 84d61b4 to e2c713b Compare June 1, 2023 17:50
@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label Jun 30, 2023
@mtrmac mtrmac mentioned this pull request Jul 31, 2023
Closed
@mtrmac mtrmac mentioned this pull request Apr 2, 2024
Merged
@mtrmac mtrmac force-pushed the shared-token branch 2 times, most recently from 1fd9f89 to 3ec2136 Compare May 30, 2024 19:32
@mtrmac mtrmac force-pushed the shared-token branch 2 times, most recently from cd3b8ee to 8636ccc Compare July 9, 2024 20:16
@mtrmac mtrmac mentioned this pull request Jul 9, 2024
Merged
@mtrmac

mtrmac commented Jul 9, 2024

Copy link
Copy Markdown
Collaborator Author

The not-directly-related refactoring are now filed separately in #2480.

mtrmac added 6 commits July 11, 2024 20:02
@mtrmac
Split obtainBearerToken from dockerClient.setupRequestAuth
9e3cd4a 
... because we will make it more complex.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Exit early from obtainBearerToken if c.registryToken is set
1729768 
... to decrease indentation and remove a variable.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Use an explicit lock for dockerClient.tokenCache instead of sync.Map
10367f7 
We will want to manage concurrency in more detail.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Store a pointer to a bearerToken in tokenCache
e7155e1 
We will want to add a lock to it, so we must stop copying it by value.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Move creation of bearerToken to obtainBearerToken
f8d6195 
Instead of having getBearerToken* construct a new bearerToken
object, have the caller provide one.

This will allow us to record that a token is being obtained,
so that others can wait for it.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
WIP: Only obtain a bearer token once at a time
43a2b72 
Currently, on pushes, we can start several concurrent layer pushes;
each one will check for a bearer token in tokenCache, find none,
and ask the server for one, and then write it into the cache.

So, we can hammer the server with 6 basically-concurrent token requests.
That's unnecessary, slower than just asking once, and potentially might
impact rate limiting heuristics.

Instead, serialize writes to a bearerToken so that we only have one request in
flight at a time.

This does not apply to pulls, where the first request is for a manifest;
that obtains a token, so subsequent concurrent layer pulls will not request
a token again.

WIP: Clean up the debugging log entries.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac mtrmac mentioned this pull request Jun 23, 2025
Closed
@jankaluza

jankaluza commented Aug 26, 2025

Copy link
Copy Markdown
Member

Hi, and thank you for your contribution!

We’ve recently migrated this repository into a new monorepo: containers/container-libs along with other repositories

As part of this migration, this repository is no longer accepting new Pull-Requests and therefore this Pull-Request is being closed.

Thank you very much for your contribution. We would appreciate your continued help in migrating this PR to the new container-libs repository. Please let us know if you are facing any issues.

You can read more about the migration and the reasoning behind it in our blog post: Upcoming migration of three containers repositories to monorepo.

Thanks again for your work and for supporting the containers ecosystem!

@jankaluza jankaluza closed this Aug 26, 2025
@mtrmac mtrmac mentioned this pull request Oct 23, 2025
Merged
@mtrmac

mtrmac commented Oct 23, 2025

Copy link
Copy Markdown
Collaborator Author

This continues in podman-container-tools/container-libs#415 .

@mtrmac mtrmac deleted the shared-token branch November 3, 2025 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kind/feature A request for, or a PR adding, new functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mtrmac @jankaluza