Drop the old tarsum computation for Docker <0.10#570
Drop the old tarsum computation for Docker <0.10#570dmp42 merged 1 commit intodocker-archive:masterfrom
Conversation
|
Pretty much, here we are: Add to that about half a percent of even older clients. Trend looks like that: I would give it another month for these to flat out to something we can really ignore - that would match with 1.0 timeline hopefully. Thanks for this Mr. wking :-) |
|
Ok, time to revisit this. I'm ok removing these bits, but I want in place a mechanism to refuse push from clients < 0.10 (exact http code to be devised - 406? 417? none are technically exact here, but they are specific enough to distinguish from other errors). Do you want to take it from here? |
|
On Thu, Nov 13, 2014 at 12:53:03PM -0800, Olivier Gambier wrote:
The reason there's no correct response for “you have a User-Agent I X-Docker-Versions: 2.4, 3.1, ... header listing the semantically versioned APIs that the registry did Is there an alternate way to get the existing clients to report a |
|
On Thu, Nov 13, 2014 at 12:53:03PM -0800, Olivier Gambier wrote:
Joe Liversedge suggests “412 Precondition Failed” 1. |
|
On Sat, Nov 15, 2014 at 08:54:36AM -0800, W. Trevor King wrote:
And it looks like X-* headers are no longer recommended 1, so |
|
Unfortunately, client side error reporting is not good (for past and present docker versions), and it's (very) unlikely that old docker versions are going to get an update - while I do agree that none of my suggestions are technically "the right thing to do", we need a reasonably "visible" way to give feedback to older clients pointing to that specific issue. Now, for the future: #734 |
|
On Sat, Nov 15, 2014 at 02:40:03PM -0800, Olivier Gambier wrote:
So what are our options? I'm not sure what the client sees, or if the |
I believe for the targeted versions (<0.10) using an HTTP status code that is not used already for other error conditions is the only way (+ informative error message in the body can't hurt). Connections are made by the daemon - these will show in daemon logs. |
09a63ef to
6a73d6e
Compare
This landed in 82021b4 (Merging bypass-tarsum, 2014-04-07, docker-archive#300), but those Dockers are now ancient history. I'm against this sort of user-agent-dependent behavior in general. If we want to version the API, it makes sense to have version checks in one place (e.g. in the URL, or in an explicit Docker-Version header, or in the PUT payload, ...). I'm happy with either the URL approach (always explicit) or the Docker-Version approach (defaulting to the current version). If we make some small change to the API (such as not storing layer tarsums), and want to add per-feature headers or registry-side options to enable/disable this behaviour, that's fine. If we can auto-detect new features (e.g. if Docker-Checksum-Payload exists, it must be using the new SHA-256 semantics), that's fine too. But regardless of how we version the API, conflating the API version with the user-agent version just seems confusing. Olivier wants us to warn older clients instead of just failing when their tarsum doesn't match our checksum [1], so we still need to use their user-agent string to decide which clients get warned. I've softened the old DockerVersion into a more relaxed docker_client_version, which no longer rejects non-Docker clients [2]. If we can't version the API, we can at least use a blacklist to deny old implementations instead of a whitelist that requires other clients to fake the Docker-daemon User-Agent string. I'd like to remove all the user-agent-dependent behavior, but we're currently also using it to setup some tag metadata in docker_registry.tags.put_tag. I don't touch that here, since I haven't tracked down the reasoning behind that behavior (although I suspect it's also a bad idea ;). I also haven't touched the user-agent bits under tests/, since I haven't checked to see if they're designed to test this check, or to test the put_tags check, or just to bypass either of those checks. [1]: docker-archive#570 (comment) [2]: docker-archive#375
6a73d6e to
ffa493d
Compare
This landed in 82021b4 (Merging bypass-tarsum, 2014-04-07, docker-archive#300), but those Dockers are now ancient history. I'm against this sort of user-agent-dependent behavior in general. If we want to version the API, it makes sense to have version checks in one place (e.g. in the URL, or in an explicit Docker-Version header, or in the PUT payload, ...). I'm happy with either the URL approach (always explicit) or the Docker-Version approach (defaulting to the current version). If we make some small change to the API (such as not storing layer tarsums), and want to add per-feature headers or registry-side options to enable/disable this behaviour, that's fine. If we can auto-detect new features (e.g. if Docker-Checksum-Payload exists, it must be using the new SHA-256 semantics), that's fine too. But regardless of how we version the API, conflating the API version with the user-agent version just seems confusing. Olivier wants us to warn older clients instead of just failing when their tarsum doesn't match our checksum [1], so we still need to use their user-agent string to decide which clients get warned. I've softened the old DockerVersion into a more relaxed docker_client_version, which no longer rejects non-Docker clients [2]. If we can't version the API, we can at least use a blacklist to deny old implementations instead of a whitelist that requires other clients to fake the Docker-daemon User-Agent string. I'd like to remove all the user-agent-dependent behavior, but we're currently also using it to setup some tag metadata in docker_registry.tags.put_tag. I don't touch that here, since I haven't tracked down the reasoning behind that behavior (although I suspect it's also a bad idea ;). I also haven't touched the user-agent bits under tests/, since I haven't checked to see if they're designed to test this check, or to test the put_tags check, or just to bypass either of those checks. [1]: docker-archive#570 (comment) [2]: docker-archive#375
ffa493d to
ad9a8cc
Compare
This landed in 82021b4 (Merging bypass-tarsum, 2014-04-07, docker-archive#300), but those Dockers are now ancient history. I'm against this sort of user-agent-dependent behavior in general. If we want to version the API, it makes sense to have version checks in one place (e.g. in the URL, or in an explicit Docker-Version header, or in the PUT payload, ...). I'm happy with either the URL approach (always explicit) or the Docker-Version approach (defaulting to the current version). If we make some small change to the API (such as not storing layer tarsums), and want to add per-feature headers or registry-side options to enable/disable this behaviour, that's fine. If we can auto-detect new features (e.g. if Docker-Checksum-Payload exists, it must be using the new SHA-256 semantics), that's fine too. But regardless of how we version the API, conflating the API version with the user-agent version just seems confusing. Olivier wants us to warn older clients instead of just failing when their tarsum doesn't match our checksum [1], so we still need to use their user-agent string to decide which clients get warned. I've softened the old DockerVersion into a more relaxed docker_client_version, which no longer rejects non-Docker clients [2]. If we can't version the API, we can at least use a blacklist to deny old implementations instead of a whitelist that requires other clients to fake the Docker-daemon User-Agent string. For the 'PUT /v1/images/<image_id>/checksum' endpoint, we don't need to rely on the user-agent, because the old X-Docker-Checksum was replaced by the new X-Docker-Checksum-Payload. If the client isn't setting X-Docker-Checksum-Payload, just say that in the error message and hint that it might be due to an outdated client. I'd like to remove all the user-agent-dependent behavior, but we're currently also using it to setup some tag metadata in docker_registry.tags.put_tag. I don't touch that here, since I haven't tracked down the reasoning behind that behavior (although I suspect it's also a bad idea ;). I also haven't touched the user-agent bits under tests/, since I haven't checked to see if they're designed to test this check, or to test the put_tags check, or just to bypass either of those checks. [1]: docker-archive#570 (comment) [2]: docker-archive#375
|
On Sat, Nov 15, 2014 at 03:24:39PM -0800, Olivier Gambier wrote:
Should be done in ad9a8cc (which I've rebased onto the current master {'error': ''} |
|
@wking something is not green it seems :) |
ad9a8cc to
4f929ce
Compare
This landed in 82021b4 (Merging bypass-tarsum, 2014-04-07, docker-archive#300), but those Dockers are now ancient history. I'm against this sort of user-agent-dependent behavior in general. If we want to version the API, it makes sense to have version checks in one place (e.g. in the URL, or in an explicit Docker-Version header, or in the PUT payload, ...). I'm happy with either the URL approach (always explicit) or the Docker-Version approach (defaulting to the current version). If we make some small change to the API (such as not storing layer tarsums), and want to add per-feature headers or registry-side options to enable/disable this behaviour, that's fine. If we can auto-detect new features (e.g. if Docker-Checksum-Payload exists, it must be using the new SHA-256 semantics), that's fine too. But regardless of how we version the API, conflating the API version with the user-agent version just seems confusing. Olivier wants us to warn older clients instead of just failing when their tarsum doesn't match our checksum [1], so we still need to use their user-agent string to decide which clients get warned. I've softened the old DockerVersion into a more relaxed docker_client_version, which no longer rejects non-Docker clients [2]. If we can't version the API, we can at least use a blacklist to deny old implementations instead of a whitelist that requires other clients to fake the Docker-daemon User-Agent string. For the 'PUT /v1/images/<image_id>/checksum' endpoint, we don't need to rely on the user-agent, because the old X-Docker-Checksum was replaced by the new X-Docker-Checksum-Payload. If the client isn't setting X-Docker-Checksum-Payload, just say that in the error message and hint that it might be due to an outdated client. I'd like to remove all the user-agent-dependent behavior, but we're currently also using it to setup some tag metadata in docker_registry.tags.put_tag. I don't touch that here, since I haven't tracked down the reasoning behind that behavior (although I suspect it's also a bad idea ;). I also haven't touched the user-agent bits under tests/, since I haven't checked to see if they're designed to test this check, or to test the put_tags check, or just to bypass either of those checks. [1]: docker-archive#570 (comment) [2]: docker-archive#375
This landed in 82021b4 (Merging bypass-tarsum, 2014-04-07, docker-archive#300), but those Dockers are now ancient history. I'm against this sort of user-agent-dependent behavior in general. If we want to version the API, it makes sense to have version checks in one place (e.g. in the URL, or in an explicit Docker-Version header, or in the PUT payload, ...). I'm happy with either the URL approach (always explicit) or the Docker-Version approach (defaulting to the current version). If we make some small change to the API (such as not storing layer tarsums), and want to add per-feature headers or registry-side options to enable/disable this behaviour, that's fine. If we can auto-detect new features (e.g. if Docker-Checksum-Payload exists, it must be using the new SHA-256 semantics), that's fine too. But regardless of how we version the API, conflating the API version with the user-agent version just seems confusing. Olivier wants us to warn older clients instead of just failing when their tarsum doesn't match our checksum [1], so we still need to use their user-agent string to decide which clients get warned. I've softened the old DockerVersion into a more relaxed docker_client_version, which no longer rejects non-Docker clients [2]. If we can't version the API, we can at least use a blacklist to deny old implementations instead of a whitelist that requires other clients to fake the Docker-daemon User-Agent string. For the 'PUT /v1/images/<image_id>/checksum' endpoint, we don't need to rely on the user-agent, because the old X-Docker-Checksum was replaced by the new X-Docker-Checksum-Payload. If the client isn't setting X-Docker-Checksum-Payload, just say that in the error message and hint that it might be due to an outdated client. I'd like to remove all the user-agent-dependent behavior, but we're currently also using it to setup some tag metadata in docker_registry.tags.put_tag. I don't touch that here, since I haven't tracked down the reasoning behind that behavior (although I suspect it's also a bad idea ;). I also haven't touched the user-agent bits under tests/, since I haven't checked to see if they're designed to test this check, or to test the put_tags check, or just to bypass either of those checks. [1]: docker-archive#570 (comment) [2]: docker-archive#375
4f929ce to
f245656
Compare
|
On Tue, Dec 02, 2014 at 02:28:58PM -0800, Olivier Gambier wrote:
Sloppy me. Should be fixed now. |
|
LGTM Thanks a lot for this! |
Drop the old tarsum computation for Docker <0.10
Fixes #375.
This landed in 82021b4 (Merging bypass-tarsum, 2014-04-07, #300), but
those Dockers are now ancient history. Additional details in the
commit message. @samalba thought this should land with Docker 1.0
1, which is a while back now. @dmp42 recently pushed this back to
docker-registry 1.0 2.
I'm just floating this now, because I was working on some Storage API
cleanup, and I didn't want to bother with those old code paths. I'm
happy to just let this PR (and any based on it) cook until the powers
that be feel comfortable dropping support for the older clients.