Proposal: Incremental build context sending

[tonistiigi]

There have been lots of discussions to optimize the rebuild flow of building a project with Docker. We have seen workarounds where volumes are used instead to get access to the source data to optimize the process. But that approach is really dangerous as the input data is mutable and can't be properly cached.

I'm proposing adding an endpoint to the remote API that could be used to transfer data between client and the builder using a negotiated protocol. For incremental build use case one of these protocols could be one that can skip the transfer of files that have not been changed.

@dmcgowan and I have been prototyping a solution for this using the changes stream from containerd https://godoc.org/github.com/docker/containerd/fs#Changes . Usually, this is used for finding the difference of changes between a read-write and image layer when committing a container. But the same concept also works for detecting the difference between current and a previous context transfer from a client. This is also the same algorithm used by rsync recursive directory sync (rsync delta update algorithm could be added later if it can help performance).

Having a special endpoint for context transfer also means we don't need to do any hacks with Dockerfile/.dockerignore where we currently try to combine build description and build inputs to the same archive and then extract and separate on daemon side.

Other benefits of this include daemon possibly detecting what files are actually needed for the build and skipping the transfer of the rest. Later this could be used for providing multiple sources for a build operation, skipping context transfer completely when parallel builds require same context, syncing files back to the client etc.

This would not remove any existing features from the builder. Sending context with a tar archive in a POST request would still be supported.

I hope to share code soon, was hoping to get some initial thoughts/feedback.

The transfer would go over a hijacked connection similar to the one used by the attach endpoint. For the framing, the prototype currently uses grpc. Could probably switch to websockets as grpc doesn't really provide much extra value in this case. All transferred data is encapsulated by protobuf. Initial benchmarks have been encouraging.

[cpuguy83]

grpc doesn't really provide much extra value in this case.

I'd have to look at the implementation, but it seems like grpc here would be good for formalizing the protocol, handling errors, etc.. where as with websockets we'd be on our own to handle this.

What's the motivation for wanting to use websockets at all vs http2?

[dmcgowan]

but it seems like grpc here would be good for formalizing the protocol

To me that is the main selling point. The only downside right now with the implementation is that the upgrade to HTTP2 and ultimately to GRPC feels pretty hacky and it only upgrades from a specific endpoint. Nothing is violating any of the RFCs but I think if we were to use GRPC we should try and centralize to single endpoint and possibly allow for more services to attach to it in the future. While I think it would be great that does open up an opportunity (or slippery slope depending on your view) for more to be added to the API with GRPC.

Setting aside the specifics of the protocol for the doing the file sync, I think this is the right approach for optimizing context. It will require slightly more state on the daemon side (and maybe client side in the future) but we could easily integrate it with docker system prune to allow flushing out this cached build data.

[tonistiigi]

@cpuguy83

The endpoint for this is more like an interactive session between 2 clients. While grpc is designed for anonymous response handler for client side request. Also, there needs to be a way to negotiate protocol because they will be updated in the future.

This is the base outline for moving context form client to daemon:

client   -> i_am_ready_for_fs_jobs(session)
                 request_fs(paths, supported_protocols)   <- daemon (when it receives a build job)
            -> response_fs(ok, chosen protocol)
             ... actual transfer ...

Atm, this is solved by single bidirectional grpc handler where the request_fs, response_fs are the grpc stream types. After successful negotiation, the grpc stream(https://github.com/grpc/grpc-go/blob/master/stream.go#L66-L81) is passed to the transfer implementation. As you see the grpc is only minimally used and there isn't a way to share a session for multiple builds or transfer data from daemon to client.

The other way would be to for every response_fs to define a separate method but there isn't a reliable way to connect multiple requests(would need to fake a callback ID). Also, we can't predict what kind of data stream a transfer protocol would need, not sure if a single bidirectional grpc method with only 2 types always works.

I did make a TCP only version for test that just adds grpc wire protocol 5 byte header to every message and it is actually much cleaner.

[simonferquel]

Could we use this to also stream registry credentials ? that would be really nice to avoid sending unnecessary credentials to the daemon.

[tonistiigi]

@simonferquel In theory yes, but that is not part of the current implementation. A related problem to this is DCT that atm has a parse step in the client that limits lots of use cases. One way could be that this stream could be used to get the DCT info while the builder is running.

[simonferquel]

@tonistiigi About grpc, could we simply upgrade the build api http connection to raw tcp (like what is done with docker run) and use this tcp connection to expose grpc methods like get_file_hash / get_file_content / get_authentication_creds, as soon as the client uses the next api version ? That would have the advantage of working with whatever underlying communication protocol is in use, and avoiding protocol negociation.

[tonistiigi]

@simonferquel There are 2 layers of negotiation here. One is making different types of requests (auth, send files, receive files). This how you describe it. The other is different specific file transfer protocols. get_file_hash / get_file_content is not enough to get good performance as the performance win comes from skipping the reads and roundtrips.