Only obtain a bearer token once at a time#415
Merged
Conversation
|
✅ A new PR has been created in buildah to vendor these changes: podman-container-tools/buildah#6448 |
... because we will make it more complex. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to decrease indentation and remove a variable. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We will want to manage concurrency in more detail. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We will want to add a lock to it, so we must stop copying it by value. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead of having getBearerToken* construct a new bearerToken object, have the caller provide one. This will allow us to record that a token is being obtained, so that others can wait for it. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Currently, on pushes, we can start several concurrent layer pushes; each one will check for a bearer token in tokenCache, find none, and ask the server for one, and then write it into the cache. So, we can hammer the server with 6 basically-concurrent token requests. That's unnecessary, slower than just asking once, and potentially might impact rate limiting heuristics. Instead, serialize writes to a bearerToken so that we only have one request in flight at a time. This does not benefit pulls, where the first request is for a manifest; that obtains a token, so subsequent concurrent layer pulls will not request a token again. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
podmanbot
pushed a commit
to podmanbot/buildah
that referenced
this pull request
Nov 3, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently, on pushes, we can start several concurrent layer pushes; each one will check for a bearer token in tokenCache, find none, and ask the server for one, and then write it into the cache.
So, we can hammer the server with 6 basically-concurrent token requests. That's unnecessary, slower than just asking once, and potentially might impact rate limiting heuristics.
Instead, serialize writes to a bearerToken so that we only have one request in flight at a time.
This does not benefit pulls, where the first request is for a manifest, which obtains a token, so subsequent concurrent layer pulls will not request a token again.
See individual commit messages for details.
(This continues, and updates, containers/image#1968 .)