Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-23714: Lazy load registry repo list #11163

Closed
wants to merge 17 commits into from
Closed

ROX-23714: Lazy load registry repo list #11163

wants to merge 17 commits into from
+1,917 −108

Conversation

dcaravel
Copy link
Contributor

@dcaravel dcaravel commented May 17, 2024
edited

Description

Currently when Central starts all integrations are loaded into memory sequentially. For each integration a list of associated repositories is created. Populating this list takes time and delays Central startup (ref).

The repo list is used when determining if a registry integration is a match for an image.

Instead of loading the initial repo list when creating a new image integration, load it lazily upon first call to Match (and then as usual on subsequent calls).

This will result in faster Central startup and reduced initial memory consumption.

In the future repo list should be removed entirely, ACS may be making a wrong assumption that if a repo is not in the list then it is not in the registry, which is contrary to this doc:

... a missing entry does not mean that the registry does not have the repository. More succinctly, the presence of a repository only guarantees that it is there but not that it is not there.

Checklist

  • Investigated and inspected CI test results
  • Unit test and regression tests added
  • Evaluated and added CHANGELOG entry if required
  • Determined and documented upgrade steps
  • Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

If any of these don't apply, please comment below.

Testing Performed

Unit tests as well as an infra OCP cluster with a mock registry deployed (broken-image-reg) configured to add a 10 second delay to the /v2/_catalog repo list calls - and 20 pull secrets with unique routes to the broken registry created in the OCP cluster.

Without the fix, Central startup is delayed just under two minutes:

2024/05/21 00:52:14.621790 orchestrator.go:231: Info: Successfully fetched 0 Istio CVEs
2024/05/21 00:53:56.624237 instance_config.go:113: Info: Phonehome telemetry collection disabled.

A followup roxctl image scan returns instantly (error expected):

$ time rctl image scan --image=broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500 --retries 0
ERROR:	scaning image failed after 0 retries: could not scan image: "broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500": rpc error: code = Internal desc = image enrichment error: error getting metadata for image: broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500 error: getting metadata from registry: "Autogenerated https://broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems for cluster remote": failed to get the manifest digest: Head "https://broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/v2/broken/error/manifests/500": http: non-successful response (status=500 body="")

real	0m0.432s
user	0m0.109s
sys	0m0.046s

With the fix, Central starts up faster:

2024/05/21 00:56:22.685922 orchestrator.go:231: Info: Successfully fetched 0 Istio CVEs
2024/05/21 00:56:23.409195 singleton.go:43: Info: Injecting 86 policies into detectors.

The initial repo list load is instead made during the first call to match, which is demonstrated via a roxctl image scan. Notice how it returns after about 10 seconds (the timeout set on the /v2/_catalog endpoint):

$ time rctl image scan --image=broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500 --retries 0
ERROR:	scaning image failed after 0 retries: could not scan image: "broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500": rpc error: code = Internal desc = image enrichment error: error getting metadata for image: broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500 error: getting metadata from registry: "Autogenerated https://broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems for cluster remote": failed to get the manifest digest: Head "https://broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/v2/broken/error/manifests/500": http: non-successful response (status=500 body="")

real	0m10.391s
user	0m0.114s
sys	0m0.047s

A second call to roxctl returns immediately indicating the repo list call is/was not made again:

$ time rctl image scan --image=broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500 --retries 0
ERROR:	scaning image failed after 0 retries: could not scan image: "broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500": rpc error: code = Internal desc = image enrichment error: error getting metadata for image: broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/broken/error:500 error: getting metadata from registry: "Autogenerated https://broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems for cluster remote": failed to get the manifest digest: Head "https://broken1-broken-image-reg.apps.dc-05-20-1.ocp.infra.rox.systems/v2/broken/error/manifests/500": http: non-successful response (status=500 body="")

real	0m0.405s
user	0m0.119s
sys	0m0.047s

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 17, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhacs-bot
Copy link
Contributor

rhacs-bot commented May 17, 2024
edited

Images are ready for the commit at 10aec9c.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.4.x-726-g10aec9ce03.

dcaravel and others added 16 commits May 17, 2024 18:19
@dcaravel
cleanup
2aa0bfc
@dcaravel
fix style check
10aec9c
@dcaravel
move load to after host match
37271b3
@sachaudh @dcaravel
ROX-23508: Adding text input and select for advanced filters (#11105)
1633f0b
@jvdm @dcaravel
feat(scanner): updater: Publish multi-bundle vulns (#11044)
00109f7
@ludydoo @dcaravel
ROX-17300: Support hostAliases (#11151)
a66af54
@dependabot @dcaravel
chore(deps): bump github.com/fatih/color from 1.16.0 to 1.17.0 (#11173)
21ceaf5
@dvail @dcaravel
chore: Add feature flag for VULN_MGMT_NO_CVES_VIEW (#11155)
3e0e84d
@sachaudh @dcaravel
ROX-23510: Adding the date-picker to the compound search filter (#11162)
158b293
@bradr5 @dcaravel
ROX-24100: Profile clusters table pagination (#11140)
3926435
@BradLugo @dcaravel
fix(ci): reorder gke tags and labels variable expansions (#11160)
cca771f
@rhacs-bot @dcaravel
chore(scanner): Update SCANNER_VERSION (#11171)
b26d71d
@charmik-redhat @dcaravel
ROX-23847: Attempt at reducing lock contention in network entities da…
fdc5c67 
…tastore (#11066)
@dcaravel
ROX-23220: rocksdb changelog (#11134)
24e0478 
updates for rocksdb removal
@dcaravel
initial
87d698b
@dcaravel
merge conflict
eef88b6
@dcaravel dcaravel closed this May 21, 2024
@dcaravel
Copy link
Contributor Author

Rebases gone bad... closing

@dcaravel
Copy link
Contributor Author

#11186 <- new PR

@dcaravel dcaravel deleted the dc/lazy-repo-list branch May 21, 2024 01:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
do-not-merge/work-in-progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@dcaravel @rhacs-bot @sachaudh @jvdm @ludydoo @dvail @bradr5 @BradLugo @charmik-redhat