rethink nydusd configuration file #388

Open
imeoer opened this issue Feb 28, 2023 · 7 comments

@imeoer
Collaborator

imeoer commented Feb 28, 2023

  1. Nydusd configuration file includes registry auth information, it shouldn't be saved to disk (how to handle live upgrade and failover?).
  2. When the nydusd configuration file changes, the new nydusd should use the updated.
  3. Once the auth subscribed from k8s secret/docker config changes, nydusd also needs to update, in case of using an expired auth.

@changweige
Member

> When the nydusd configuration file changes, the new nydusd should use the updated.

nydus-snapshotter is providing the new nydusd config file to nydusd now

@DarkMountain-wyz

> 1. Nydusd configuration file includes registry auth information, it shouldn't be saved to disk (how to handle live upgrade and failover?).
> 2. When the nydusd configuration file changes, the new nydusd should use the updated.
> 3. Once the auth subscribed from k8s secret/docker config changes, nydusd also needs to update, in case of using an expired auth.

I am Guijie Wang, and I will complete this part of the work.

@changweige
Member

> When the nydusd configuration file changes, the new nydusd should use the updated.

The already running nydusd should not change its configuration I suppose. The newly created nydusd can use the new nydusd configuration. Otherwise, it's not easy to handle the consistency between nydusd config file and nydusd DB records.

Can we only add an interface or credential service to nydus-snapshotter? The credential service can provide auth to nydusd when it requests.

@imeoer
Collaborator Author

imeoer commented Jul 13, 2023

> The already running nydusd should not change its configuration I suppose. The newly created nydusd can use the new nydusd configuration. Otherwise, it's not easy to handle the consistency between nydusd config file and nydusd DB records.

Yes, we said "the new nydusd should use the updated.".

> Can we only add an interface or credential service to nydus-snapshotter? The credential service can provide auth to nydusd when it requests.

The registry credential is one of the things that needs to be updated for nydusd; the new nydusd may also need the new prefetch configuration, etc. I think we'd better not let nydusd become aware of the credential; it should be handled by the containerd credential plugin with the snapshotter in the future, and then nydusd only gets the full configuration from the snapshotter.

@changweige
Member

> > The already running nydusd should not change its configuration I suppose. The newly created nydusd can use the new nydusd configuration. Otherwise, it's not easy to handle the consistency between nydusd config file and nydusd DB records.
>
> Yes, we said "the new nydusd should use the updated.".
>
> > Can we only add an interface or credential service to nydus-snapshotter? The credential service can provide auth to nydusd when it requests.
>
> The registry credential is one of the things that needs to be updated for nydusd; the new nydusd may also need the new prefetch configuration, etc. I think we'd better not let nydusd become aware of the credential; it should be handled by the containerd credential plugin with the snapshotter in the future, and then nydusd only gets the full configuration from the snapshotter.

The registry auth ever passed to nydusd might be expired due to the registry configuration. So I suppose we need a way to refresh the auth nydusd is using.

@changweige
Member

> > The already running nydusd should not change its configuration I suppose. The newly created nydusd can use the new nydusd configuration. Otherwise, it's not easy to handle the consistency between nydusd config file and nydusd DB records.
>
> Yes, we said "the new nydusd should use the updated.".
>
> > Can we only add an interface or credential service to nydus-snapshotter? The credential service can provide auth to nydusd when it requests.
>
> The registry credential is one of the things that needs to be updated for nydusd; the new nydusd may also need the new prefetch configuration, etc. I think we'd better not let nydusd become aware of the credential; it should be handled by the containerd credential plugin with the snapshotter in the future, and then nydusd only gets the full configuration from the snapshotter.

Moreover, I don't think the prefetch configurations have to update for an ever-started nydusd which had finished its prefetch jobs.

@bergwolf
Contributor

bergwolf commented Nov 1, 2023

> 1. Once the auth subscribed from k8s secret/docker config changes, nydusd also needs to update, in case of using an expired auth.

Can we make nydus-snapshotter send the updates to nydusd via a (new) nydusd API? Then there is no need for nydusd to connect to snapshotter UDS.
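
A sketch of the split this thread is circling around, added here as an illustration and not taken from nydus or nydus-snapshotter: the persisted daemon config carries no registry auth, and the auth lives only in an in-memory store that is updated when the secret changes and refuses expired values. `DaemonConfig`, `AuthStore`, `Persist` and `Restore` are hypothetical names, and the config schema and token are constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// DaemonConfig is a hypothetical, simplified daemon config (not nydusd's real schema).
type DaemonConfig struct {
	Registry string `json:"registry"`
	Auth     string `json:"-"` // excluded from JSON, so it never reaches disk
}

// AuthStore holds the registry auth in memory only (hypothetical credential service).
type AuthStore struct {
	mu      sync.RWMutex
	auth    string
	expires time.Time
}

// Update swaps in a new credential, e.g. when the k8s secret or docker config changes.
func (s *AuthStore) Update(auth string, expires time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.auth, s.expires = auth, expires
}

// Get refuses to hand out a credential that is missing or past its expiry.
func (s *AuthStore) Get(now time.Time) (string, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.auth == "" || !now.Before(s.expires) {
		return "", fmt.Errorf("registry auth missing or expired")
	}
	return s.auth, nil
}

// Persist returns what goes to disk; Restore re-attaches auth from memory after a restart.
func Persist(c DaemonConfig) ([]byte, error) { return json.Marshal(c) }
func Restore(data []byte, s *AuthStore, now time.Time) (c DaemonConfig, err error) {
	if err = json.Unmarshal(data, &c); err == nil {
		c.Auth, err = s.Get(now)
	}
	return c, err
}
func main() {
	data, _ := Persist(DaemonConfig{Registry: "registry.example.com", Auth: "constructed-token"})
	fmt.Println(string(data)) // the token is absent from the persisted JSON
}
```

After a failover the store starts empty, so in this sketch the credential source has to call `Update` again before `Restore` succeeds.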
