Make libpod return error status code on failure to pull image#28109
Make libpod return error status code on failure to pull image#28109mheon merged 1 commit intocontainers:mainfrom
Conversation
github-actions
bot
added
the
kind/api-change
simonbrauner
force-pushed
the
issue-22105
branch
from
2e2ab04 to
8a0af91
Compare
|
[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore. |
simonbrauner
force-pushed
the
issue-22105
branch
from
8a0af91 to
b6b8e68
Compare
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
I didn’t carefully re-read the full function, but at a glance, this looks pretty good.
(As discussed, we should probably start streaming after some timeout.)
simonbrauner
force-pushed
the
issue-22105
branch
9 times, most recently
from
e56c699 to
cb866ac
Compare
Honny1
left a comment
Honny1
left a comment
There was a problem hiding this comment.
My only comment is about the specific section that I believe is causing the CI to fail. This could be solved by either adapting the client to accept multiple reports in a single response or by just sending one report per response (less breaking change). Also, it should be documented that the response contains multiple JSON objects.
simonbrauner
force-pushed
the
issue-22105
branch
9 times, most recently
from
bd69b6b to
44cdac1
Compare
It should be fixed now |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
ACK overall, just a bunch of comments to simplify future maintenance.
But I’d like the formal LGTM to be from someone familiar with the swagger documentation / tooling.
| images, err := runtime.LibimageRuntime().Pull(r.Context(), query.Reference, pullPolicy, pullOptions) | ||
| var report entities.ImagePullReport | ||
| if err != nil { | ||
| report.Error = err.Error() |
There was a problem hiding this comment.
I suppose this is technically an API break. API experts, is that OK?
There was a problem hiding this comment.
With 6.0, yes, I am fine with this sort of thing.
| flush() | ||
| case <-runCtx.Done(): | ||
| if !streamingStarted && pullError != nil { | ||
| utils.Error(w, utils.HTTPStatusFromRegistryError(pullError), pullError) |
There was a problem hiding this comment.
I suppose this is technically an API break. API experts, is that OK?
There was a problem hiding this comment.
I think that should be fine. AFAICT the podman-remote client should be able to handle that error at least and generally speaking all clients should handle any http status error already as well as it could have failed for other reasons so I would consider this a bug fix
simonbrauner
force-pushed
the
issue-22105
branch
9 times, most recently
from
587451e to
6abee77
Compare
|
@mtrmac I addressed your comments, except for those about API break |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
ACK, still
I’d like the formal LGTM to be from someone familiar with the swagger documentation / tooling.
simonbrauner
force-pushed
the
issue-22105
branch
from
6abee77 to
e22fbbb
Compare
Podman part of the functionality implemented in containers/podman#28109 Fixes: containers#301 Signed-off-by: Šimon Brauner <sbrauner@redhat.com>
pkg/api/server/register_images.go
Outdated
| // - images | ||
| // summary: Pull images | ||
| // description: Pull one or more images from a container registry. | ||
| // description: Pull one or more images from a container registry. Error status codes can come either from the API or from the registry. |
There was a problem hiding this comment.
I would also inform users that if an error occurs mid-pull, the HTTP status code will be 200, and the error will be detailed in the report's error field.
There was a problem hiding this comment.
It is in the description of the response now, do you think it would be better to move it to the main description?
There was a problem hiding this comment.
I would put that in both places, or just not mention the error codes in the description at all, since it currently only covers one potential error path.
I think it's obvious from the error codes that 401, 403, and 404 are from the repository, not errors caused by the Podman pulling logic. Maybe this could be stated more clearly in the description of each error code.
There was a problem hiding this comment.
I think it's obvious from the error codes that 401, 403, and 404 are from the repository
The difficulty here is that pull registry.example/nonexistentrepo reports 404 in some registries, and 401 in others (under the theory that there might be a private repo that the user is not allowed to see, and returning 404 would disclose that information — so always returning 401 is more secure).
There was a problem hiding this comment.
I think instead of listing every possible error code, we could use a wildcard to indicate that any other error codes returned by the repository will be propagated to the client.
For example:
responses:
'200':
description: OK
'400':
description: Bad Request (explicitly handled)
default:
description: Unexpected Error (This propagates any other repository errors)
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorModel'There was a problem hiding this comment.
I think, ideally, we would add registry-specific heuristics (where possible, sometimes registries intentionally hide information) and allow ~reliable detection of “repository is missing” and other error kinds. In that sense, promising to propagate raw registry status is not ideal either.
Pragmatically, I’m not sure how much that matters, because the HTTP statuses (and even more registry error codes) are simply unreliable across the registry ecosystem; so users need to rely on integration tests anyway, regardless of what we document.
There was a problem hiding this comment.
There is the version with default now, is that fine? or would it better to switch back to the explicit 401/403/404?
Podman part of the functionality implemented in containers/podman#28109 Fixes: containers#301 Signed-off-by: Šimon Brauner <sbrauner@redhat.com>
Podman part of the functionality implemented in containers/podman#28109 Fixes: containers#301 Signed-off-by: Šimon Brauner <sbrauner@redhat.com>
Podman part of the functionality implemented in containers/podman#28109 Fixes: containers#301 Signed-off-by: Šimon Brauner <sbrauner@redhat.com>
simonbrauner
force-pushed
the
issue-22105
branch
from
e22fbbb to
175a0b7
Compare
Podman part of the functionality implemented in containers/podman#28109 Fixes: containers#301 Signed-off-by: Šimon Brauner <sbrauner@redhat.com>
simonbrauner
force-pushed
the
issue-22105
branch
from
175a0b7 to
7ae3430
Compare
simonbrauner
force-pushed
the
issue-22105
branch
from
7ae3430 to
26548af
Compare
|
LGTM, PTAL @containers/podman-maintainers final review and merge. |
Fixes: containers#22105 Signed-off-by: Šimon Brauner <sbrauner@redhat.com>
simonbrauner
force-pushed
the
issue-22105
branch
from
26548af to
76095db
Compare
|
LGTM |
6 participants
Checklist
Ensure you have completed the following checklist for your pull request to be reviewed:
commits. (
git commit -s). (If needed, usegit commit -s --amend). The author email must matchthe sign-off email address. See CONTRIBUTING.md
for more information.
Fixes: #00000in commit message (if applicable)make validatepr(format/lint checks)Noneif no user-facing changes)Does this PR introduce a user-facing change?