Page MenuHomePhabricator
Create Task
Maniphest T282824

MW container image build workflow vs docker-registry caching
Closed, ResolvedPublic
Actions

Description

Executive summary

  • There is an HTTP caching proxy that sits in front of docker-registry.wikimedia.org.
  • The MW image build process may update tags.
  • HTTP clients (such as docker) which query the list of tags and/or the manifest for a tag may receive out-of-date information due to the cache.

This document is only concerned with mediawiki core/extension/etc commits merged into “train branches” (e.g. wmf/1.37.0-wmf.4), and commits to operations/mediawiki-config.

Workflow:
A change to mediawiki is merged into a train branch (e.g. wmf/1.37.0-wmf.4):

  1. The merge triggers a single-version image build.
  2. The single-version image will be tagged with the train branch (e.g. wmf-1.37.0-wmf.4) and pushed to the registry, probably updating an existing tag.
  3. The multiversion MW image build process is triggered.

Multiversion MW image build process:

  1. Read wikiversions.json from operations/mediawiki-config
  2. Copy in the contents of each unique single-version image mentioned in wikiversions.json.
  3. Push the constructed multiversion image to the registry with tag production, probably updating an existing tag.

Problem:
Let’s say a multiversion image build containing wmf.3 and wmf.4 has already run in the past (e.g. a few hours ago) and now a change has been backported to wmf.4. The new wmf.4 image is built and pushed to the registry. Now the multiversion build process tries to copy the files from the wmf.4 tagged image. Docker makes an HTTP request to the registry to see if a new image needs to be downloaded. The HTTP proxy sees a URL that it has seen before and returns the cached information which points to the old wmf.4 single-version image. The multiversion build process proceeds using the out-of-date image. Bad.

Possible solutions:

  1. Don’t cache certain accesses to the registry. It looks like https://gerrit.wikimedia.org/r/c/operations/puppet/+/691108 covers this option.
  2. Provide way to invalidate the cache for tags/manifests URLs
  3. Make all registry accesses through docker-registry.discovery.wmnet (suggested by @Joe) instead of docker-registry.wikimedia.org.
    1. Credentials are required for read access to docker-registry.discovery.wmnet
    2. The problem of out-of-date information for offsite read-only access still remains.
  4. Change the image build process so that tags are never reused. This means that the single-image build process will need to communicate new tags to the multi-version build process (since we can’t rely on asking the registry for the list of tags since we might get out-of-date cached info). This should be achievable if the building process is allowed to push and +2 a commit to operations/mediawiki-config.

Details

SubjectRepoBranchLines +/-
Use train-versions.json to map from version to image tagoperations/mediawiki-configmaster+37 -4
Initialize state/train-versions.json filemediawiki/tools/releasemaster+1 -0
Add empty train-versions.jsonoperations/mediawiki-configmaster+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

dancy created this task.May 13 2021, 8:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 13 2021, 8:13 PM
jeena subscribed.May 13 2021, 8:14 PM
dancy triaged this task as High priority.May 13 2021, 9:58 PM
dancy updated the task description. (Show Details)
dancy added a subscriber: Joe.
dancy lowered the priority of this task from High to Low.May 13 2021, 10:11 PM
dancy updated the task description. (Show Details)
Legoktm subscribed.May 13 2021, 10:29 PM

+1 to fixing the general problem, I don't know how much value we get from having ATS/varnish cache image layers vs just having requests pass through. But the fact that :latest tags don't work reliably is mildly annoying, I've run into it with CI images too.

If we want to keep that caching I think triggering purges for those URLs after pushing a new image makes the most sense to me, I guess it would need to be done in docker-pkg and blubber/pipelinelib.

Legoktm added a project: serviceops.May 13 2021, 10:30 PM
Legoktm added a subscriber: JMeybohm.
dancy added a comment.May 13 2021, 10:32 PM
In T282824#7086759, @Legoktm wrote:

If we want to keep that caching I think triggering purges for those URLs after pushing a new image makes the most sense to me, I guess it would need to be done in docker-pkg and blubber/pipelinelib.

We should do it in the registry itself:
https://docs.docker.com/registry/notifications/

Legoktm added a comment.May 13 2021, 10:37 PM

Related: T256762: Fix nginx config and caching for docker registry and maybe also T264209: Run stress tests on docker images infrastructure.

In T282824#7086763, @dancy wrote:
In T282824#7086759, @Legoktm wrote:

If we want to keep that caching I think triggering purges for those URLs after pushing a new image makes the most sense to me, I guess it would need to be done in docker-pkg and blubber/pipelinelib.

We should do it in the registry itself:
https://docs.docker.com/registry/notifications/

Ooh, neat.

dancy raised the priority of this task from Low to High.May 13 2021, 11:32 PM

After changing from docker-registry.wikipedia.org to docker-registry.discovery.wmnet I get the following error during the image build process:

Step 9/19 : COPY --chown=65533:65533 --from=docker-registry.discovery.wmnet/wikimedia/mediawiki:wmf-1.37.0-wmf.4 ["/srv/mediawiki", "/srv/mediawiki/php-1.37.0-wmf.4"]
16:26:21  invalid from flag value docker-registry.discovery.wmnet/wikimedia/mediawiki:wmf-1.37.0-wmf.4: Get https://docker-registry.discovery.wmnet/v2/wikimedia/mediawiki/manifests/wmf-1.37.0-wmf.4: no basic auth credentials

I know /usr/local/bin/docker-pusher handles credentials during pushes but it seems that the same creds need to be made to the docker daemon in general for pulls. Or something.

Legoktm added a comment.May 14 2021, 4:16 AM

But... https://gerrit.wikimedia.org/g/operations/puppet/+/0427f79b9f34a7619661128ac65874a69a2d468d/modules/docker_pusher/templates/docker_config.json.erb uses docker-registry.discovery.wmnet?

Joe added a comment.May 14 2021, 5:29 AM
In T282824#7086896, @dancy wrote:

After changing from docker-registry.wikipedia.org to docker-registry.discovery.wmnet I get the following error during the image build process:

Step 9/19 : COPY --chown=65533:65533 --from=docker-registry.discovery.wmnet/wikimedia/mediawiki:wmf-1.37.0-wmf.4 ["/srv/mediawiki", "/srv/mediawiki/php-1.37.0-wmf.4"]
16:26:21  invalid from flag value docker-registry.discovery.wmnet/wikimedia/mediawiki:wmf-1.37.0-wmf.4: Get https://docker-registry.discovery.wmnet/v2/wikimedia/mediawiki/manifests/wmf-1.37.0-wmf.4: no basic auth credentials

I know /usr/local/bin/docker-pusher handles credentials during pushes but it seems that the same creds need to be made to the docker daemon in general for pulls. Or something.

Yes, you need to use the same credentials you use to push the images. The internal registry is private and thus requires auth for both pulling and uploading.

akosiaris subscribed.May 14 2021, 8:31 AM

The single-version image will be tagged with the train branch (e.g. wmf-1.37.0-wmf.4) and pushed to the registry, probably updating an existing tag.

Or probably not updating an existing tag. Mutable image tags are a huge problem anyway (see the usual rant in https://vsupalov.com/docker-latest-tag/ ). Especially in the case of seemingly well versioned tags, where presumably the barriers more experienced people have built around mutable tags like latest/production etc are being lowered, mutating them is a recipe for a lot of pain (been there, done that, it's a pain)

Push the constructed multiversion image to the registry with tag production, probably updating an existing tag.

While a mutable tag has some uses (e.g. CI always knowing it pulls what's the latest/stable), we should most definitely not use a mutable tag for deployments (unless we want to enter the realm of "did it really update? or not? how do I check?"), which has me begging the question of what a production tag would be used for.

dancy updated the task description. (Show Details)May 14 2021, 2:19 PM
dancy added a comment.May 14 2021, 2:35 PM
In T282824#7087298, @Legoktm wrote:

But... https://gerrit.wikimedia.org/g/operations/puppet/+/0427f79b9f34a7619661128ac65874a69a2d468d/modules/docker_pusher/templates/docker_config.json.erb uses docker-registry.discovery.wmnet?

That config is only used by the docker-pusher script.

dancy updated the task description. (Show Details)May 14 2021, 8:42 PM
gerritbot added a comment.Jun 29 2021, 7:59 PM

Change 702225 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/mediawiki-config@master] Add empty train-versions.json

https://gerrit.wikimedia.org/r/702225

gerritbot added a project: Patch-For-Review.Jun 29 2021, 7:59 PM
gerritbot added a comment.Jun 29 2021, 8:03 PM

Change 702225 merged by jenkins-bot:

[operations/mediawiki-config@master] Add empty train-versions.json

https://gerrit.wikimedia.org/r/702225

Maintenance_bot removed a project: Patch-For-Review.Jun 29 2021, 8:10 PM
Urbanecm mentioned this in T285819: TrainBranchBot merges code to mediawiki-config master branch, causing undeployed code problem.Jun 29 2021, 11:56 PM
Urbanecm added a subtask: T285819: TrainBranchBot merges code to mediawiki-config master branch, causing undeployed code problem.
dancy closed subtask T285819: TrainBranchBot merges code to mediawiki-config master branch, causing undeployed code problem as Resolved.Jun 30 2021, 3:34 PM
gerritbot added a comment.Jun 30 2021, 9:09 PM

Change 702468 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[mediawiki/tools/release@master] Initialize state/train-versions.json file

https://gerrit.wikimedia.org/r/702468

gerritbot added a project: Patch-For-Review.Jun 30 2021, 9:09 PM
gerritbot added a comment.Jul 1 2021, 12:42 AM

Change 702468 merged by jenkins-bot:

[mediawiki/tools/release@master] Initialize state/train-versions.json file

https://gerrit.wikimedia.org/r/702468

Maintenance_bot removed a project: Patch-For-Review.Jul 1 2021, 1:10 AM
gerritbot added a comment.Jul 1 2021, 9:06 PM

Change 702704 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/mediawiki-config@master] Use train-versions.json to map from version to image tag

https://gerrit.wikimedia.org/r/702704

gerritbot added a project: Patch-For-Review.Jul 1 2021, 9:06 PM
gerritbot added a comment.Jul 1 2021, 10:29 PM

Change 702704 merged by jenkins-bot:

[operations/mediawiki-config@master] Use train-versions.json to map from version to image tag

https://gerrit.wikimedia.org/r/702704

Stashbot added a comment.Jul 1 2021, 10:31 PM

Mentioned in SAL (#wikimedia-operations) [2021-07-01T22:31:12Z] <dancy@deploy1002> Synchronized .pipeline: Config: [[gerrit:702704|Use train-versions.json to map from version to image tag (T282824)]] (duration: 00m 57s)

Maintenance_bot removed a project: Patch-For-Review.Jul 1 2021, 11:10 PM
dancy closed this task as Resolved.Jul 2 2021, 4:30 PM
dancy claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL