Discuss about how to check mirror registry health #765

Closed
changweige opened this issue Sep 29, 2022 · 5 comments

Comments

@changweige
Contributor

Nydus has merged two features about deeply integrating nydusd with Dragonfly:

  • use Dragonfly as a pull-through cache, a.k.a. mirror registry
  • work with Dragonfly as an HTTP proxy `useHTTPS` accessing an HTTPS registry, with the capability to fall back to the original HTTPS registry.

For Dragonfly mirror mode, nydusd will continue to pull blob data from the next mirror if the current mirror fails, but there is no mechanism to recover access to the previously failed mirror.

To solve this, I can think of two methods:

  1. add a health check endpoint to dragonfly
  2. periodically get repo tags. If nydusd can successfully get repo tags from the failed mirror, it is treated as recovered.

@changweige
Contributor Author

Referring to this discussion, it seems that there is a standard HTTP endpoint in distribution spec to check registry health
distribution/distribution#629

@changweige
Contributor Author

This might be the correct way

> A properly secured registry should return 401 when the "/v2/" endpoint is hit
> without credentials. The response should include a WWW-Authenticate
> challenge, providing guidance on how to authenticate, such as with basic auth
> or a token service. If the load balancer has health checks, it is recommended
> to configure it to consider a 401 response as healthy and any others as down.
> This will secure your registry by ensuring that configuration problems with
> authentication don't accidentally expose an unprotected registry. If you're
> using a less sophisticated load balancer, such as Amazon's Elastic Load
> Balancer, that doesn't allow one to change the healthy response code, health
> checks can be directed at "/", which will always return a 200 OK response.

@imeoer
Collaborator

imeoer commented Oct 14, 2022

> This might be the correct way

Should also ensure that all registry providers (harbor, ghcr, docker hub, acr...) have implemented the same behavior.

@changweige
Contributor Author

> > This might be the correct way
>
> Should also ensure that all registry providers (harbor, ghcr, docker hub, acr...) have implemented the same behavior.

It comes from OCI distribution spec, and looks very reliable. https://github.com/distribution/distribution/blob/main/docs/deploying.md#importantrequired-http-headers

@changweige
Contributor Author

The checker code has been merged.
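
The recovery scheme discussed in this thread (re-probe a failed mirror at `/v2/` and restore it once it answers the way the quoted distribution documentation describes), as an added example; it is not the checker merged into Nydus. The names `Mirror`, `classify_v2`, `recheck` and `pick`, the injected `probe` callback and the `.example` hosts are assumptions, as is accepting a 200 only from mirrors configured as anonymous.

```rust
// Added example; Health, Mirror, classify_v2, recheck and pick are hypothetical
// names, not Nydus or Dragonfly APIs. Hosts below are constructed samples.
#[derive(Debug, PartialEq)]
pub enum Health { Up, Down }

pub struct Mirror { pub host: &'static str, pub expect_auth: bool, pub available: bool }

/// Classify the reply to an unauthenticated `GET /v2/`.
/// A 401 counts only when it carries a WWW-Authenticate challenge. A 200 is
/// accepted only for mirrors meant to be anonymous (assumption of this
/// example): on an auth-protected registry a 200 means auth is misconfigured.
pub fn classify_v2(status: u16, challenge: Option<&str>, expect_auth: bool) -> Health {
    match (status, challenge) {
        (401, Some(c)) if !c.trim().is_empty() => Health::Up,
        (200, _) if !expect_auth => Health::Up,
        _ => Health::Down,
    }
}

/// Periodic task: re-probe only the mirrors currently marked failed.
/// `probe` does the HTTP request and returns (status, WWW-Authenticate value),
/// or None on connect error or timeout. Returns the hosts that recovered.
pub fn recheck<F>(mirrors: &mut [Mirror], mut probe: F) -> Vec<&'static str>
where
    F: FnMut(&str) -> Option<(u16, Option<String>)>,
{
    let mut recovered = Vec::new();
    for m in mirrors.iter_mut().filter(|m| !m.available) {
        let up = matches!(probe(m.host),
            Some((s, h)) if classify_v2(s, h.as_deref(), m.expect_auth) == Health::Up);
        if up {
            m.available = true;
            recovered.push(m.host);
        }
    }
    recovered
}

/// Request path: first available mirror, otherwise the origin registry.
pub fn pick<'a>(mirrors: &'a [Mirror], origin: &'a str) -> &'a str {
    mirrors.iter().find(|m| m.available).map(|m| m.host).unwrap_or(origin)
}

fn main() {
    let mut mirrors = [Mirror { host: "mirror-a.example", expect_auth: true, available: false }];
    let probe = |_: &str| Some((401u16, Some("Bearer realm=\"https://auth.example/token\"".to_string())));
    println!("recovered: {:?}", recheck(&mut mirrors, probe));
    println!("next pull goes to {}", pick(&mirrors, "registry.example"));
}
```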
