to help customers detect and solve errors, we specifically report
metrics on a few filesystem specific errors.
we have seen customers configure the registry with a read-only
filesystem without noticing until it's too late. more specifically, when
using the registry only as a pull-through cache, a read-only filesystem
will be imperceptible to clients unless the upstream registry
experiences an outage, then it'll be too late to fix the cache.
the file too large (EFBIG) and device out of space (ENOSPC) errors were
added just in case. there have not been (so far) reports of customers
silently running into this errors on their PVCs.
With AUTH-509 the ability for the unauthenticated group to do
selfsubjectacessreviews (ssar) has been removed. In case that the ssar
fails, we attempt a subjectaccessreview for system:anonymous or the
system:unauthenticated group.
distribution/distribution#3683 made the router global.
this broke all our pullthrough tests.
since TestBlobDescriptorServiceIsApplied was the only one using the
router it was easier to remove that from our code than to introduce the
router host call to every failing test.
distribution/distribution#3683 made the router global.
this broke all our pullthrough tests.
since TestBlobDescriptorServiceIsApplied was the only one using the
router it was easier to remove that from our code than to introduce the
router host call to every failing test.
to support manifest lists and oci image indexes, push by digest support
is required.
when a client pushes a manifest list, they will first push each
sub-manifest and its blobs, then finally push the manifest list.
a connection between an image and an image stream is represented via
image stream tags. an image which represents a sub-manifest of a
manifest list is however not directly connected to an image stream, and
it doesn't have an image stream tag.
because of this lack of image stream tag for images representing
sub-manifests of a manifest list, the registry needs to perform a
different action when faced with a push by digest. instead of creating
an image stream mapping between the image stream and the image, it will
simply create an image object for the sub-manifest.
SubjectAccessReview can be in one of three states: allowed, denied, and
no opinion. Also it has the additional field EvaluationError that can
indicate that some error occurred. The registry should log this
information.
