support insecure registry in configuration reload

[allencloud]

Make docker support more configuration reload, like insecure-registry.

This pr did:

1. add --insecure-registries configuration reload
2. add unit test for --insecure-registries reload
3. update docs about daemon's configuration reload
4. fix bug that 127.0.0.0/8 will be duplicated when it is in daemon.json

fixed #22332

[allencloud]

Any update?

[thaJeztah]

design LGTM

@aaronlehmann @tiborvass wdyt? This keeps the --insecure-registries a daemon-level setting, but allows it to be set on a running daemon, which makes it easier for people to use.

[aaronlehmann]

Yeah, I like the concept. I don't really follow how the code changes work, though. Where does serviceConfig.InsecureRegistries get populated? See newServiceConfig in registry/config.go for how this happens on startup. This gets called by

registryService := registry.NewService(cli.Config.ServiceOptions)

from daemon's start function.

My apologies if I am missing something.

[icecrime]

Moving to code review.

[icecrime]

@aaronlehmann PTAL!

[aaronlehmann]

@icecrime: See my question above.

[yank1]

LGTM

[thaJeztah]

ping @allencloud could you answer @aaronlehmann's question?

[allencloud]

@thaJeztah @icecrime @aaronlehmann
Actually yesterday I compiled the docker binary within this pr, but it does not work for me. I will check more until it works.

[andrask]

Would be better to check multiple entries as the interface supports it.

[thaJeztah]

@allencloud were you still working on this?

[allencloud]

@thaJeztah
Yes, Of source. Actually in the past several days, I am on a business trip. And I will work on it tomorrow.

[thaJeztah]

No problem! Was going through PR's and noticed this one 👍

[pikeszfish]

+1 Any update? My friends.
It's quite a useful PR to me if merged.

[allencloud]

Hi, My friends. PTAL, reloading insecure registry is really important for users to use registries. Really sorry for bothering you. @thaJeztah @aaronlehmann @icecrime @cpuguy83 @LK4D4

[aaronlehmann]

I think there are concurrency issues with writing to the live config struct without locking. It looks like it could race with isSecureIndex.

[thaJeztah]

@allencloud could you address this?

[allencloud]

@thaJeztah @aaronlehmann
Oh, I am afraid race could exist. Since newRepositoryInfo would be called via ResolveRepository, while ResolveRepository would be called via daemon's field RegistryService, like repoInfo, err := daemon.RegistryService.ResolveRepository(ref).
Updated it soon.

[LK4D4]

This looks sorta weird. You should use bytes.Equal or compare the output of (*IPNet).String() I think.

[allencloud]

Definitely. In fact, when I put forward this PR, in api/types/resgistry/registry.go, there is no func (ipnet *NetIPNet) String() string implemented yet. And still separated in engine-api.

While now, I think it is better to use String(). And updated.

[LK4D4]

I'm not sure how it's in other place, but it looks quite bad to ignore errors from Marshal.

[allencloud]

Oh, Great. Thanks for your review. @LK4D4
I will update the PR soon.

[allencloud]

Added the err judging, and add several other places related to this issue.

[allencloud]

Thanks for all your reviews. And I am really sorry for my delay.
Actually now I tried to updated the PR. Please let me know if we make some place better.

PTAL @thaJeztah @aaronlehmann @icecrime @cpuguy83 @LK4D4

[aaronlehmann]

typo: daemom's

[aaronlehmann]

lowercase skip

[aaronlehmann]

I see some other places where there may be concurrency problems:

• newIndexInfo reads config.IndexConfigs without locking
• (*DefaultService).ServiceConfig exposes s.config.ServiceConfig to callers. The callers won't be able to lock s.config while reading from the maps.

[allencloud]

@aaronlehmann
Thanks again for reviews. Concurrency is really important. I updated the PR, PTAL. Thanks.

[aaronlehmann]

This doesn't help. s.config.ServiceConfig is returned by the function, and then it can be read by the caller while being modified by LoadInsecureRegistries.

This function either needs to return a deep copy of ServiceConfig, or be refactored so that callers do not retrieve ServiceConfig directly (i.e. methods to look up items in the maps, which hold locks while doing the lookups).

[allencloud]

Thanks for review @aaronlehmann
I tried the second way. PTAL

[aaronlehmann]

Thanks for making the changes. I think the locking is correct now. But I'm concerned it will be hard to maintain. It's not obvious which functions should acquire the lock and which ones should not. For example isSecureIndex shouldn't acquire the lock because it's called by a function that already has the lock.

It might be better to push all the locking to the methods on DefaultService. Then every exported method that touches s.config will hold the lock. I think this would make the locking scheme clearer.

[allencloud]

@aaronlehmann Thanks a lot for your suggestion.
I tried what you suggestion. And I think it indeed makes the locking scheme clearer.
In addition, to avoid inner call of exported functions, I add some unexported functions like tlsConfig.
PTAL, thanks.

[aaronlehmann]

servConfig.InsecureRegistryCIDRs = append(servConfig.InsecureRegistryCIDRs, s.config.ServiceConfig.InsecureRegistryCIDRs...)

Or allocate servConfig.InsecureRegistryCIDRs with the right size and use copy.

[aaronlehmann]

servConfig.Mirrors = append(servConfig.Mirrors, s.config.ServiceConfig.Mirrors...)

[aaronlehmann]

I know I suggested this, but now I'm not so sure. It means only one search can run at once, for example. And a running search will block calls to other DefaultService methods. I didn't realize that some of these methods are long-running.

I guess the general strategy of locking s.config in every exported method is okay as long as we release the lock before any long-running operation. Not sure if this just an issue for Search, or if it also applies to other methods.

[allencloud]

I think it is my mistake to lock the entire func Search. It will block others.
Now I try to only lock s.config in Search. Like this:

        s.mu.Lock()
    index, err := newIndexInfo(s.config, indexName)
    s.mu.Unlock()

PTAL, thanks @aaronlehmann

[aaronlehmann]

LGTM

@dmcgowan @LK4D4 Could you please review as well?

My main concern with this one is getting the locking correct. It's been through a few passes and I think it's correct now (thanks @allencloud for sticking with it). There are some cases where the lock could be held for an extended period, for example isSecureIndex appears to do a hostname lookup. I don't expect this would be a big deal in practice, but I'm curious what other people think.

[LK4D4]

LGTM

[thaJeztah]

Yay! Thanks @allencloud!

[allencloud]

🤗 Thanks for all of your help and guide.

[fsword]

Thanks for the pr, but it cannot do the thing well on docker for Mac. The gui app just has apple&restart button and not reload button here.

[thaJeztah]

@fsword this PR will be in docker 1.13, so isn't available yet; also, for enhancements for the docker for mac ui, please use https://github.com/docker/for-mac/issues