job_hooks: add implicit constraint when using OCI containers #18162
Conversation
There was a problem hiding this comment.
Hi @Elara6331! I was doing some Friday afternoon mop-up and noticed we never reviewed this PR. Sorry about that.
Unfortunately I'm also fairly certain we can't accept this PR from a design standpoint. I've left a comment below getting into the details of why. I think we'd be open to other approaches that don't have those downsides though.
| } else if desc.MediaType.IsImage() { | ||
| img, err := remote.Image(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain)) |
There was a problem hiding this comment.
It looks to me like we're having the Nomad server authenticate to a remote registry during job submission here? Nomad servers are not typically going to be configured with registry credentials at all, because they don't run workloads themselves.
The approach we're taking here would make it mandatory that all users of Nomad who are using Docker/Podman drivers deploy credentials to their Nomad control plane before upgrading, and have a network topology that allows their control plane access to the registry (which isn't necessarily the case). And it would make all Nomad servers dependent on third-party registries at the time of job submission, which I don't think we can accept as a tradeoff.
|
For the reasons I've described above, I'm going to close this out. But again, if there's another approach that would work within the constraints we have, we'd certainly be open to discussing it (probably best to open an issue for that discussion). |
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR adds an implicit constraint for the OS and architecture to a task if it uses a driver that uses OCI container images, such as
dockerandpodman.Fixes #18082