New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify sigs and attestations in parallel #3066
Conversation
This should significantly speed up verification time for images that have a lot of signature or attestations. Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice
Codecov Report
@@ Coverage Diff @@
## main #3066 +/- ##
==========================================
- Coverage 30.84% 30.72% -0.12%
==========================================
Files 155 155
Lines 9726 9763 +37
==========================================
Hits 3000 3000
- Misses 6275 6312 +37
Partials 451 451
|
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
var wg sync.WaitGroup | ||
|
||
for i, sig := range sl { | ||
wg.Add(1) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here as below.
var wg sync.WaitGroup | ||
|
||
for i, att := range sl { | ||
wg.Add(1) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I seem to recall (maybe I'm forgetting some details and have something wrong), but for loops where you're then launching go funcs, you needed to make a local copy, so something like this:
for i, att := range sl {
i := i
att := att
wg.Add(1)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah yah i've seen that before! i think that passing in the values to the go function, like go func(att oci.Signature, index int)
, copies the values as well and accomplishes the same thing
I looked into it just to make sure i hadn't mixed up different things and this post says you can do it either way :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lol, yeah, thanks for looking. I couldn't recall all the details, but remember there be dragons!!
It might be worth capping the parallelism here, possibly even making it configurable. If I have 1000 signatures on an image, this will unleash 1000 concurrent requests to the registry, which will not be fun for anybody. 😓 Instead, we can spin up N concurrent workers, and feed them verification tasks:
You can wrap this up in |
should we also have a flag to set the number of workers in case someone needs to configure to a higher or lower number? @priyawadhwa are you working on this? otherwise I am happy to do |
@cpanato go for it, I haven't started yet! i think a flag would be great. We can wait to get the flag merged before we release 2.1.0 |
ok, will do that tomorrow my morning |
This should significantly speed up verification time for images that have a lot of signature or attestations.