[Pulp-list] Pulp 2: Docker rsync distributors & Crane

[Simon Baatz]

On Mon, Jun 11, 2018 at 08:25:39AM -0400, Dennis Kliban wrote:
>    On Wed, Jun 6, 2018 at 9:11 AM, Simon Baatz <[1]gmbnomis at gmail.com>
>    ...
> 
>    We did not have a use case for distributing the redirect files. This
>    would be a good feature to add. If you are interested in adding this
>    functionality, you should start by filing a Story on [2]pulp.plan.io.
>    Reply with the issue link here and we can work out the details on the
>    ticket.

I am not sure whether we can contribute this feature (in the end this
depends on the complexity).  As suggested, I created story #3761 (at
[1]) to find out the details and how complex this will be.

>      - The documentation [0] describes authentication for Crane, but this
>        authenticates only the redirects delivered by Crane. When adding
>        basic authentication to the actual content, the Docker daemon will
>        fail. Apparently, it does not add the credentials when following
>      the
>        redirections.
>        Is there a way to enable protection for both the redirections and
>        content? (I know that crane 3.2.0 supports Akamai CDN tokens, but
>        that does not help with a local server.)
> 
>    There is not a way to add content protection for the content itself
>    right now.

We found a possible solution: Basic authentication works for content
if Crane serves the content directly instead of redirecting.  We
found that it is surprisingly simple to let Crane do that.

As Flask supports "X-Sendfile" out of the box, this should be
efficient as well (even more efficient than redirecting.  The client
does not need the additional round-trip for every artifact.)

I think we could post some code soon, which allows to switch
between "redirect" and "local content" mode.  Should we do the same
here and create a story?


[1] https://pulp.plan.io/issues/3761