registry: defaultService: use sync.RWMutex

Most operations only require read access, so change this to use an RWMutex, and some minor refactoring in lookupV2Endpoints() so that we are not constructing tlsconfig multiple times in some cases. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 12:21:53 -05:00 · 2022-02-26 14:52:12 +01:00 · 2022-02-26 14:52:12 +01:00 · dae2173568
commit dae2173568
parent 9cb0aa4c91
3 changed files with 20 additions and 25 deletions
--- a/registry/registry.go
+++ b/registry/registry.go
@ -20,6 +20,7 @@ func HostCertsDir(hostname string) string {
 	return filepath.Join(CertsDir(), cleanPath(hostname))
 }

+// newTLSConfig constructs a client TLS configuration based on server defaults
 func newTLSConfig(hostname string, isSecure bool) (*tls.Config, error) {
 	// PreferredServerCipherSuites should have no effect
 	tlsConfig := tlsconfig.ServerDefault()
--- a/registry/service.go
+++ b/registry/service.go
@ -39,7 +39,7 @@ type Service interface {
 // of mirrors.
 type defaultService struct {
 	config *serviceConfig
-	mu     sync.Mutex
+	mu     sync.RWMutex
 }

 // NewService returns a new instance of defaultService ready to be
@ -52,8 +52,8 @@ func NewService(options ServiceOptions) (Service, error) {

 // ServiceConfig returns the public registry service configuration.
 func (s *defaultService) ServiceConfig() *registry.ServiceConfig {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.mu.RLock()
+	defer s.mu.RUnlock()

 	servConfig := registry.ServiceConfig{
 		AllowNondistributableArtifactsCIDRs:     make([]*(registry.NetIPNet), 0),
@ -167,9 +167,9 @@ func (s *defaultService) Search(ctx context.Context, term string, limit int, aut
 	indexName, remoteName := splitReposSearchTerm(term)

 	// Search is a long-running operation, just lock s.config to avoid block others.
-	s.mu.Lock()
+	s.mu.RLock()
 	index, err := newIndexInfo(s.config, indexName)
-	s.mu.Unlock()
+	s.mu.RUnlock()

 	if err != nil {
 		return nil, err
@ -226,8 +226,8 @@ func (s *defaultService) Search(ctx context.Context, term string, limit int, aut
 // ResolveRepository splits a repository name into its components
 // and configuration of the associated registry.
 func (s *defaultService) ResolveRepository(name reference.Named) (*RepositoryInfo, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.mu.RLock()
+	defer s.mu.RUnlock()
 	return newRepositoryInfo(s.config, name)
 }

@ -244,22 +244,18 @@ type APIEndpoint struct {

 // TLSConfig constructs a client TLS configuration based on server defaults
 func (s *defaultService) TLSConfig(hostname string) (*tls.Config, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.mu.RLock()
+	secure := isSecureIndex(s.config, hostname)
+	s.mu.RUnlock()

-	return s.tlsConfig(hostname)
-}
-
-// tlsConfig constructs a client TLS configuration based on server defaults
-func (s *defaultService) tlsConfig(hostname string) (*tls.Config, error) {
-	return newTLSConfig(hostname, isSecureIndex(s.config, hostname))
+	return newTLSConfig(hostname, secure)
 }

 // LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference.
 // It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP.
 func (s *defaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.mu.RLock()
+	defer s.mu.RUnlock()

 	return s.lookupV2Endpoints(hostname)
 }
@ -267,8 +263,8 @@ func (s *defaultService) LookupPullEndpoints(hostname string) (endpoints []APIEn
 // LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference.
 // It gives preference to HTTPS over plain HTTP. Mirrors are not included.
 func (s *defaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.mu.RLock()
+	defer s.mu.RUnlock()

 	allEndpoints, err := s.lookupV2Endpoints(hostname)
 	if err == nil {
--- a/registry/service_v2.go
+++ b/registry/service_v2.go
@ -8,7 +8,6 @@ import (
 )

 func (s *defaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) {
-	tlsConfig := tlsconfig.ServerDefault()
 	if hostname == DefaultNamespace || hostname == IndexHostname {
 		for _, mirror := range s.config.Mirrors {
 			if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
@ -18,7 +17,7 @@ func (s *defaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
 			if err != nil {
 				return nil, invalidParam(err)
 			}
-			mirrorTLSConfig, err := s.tlsConfig(mirrorURL.Host)
+			mirrorTLSConfig, err := newTLSConfig(mirrorURL.Host, isSecureIndex(s.config, mirrorURL.Host))
 			if err != nil {
 				return nil, err
 			}
@ -35,19 +34,18 @@ func (s *defaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
 			Version:      APIVersion2,
 			Official:     true,
 			TrimHostname: true,
-			TLSConfig:    tlsConfig,
+			TLSConfig:    tlsconfig.ServerDefault(),
 		})

 		return endpoints, nil
 	}

-	ana := allowNondistributableArtifacts(s.config, hostname)
-
-	tlsConfig, err = s.tlsConfig(hostname)
+	tlsConfig, err := newTLSConfig(hostname, isSecureIndex(s.config, hostname))
 	if err != nil {
 		return nil, err
 	}

+	ana := allowNondistributableArtifacts(s.config, hostname)
 	endpoints = []APIEndpoint{
 		{
 			URL: &url.URL{