Container registry JWT expires too quickly for uploading large layers
The container registry JWT expiration of 60 seconds makes it impossible to push large image layers. If the upload of any layer takes longer than the lifetime of the token, the push will keep retrying that layer until eventually failing with the message unauthorized: authentication required
.
The registry log shows the token being expired:
2016-05-25_21:25:38.21289 127.0.0.1 - - [25/May/2016:16:25:37 -0500] "POST /v2/<project>/blobs/uploads/ HTTP/1.0" 202 0 "" "docker/1.11.1 go/go1.5.4 git-commit/5604cbe kernel/3.13.0-44-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.1 \\(linux\\))"
2016-05-25_21:27:56.67274 time="2016-05-25T16:27:56.67271054-05:00" level=error msg="token not to be used before 1464211528 or after 1464211593 - currently 1464211676"
2016-05-25_21:27:56.67311 time="2016-05-25T16:27:56.673073077-05:00" level=warning msg="error authorizing context: invalid token" environment=production go.version=go1.5.4 http.request.host=<host> http.request.id=d8e680da-efeb-4138-a449-2a067ad12c36 http.request.method=PATCH http.request.remoteaddr=10.0.102.185 http.request.uri="/v2/<project>/blobs/uploads/79af46e5-cf36-4a9a-9e65-9ded8ed865bf?_state=-FRzl77_ORRMVG_yEvaIhvYykiGxRQlBbEr4s21EsNx7Ik5hbWUiOiJkb2NrZXIvY2F0cy1jaS1ydW5uZXIiLCJVVUlEIjoiNzlhZjQ2ZTUtY2YzNi00YTlhLTllNjUtOWRlZDhlZDg2NWJmIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDE2LTA1LTI1VDIxOjI1OjM3LjYyMjYwMDg0WiJ9" http.request.useragent="docker/1.11.1 go/go1.5.4 git-commit/5604cbe kernel/3.13.0-44-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.1 \\(linux\\))" instance.id=4893ae7a-5e3a-4a71-83b9-4ca60d5ed10c service=registry vars.name="<project>" vars.uuid=79af46e5-cf36-4a9a-9e65-9ded8ed865bf version=v2.4.0
To test, I changed the line https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/json_web_token/token.rb#L12 to read:
@expire_time = issued_at + 10.minutes
Then tried pushing an image that was failing, and it succeeded.
Could the expiration time be a configuration option, or maybe just increased to a longer default?