Make Notation as a background process #733

Open
jimmychen92 opened this issue Jul 6, 2023 · 2 comments
@jimmychen92

Is your feature request related to a problem?

One of the challenges we face in our enterprise scenarios is signing and verifying numerous artifacts from various container registries. This can become a CPU-intensive operation when we run multiple Notation CLI commands in parallel.

This problem stems from the fact that each CLI command creates a new process, which consumes a significant amount of CPU and memory resources.

What solution do you propose?

My suggestion is to create a Notation service executable that can run as a background process and listen to a network port.

The caller can use HTTP-based IPC to request signing and validation operations on artifacts.

This approach will reduce resource consumption, as there will be only one process handling all sign and verify requests.

What alternatives have you considered?

One possible solution is to package the Notation CLI executable on the host machine and invoke the CLI command from our service.

However, this solution has a scalability issue. According to my benchmark, it can consume all the CPU resources of the host machine when there are more than 50 notation sign and verify operations. Therefore, it is not suitable for handling a large number of artifacts.

Any additional context?

No response

@jimmychen92 jimmychen92 added enhancement New feature or request triage Need to triage labels Jul 6, 2023
@yizha1 yizha1 added this to the Discuss milestone Jul 11, 2023
@yizha1 yizha1 removed the triage Need to triage label Jul 11, 2023

priteshbandi commented Jul 11, 2023

Make notation just a thin CLI wrapper for notation-go; then your server/service code can take a dependency directly on notation-go to sign and verify signatures. This way notation will run as part of your service process with a minimal CPU footprint. We will need to investigate the current state, but it shouldn't be very far from ideal, though I am expecting some work would be required.

There is one more elephant in the room: the notation plugin, which runs as a separate process. I think here we can refactor notation-go to allow registration of a plugin as a library/Go object (most of this work is there, but we might need to polish the interface and iron out any quirks), and then, if the plugin code is open source, you can directly use the plugin as a library, so the plugin will also run as part of your service process.

TL;DR: I recommend we refactor notation-go to allow consumers to take a direct dependency, and also enable plugin-as-library instead of executable support.

cc: @shizhMSFT @patrickzheng200 @iamsamirzon

@shizhMSFT

The Notation plugin is a blocking issue even if we make the notation CLI a background process.

A suggested workaround would be implementing a daemon process on top of notation-go with plugins integrated natively.
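The shape both sides of this thread converge on, as an added example that is not Notation project code: one long-lived process that owns the signing key, bounds how many sign/verify operations run at once, and exposes them over loopback HTTP for callers that would otherwise exec the CLI (the original proposal) or, if they link it as a library, call the same in-process path (the maintainers' suggestion). Everything here is an assumption for illustration: the `artifactSigner`/`message` names, the `/sign` and `/verify` routes, the port `8735`, and the signer itself, which is plain ECDSA P-256 over an OCI `sha256:` digest standing in for notation-go's real signing, verification and plugin handling.

```go
package main

// Added example, not Notation project code: the long-lived daemon with HTTP IPC that the issue
// proposes, bounding concurrent crypto work instead of spawning one process per CLI call. ECDSA
// over the artifact digest is a constructed stand-in for notation-go's sign/verify, not its format.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// message is the JSON body both ways: POST /sign {"digest"} -> {"signature"}; POST /verify {"digest","signature"} -> {"valid"}.
type message struct {
	Digest    string `json:"digest,omitempty"`
	Signature string `json:"signature,omitempty"`
	Valid     bool   `json:"valid"`
}

type artifactSigner struct {
	key *ecdsa.PrivateKey
	sem chan struct{} // one slot per in-flight operation; excess requests queue instead of eating the host CPU
}

func newArtifactSigner(maxInflight int) *artifactSigner {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key; a real daemon loads a configured one
	if err != nil {
		panic(err) // only fails if the system RNG is unusable
	}
	return &artifactSigner{key: key, sem: make(chan struct{}, maxInflight)}
}

// parseDigest accepts only OCI-style "sha256:<64 hex>" digests; anything else is rejected before any crypto runs.
func parseDigest(d string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(d, "sha256:"))
	if !strings.HasPrefix(d, "sha256:") || err != nil || len(raw) != sha256.Size {
		return nil, errors.New("digest must be sha256:<64 hex chars>")
	}
	return raw, nil
}

// handle takes a semaphore slot and runs one operation; a cancelled request stops waiting instead of piling up.
func (s *artifactSigner) handle(r *http.Request, req message) (message, error) {
	raw, err := parseDigest(req.Digest)
	if err != nil {
		return message{}, err
	}
	select {
	case s.sem <- struct{}{}:
	case <-r.Context().Done():
		return message{}, r.Context().Err()
	}
	defer func() { <-s.sem }()
	if r.URL.Path == "/verify" {
		der, err := hex.DecodeString(req.Signature) // an undecodable signature is simply invalid, not an error
		return message{Valid: err == nil && ecdsa.VerifyASN1(&s.key.PublicKey, raw, der)}, nil
	}
	der, err := ecdsa.SignASN1(rand.Reader, s.key, raw)
	return message{Signature: hex.EncodeToString(der)}, err
}

// ServeHTTP is the IPC surface. POST only, two routes, body capped at 4 KiB: a caller sends at most a digest and a signature.
func (s *artifactSigner) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var req message
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&req); err != nil ||
		r.Method != http.MethodPost || (r.URL.Path != "/sign" && r.URL.Path != "/verify") {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	resp, err := s.handle(r, req)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	json.NewEncoder(w).Encode(resp)
}

// roundTrip drives the daemon in-process exactly as a client on the port would.
func roundTrip(s *artifactSigner, path string, req message) (int, message) {
	body, _ := json.Marshal(req)
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, path, strings.NewReader(string(body))))
	var resp message
	json.NewDecoder(rec.Body).Decode(&resp)
	return rec.Code, resp
}

func main() { // bind loopback only: anything that can reach this port can sign with the key; the port is arbitrary
	log.Fatal(http.ListenAndServe("127.0.0.1:8735", newArtifactSigner(8)))
}
```

Two points a practitioner would check before running anything like this: the semaphore, not the process count, is what keeps 50 parallel requests from exhausting the host CPU (they queue, and a caller that gives up stops waiting), and a daemon that listens on a network port is a signing oracle for anything that can reach it, so bind to loopback or a Unix socket and authenticate callers rather than relying on the port being "internal".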

@yizha1 yizha1 modified the milestones: Discuss, Future Apr 9, 2024