Merge pull request #2889 from linxiulei/isolated_content

metadata: define content sharing policy
Derek McGowan
2019-01-14 13:15:38 -08:00
committed by GitHub
7 changed files with 221 additions and 20 deletions


@@ -220,3 +220,21 @@ The linux runtime allows a few options to be set to configure the shim and the r
# (this only need to be set on kernel < 3.18)
shim_no_newns = true
```
### Bolt Metadata Plugin
The bolt metadata plugin allows configuration of the content sharing policy between namespaces.
The default mode "shared" will make blobs available in all namespaces once it is pulled into any namespace.
The blob will be pulled into the namespace if a writer is opened with the "Expected" digest that is already present in the backend.
The alternative mode, "isolated" requires that clients prove they have access to the content by providing all of the content to the ingest before the blob is added to the namespace.
Both modes share backing data, while "shared" will reduce total bandwidth across namespaces, at the cost of allowing access to any blob just by knowing its digest.
The default is "shared". While this is largely the most desired policy, one can change to "isolated" mode with the following configuration:
```toml
[plugins.bolt]
content_sharing_policy = "isolated"
```
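Review bot: The security trade-off of the default is buried in the last clause of the "Both modes share backing data" sentence, and the following line then calls "shared" "largely the most desired policy" without saying when it is not. Since the text itself says "shared" allows "access to any blob just by knowing its digest", consider stating that consequence at the top of the section and saying explicitly that hosts whose namespaces do not trust each other should set `content_sharing_policy = "isolated"`. The default is also stated twice ("The default mode "shared"" and "The default is "shared""), so one of the two can be dropped. Finally, the section names only the two values and does not say what happens when the key is set to anything else; documenting that behaviour here would help operators catch a typo in the policy name.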