author: James E. Blair <jeblair@redhat.com> 2019-02-21 13:49:49 -0800
committer: James E. Blair <jeblair@redhat.com> 2019-02-21 13:49:49 -0800
commit: e7a0f0da8b83f59a482240faac7330fea12cfefd
tree: f626e815cba90516c46318310f208b20414b16d7
parent: c8c439e0d8353b18e5c35f4666320f464521b5f8
run-buildset-registry: run a dual registry
The docker registry daemon can either act as a private registry, or as a pull-through proxy, but not both. Yet we need to be able to serve private (speculative buildset) images as well as plain upstream images. Our registry is used as a mirror and requires authentication, therefore docker's normal behavior of falling back on docker.io won't work because it will attempt to use our credentials.

However, the registry daemon stores all of its state in the filesystem, therefore we can run two instances of the registry service, both pointing at the same data store. The first acts as a pull-through proxy and will serve whatever files are already in the local storage, or will fetch them from docker.io. The second can be used to upload images into the local storage.

To make a long story short, whenever we push into the buildset registry, we will use the second endpoint. Whenever the docker daemon pulls from the buildset registry, it will use the first.

Change-Id: I296029068b5ef28ee56543741fe8c8deeefb5dfa
Notes (review):
Code-Review+2: Monty Taylor <mordred@inaugust.com>
Code-Review+2: Clark Boylan <cboylan@sapwetik.org>
Workflow+1: Clark Boylan <cboylan@sapwetik.org>
Code-Review+2: Jeremy Stanley <fungi@yuggoth.org>
Verified+2: Zuul
Submitted-by: Zuul
Submitted-at: Thu, 21 Feb 2019 23:39:29 +0000
Reviewed-on: https://review.openstack.org/638514
Project: openstack-infra/zuul-jobs
Branch: refs/heads/master
-rw-r--r-- roles/run-buildset-registry/README.rst 13
-rw-r--r-- roles/run-buildset-registry/tasks/main.yaml 24
2 files changed, 34 insertions, 3 deletions
diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst
index bcd26de..2133cda 100644
--- a/roles/run-buildset-registry/README.rst
+++ b/roles/run-buildset-registry/README.rst
@@ -2,7 +2,10 @@ Runs a docker registry for the use of this buildset.
2 2
3This may be used for a single job running on a single node, or it may 3This may be used for a single job running on a single node, or it may
4be used at the root of a job graph so that multiple jobs running for a 4be used at the root of a job graph so that multiple jobs running for a
5single change can share the registry. 5single change can share the registry. Two registry endpoints are
6provided -- one is a read-only endpoint which acts as a pull-through
7proxy and serves upstream images as well as those which are pushed to
8the registry. The second is intended only for pushing images.
6 9
7**Role Variables** 10**Role Variables**
8 11
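Review bot: The new README sentence calls the second endpoint "intended only for pushing images" without saying which role variables belong to which endpoint, or that the restriction is a convention rather than something the role enforces. Suggest naming the variables in this paragraph, for example that host/port is the read-only pull-through proxy and push_host/push_port is the push endpoint, and stating that pulls are expected to go through the first endpoint only.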
@@ -25,6 +28,14 @@ single change can share the registry.
25 28
26 The port on which the registry is listening. 29 The port on which the registry is listening.
27 30
31 .. zuul:rolevar:: push_host
32
33 The host (IP address) to use when pushing images to the registry.
34
35 .. zuul:rolevar:: push_port
36
37 The port to use when pushing images to the registry.
38
28 .. zuul:rolevar:: username 39 .. zuul:rolevar:: username
29 40
30 The username used to access the registry via HTTP basic auth. 41 The username used to access the registry via HTTP basic auth.
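Review bot: With push_host and push_port added, the unchanged description of port, "The port on which the registry is listening", is now ambiguous because two registry instances listen. Suggest rewording the existing host/port entries to say they refer to the pull-through proxy endpoint, and having the push_host/push_port entries say they refer to the separate push instance, so a job author cannot mistake one pair for the other.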
diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml
index f4cf4fd..fffe2cd 100644
--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -59,9 +59,9 @@
59- name: Decode TLS certificate 59- name: Decode TLS certificate
60 set_fact: 60 set_fact:
61 certificate: "{{ certificate.content | b64decode }}" 61 certificate: "{{ certificate.content | b64decode }}"
62- name: Start a docker registry 62- name: Start a docker proxy
63 docker_container: 63 docker_container:
64 name: buildset_registry 64 name: buildset_proxy
65 image: registry:2 65 image: registry:2
66 state: started 66 state: started
67 restart_policy: always 67 restart_policy: always
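Review bot: The container name buildset_registry is taken away from the existing service here (now buildset_proxy) and reused for the new push instance later in this patch, so the same name refers to a different service before and after the change. Anything that addresses the container by name, such as log collection, cleanup or debugging on a held node, will now reach the push instance instead of the one that serves pulls. Suggest a distinct name for the new container, such as buildset_push, or a comment on the task explaining the swap.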
@@ -80,11 +80,31 @@
80 - "{{ buildset_registry_root}}/data:/var/lib/registry" 80 - "{{ buildset_registry_root}}/data:/var/lib/registry"
81 - "{{ buildset_registry_root}}/certs:/certs" 81 - "{{ buildset_registry_root}}/certs:/certs"
82 - "{{ buildset_registry_root}}/auth:/auth" 82 - "{{ buildset_registry_root}}/auth:/auth"
83- name: Start a docker registry
84 docker_container:
85 name: buildset_registry
86 image: registry:2
87 state: started
88 restart_policy: always
89 ports:
90 - "5001:5000"
91 env:
92 REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
93 REGISTRY_HTTP_TLS_KEY: /certs/domain.key
94 REGISTRY_AUTH: htpasswd
95 REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
96 REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
97 volumes:
98 - "{{ buildset_registry_root}}/data:/var/lib/registry"
99 - "{{ buildset_registry_root}}/certs:/certs"
100 - "{{ buildset_registry_root}}/auth:/auth"
83- name: Set registry information fact 101- name: Set registry information fact
84 set_fact: 102 set_fact:
85 buildset_registry: 103 buildset_registry:
86 host: "{{ ansible_host }}" 104 host: "{{ ansible_host }}"
87 port: 5000 105 port: 5000
106 push_host: "{{ ansible_host }}"
107 push_port: 5001
88 username: zuul 108 username: zuul
89 password: "{{ registry_password }}" 109 password: "{{ registry_password }}"
90 cert: "{{ certificate }}" 110 cert: "{{ certificate }}"
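Review bot: In the new "Start a docker registry" task, the push instance mounts the same /auth volume and htpasswd file as the proxy, and the set_fact block publishes a single username/password for both endpoints, so any consumer given credentials to pull on 5000 can also push on 5001 and replace content the proxy serves from the shared data directory. If only some jobs should be able to push, suggest a separate htpasswd file and credential for the push container. Also, 5000 and 5001 appear as literals both in ports and in the buildset_registry fact; one variable per port would keep the two places from drifting apart.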