diff --git a/roles/pull-from-intermediate-registry/tasks/main.yaml b/roles/pull-from-intermediate-registry/tasks/main.yaml index 4623a634b..56a5cf9e5 100644 --- a/roles/pull-from-intermediate-registry/tasks/main.yaml +++ b/roles/pull-from-intermediate-registry/tasks/main.yaml @@ -74,13 +74,18 @@ mode: 0600 # Pull the images + +# To support usage with both docker and podman, the buildset registry +# keeps "docker.io" entries un-namespaced, and any other namespaces +# are namespaced. Therefore, if we see docker.io in the repository +# name, we strip it here. - name: Pull artifacts from intermediate registry block: - name: Pull artifacts from intermediate registry command: >- skopeo --insecure-policy copy {{ item.url }} - docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }} + docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ item.metadata.tag }} retries: 3 register: result until: result is success diff --git a/roles/push-to-intermediate-registry/tasks/push-image.yaml b/roles/push-to-intermediate-registry/tasks/push-image.yaml index 44f76a5ed..c2bc3071c 100644 --- a/roles/push-to-intermediate-registry/tasks/push-image.yaml +++ b/roles/push-to-intermediate-registry/tasks/push-image.yaml 
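Review bot: The `docker.io` stripping rule is now written three times: the `regex_replace('^docker\.io/(.*)', '\1')` in this pull task, the same filter in push-to-intermediate-registry/tasks/push-image.yaml, and `get_location()` in modify_registries_conf.py. All three must agree for an image to land at the path the mirror configuration points to. If they drift, a pull would presumably fall through to the upstream registry instead of the speculative image, without any error. A shared variable or small filter would make the coupling visible, as would a sentence in the comment naming the other two places. The `skopeo --insecure-policy` flag is unchanged by this commit, but a comment on why the signature policy is disabled here would help reviewers.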
@@ -1,7 +1,11 @@ +# To support usage with both docker and podman, the buildset registry +# keeps "docker.io" entries un-namespaced, and any other namespaces +# are namespaced. Therefore, if we see docker.io in the repository +# name, we strip it here. - name: Push tag to intermediate registry command: >- skopeo --insecure-policy copy - docker://127.0.0.1:{{ socat_port }}/{{ image.repository }}:{{ image_tag }} + docker://127.0.0.1:{{ socat_port }}/{{ image.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ image_tag }} docker://{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }} retries: 3 register: result diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst index 77262c12c..4f9f91b54 100644 --- a/roles/run-buildset-registry/README.rst +++ b/roles/run-buildset-registry/README.rst @@ -1,4 +1,4 @@ -Runs a docker registry for the use of this buildset. +Runs a container registry for the use of this buildset. This may be used for a single job running on a single node, or it may be used at the root of a job graph so that multiple jobs running for a @@ -16,6 +16,12 @@ single change can share the registry. The port on which the registry should listen. +.. zuul:rolevar:: container_command + :default: docker + + The command to use to run the registry container (E.g., ``podman``). + + **Return Values** .. zuul:rolevar:: buildset_registry diff --git a/roles/run-buildset-registry/defaults/main.yaml b/roles/run-buildset-registry/defaults/main.yaml index 407c74787..7c24e657c 100644 --- a/roles/run-buildset-registry/defaults/main.yaml +++ b/roles/run-buildset-registry/defaults/main.yaml @@ -1,2 +1,3 @@ buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry" buildset_registry_port: 5000 +container_command: docker diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml index ecbbccce5..c003eec49 100644 
--- a/roles/run-buildset-registry/tasks/main.yaml +++ b/roles/run-buildset-registry/tasks/main.yaml @@ -2,7 +2,6 @@ become: yes package: name: - - python-docker - openssl - python-passlib state: present @@ -11,7 +10,6 @@ become: yes package: name: - - python3-docker - openssl - python3-passlib state: present @@ -41,16 +39,14 @@ set_fact: certificate: "{{ certificate.content | b64decode }}" - name: Start the buildset registry - docker_container: - name: "{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}" - image: zuul/zuul-registry:latest - state: started - restart_policy: always - ports: - - "{{ buildset_registry_port }}:5000" - volumes: - - "{{ buildset_registry_root }}/tls:/tls" - - "{{ buildset_registry_root }}/conf:/conf" + command: >- + {{ container_command }} run -d + --name="{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}" + --restart=always + --publish="{{ buildset_registry_port }}:5000" + --volume="{{ buildset_registry_root }}/tls:/tls" + --volume="{{ buildset_registry_root }}/conf:/conf" + docker.io/zuul/zuul-registry:latest - name: Set registry information fact set_fact: buildset_registry: diff --git a/roles/use-buildset-registry/__init__.py b/roles/use-buildset-registry/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/roles/use-buildset-registry/library/__init__.py b/roles/use-buildset-registry/library/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/roles/use-buildset-registry/library/modify_registries_conf.py b/roles/use-buildset-registry/library/modify_registries_conf.py new file mode 100644 index 000000000..8697f8ff4 --- /dev/null +++ b/roles/use-buildset-registry/library/modify_registries_conf.py 
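Review bot: The rewritten "Start the buildset registry" task in the third hunk is no longer idempotent. `docker_container` with `state: started` converged on an existing container, while `{{ container_command }} run -d --name=...` will presumably fail on a second run because the name is taken, and it always reports changed. Consider registering the output of a `{{ container_command }} ps -a --filter name=...` check first and putting a `when:` on the run task. The image is still referenced by the mutable tag `docker.io/zuul/zuul-registry:latest`; since every job in the buildset trusts what this registry serves, pinning it as `docker.io/zuul/zuul-registry@sha256:<digest>` would make its provenance reproducible. The task list continues outside the hunk.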
@@ -0,0 +1,76 @@ +# Copyright 2019 Red Hat, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import os + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils import remarshal + + +def get_location(prefix, location): + # To support usage with both docker and podman, the buildset + # registry keeps "docker.io" entries un-namespaced. + if prefix == 'docker.io': + return location + else: + return location + '/' + prefix + + +def ansible_main(): + module = AnsibleModule( + argument_spec=dict( + path=dict(required=True, type='path'), + buildset_registry=dict(type='raw'), + namespaces=dict(type='raw'), + ) + ) + p = module.params + location = '%s:%s' % (p['buildset_registry']['host'], + p['buildset_registry']['port']) + + if os.path.exists(p['path']): + with open(p['path'], 'rb') as f: + input_data = f.read() + data = remarshal.decode('toml', input_data, True) + else: + data = {} + + unseen = set(p['namespaces']) + if 'registry' not in data: + data['registry'] = [] + for reg in data['registry']: + if reg['prefix'] in unseen: + unseen.remove(reg['prefix']) + else: + continue + mirrors = reg.setdefault('mirror', []) + mirrors.insert(0, { + 'location': get_location(reg['prefix'], location)}) + for prefix in unseen: + mirrors = [{'location': get_location(prefix, location)}, + {'location': prefix}] + reg = {'prefix': prefix, + 'location': prefix, + 'mirror': mirrors} + data['registry'].append(reg) + + output_data = remarshal.encode_toml(data, 
True) + with open(p['path'], 'wb') as f: + f.write(output_data.encode('utf8')) + + module.exit_json(changed=True, data=data) + + +if __name__ == '__main__': + ansible_main() diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml index 12ee2ac4e..74719a1ab 100644 --- a/roles/use-buildset-registry/tasks/main.yaml +++ b/roles/use-buildset-registry/tasks/main.yaml @@ -23,16 +23,14 @@ file: state: directory path: /etc/docker -- name: Ensure buildset registry cert directory exists - become: true - file: - path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/" - state: directory - name: Write buildset registry TLS certificate become: true copy: content: "{{ buildset_registry.cert }}" - dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt" + dest: "/usr/local/share/ca-certificates/buildset-registry.crt" +- name: Update CA certs + command: update-ca-certificates + become: true # Update daemon config - name: Check if docker daemon configuration exists @@ -73,6 +71,21 @@ register: docker_restart failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg +- name: Ensure containers directory exists + become: yes + file: + state: directory + path: /etc/containers +- name: Modify registries.conf + become: yes + modify_registries_conf: + path: /etc/containers/registries.conf + buildset_registry: "{{ buildset_registry }}" + namespaces: + - docker.io + - quay.io + - gcr.io + # We use 'block' here to cause the become to apply to all the tasks # (which does not automatically happen with include_tasks). - name: Update docker user config to use buildset registry diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml index 7aff92d4a..238262fd5 100644 --- a/roles/use-buildset-registry/tasks/user-config.yaml 
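Review bot: In `ansible_main()` the loop over `data['registry']` is not idempotent and assumes every existing entry has a `prefix` key. A second run inserts the same mirror again at index 0, and an entry that sets only `location` (which I believe registries.conf v2 allows) raises `KeyError`. I would read the key with `prefix = reg.get('prefix', reg.get('location'))`, guard the insert with `if entry not in mirrors: mirrors.insert(0, entry)`, and report `changed` only when the encoded output differs from `input_data`. `buildset_registry` and `namespaces` are also not `required=True`, so omitting either fails with a `TypeError` on `p['buildset_registry']['host']` or `set(p['namespaces'])` rather than a clean module error. Since this file is rewritten as root and decides where every image pull goes first, a short module docstring stating that the buildset registry is prepended as the first mirror for each listed namespace would help whoever audits it.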
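Review bot: Moving the buildset registry certificate from `/etc/docker/certs.d/<alias>:<port>/ca.crt` to `/usr/local/share/ca-certificates/buildset-registry.crt` in the first hunk widens its trust from one registry endpoint to every TLS client on the node that uses the system store. If that certificate is self-signed with CA:TRUE (its generation is outside this diff, so this needs confirming), whoever holds the registry key could be accepted for any hostname. Generating it as a non-CA leaf, or keeping a per-registry location such as `/etc/containers/certs.d/` for podman, would keep the scope narrow. `update-ca-certificates` is also Debian/Ubuntu-specific and the `command` task reports changed on every run, so a `changed_when` and a platform condition are worth adding. The copy task sets no `mode`; `mode: "0644"` would make the intent explicit.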
+++ b/roles/use-buildset-registry/tasks/user-config.yaml @@ -37,6 +37,10 @@ content: "{{ docker_config | to_nice_json }}" dest: "~/.docker/config.json" mode: 0600 +- name: Write containers auth configuration + copy: + content: "{{ docker_config | to_nice_json }}" + dest: "/run/user/{{ ansible_user_uid }}/auth.json" - name: Check if /var/lib/kubelet exists stat: path: /var/lib/kubelet diff --git a/test-playbooks/registry/docker/Dockerfile b/test-playbooks/registry/docker/Dockerfile index 609bf905a..178d518e8 100644 --- a/test-playbooks/registry/docker/Dockerfile +++ b/test-playbooks/registry/docker/Dockerfile @@ -1,2 +1,2 @@ -FROM debian:testing +FROM docker.io/library/debian:testing CMD echo "Zuul container test"; sleep infinity diff --git a/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml b/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml index ef07a9158..bfba17653 100644 --- a/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml +++ b/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml @@ -1,4 +1,5 @@ - name: Ensure registry volume directories exists + become: true file: state: directory path: "/var/registry/{{ item }}" @@ -6,6 +7,7 @@ - certs - auth - name: Install python packages + become: true package: name: - python3-docker @@ -13,6 +15,7 @@ - python3-bcrypt state: present - name: Write htpassword file + become: true htpasswd: create: true crypt_scheme: bcrypt 
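Review bot: The new "Write containers auth configuration" task writes registry credentials to `/run/user/{{ ansible_user_uid }}/auth.json` without a `mode`, while the `~/.docker/config.json` task directly above it sets `mode: 0600` for the same content. Add `mode: "0600"` so the file's permissions do not depend on the umask. The task also assumes `/run/user/<uid>` already exists. I believe podman's default lookup path is `${XDG_RUNTIME_DIR}/containers/auth.json` rather than the runtime directory itself, so the destination should be confirmed against the podman version under test. The task list continues outside the hunk.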
@@ -20,27 +23,26 @@ name: "{{ intermediate_registry.username }}" password: "{{ intermediate_registry.password }}" - name: Write TLS private key + become: true copy: content: "{{ intermediate_registry_tls_key }}" dest: /var/registry/certs/domain.key - name: Write TLS certificate + become: true copy: content: "{{ intermediate_registry_tls_cert }}{{ intermediate_registry_tls_chain | default('') }}" dest: /var/registry/certs/domain.crt - name: Start intermediate docker registry - docker_container: - name: intermediate_registry - image: registry:2 - state: started - restart_policy: always - ports: - - "5000:5000" - env: - REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt - REGISTRY_HTTP_TLS_KEY: /certs/domain.key - REGISTRY_AUTH: htpasswd - REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd - REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm - volumes: - - "/var/registry/certs:/certs" - - "/var/registry/auth:/auth" + command: >- + {{ container_command }} run -d + --name="intermediate_registry" + --restart=always + --network=host + --env REGISTRY_HTTP_TLS_CERTIFICATE="/certs/domain.crt" + --env REGISTRY_HTTP_TLS_KEY="/certs/domain.key" + --env REGISTRY_AUTH="htpasswd" + --env REGISTRY_AUTH_HTPASSWD_PATH="/auth/htpasswd" + --env REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" + --volume="/var/registry/certs:/certs" + --volume="/var/registry/auth:/auth" + docker.io/library/registry:2 diff --git a/test-playbooks/registry/test-registry-post.yaml b/test-playbooks/registry/test-registry-post.yaml index 108993925..2fda35820 100644 --- a/test-playbooks/registry/test-registry-post.yaml +++ b/test-playbooks/registry/test-registry-post.yaml 
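Review bot: The replacement `run` command starts the intermediate registry with `--network=host`, where the removed `docker_container` task published only `5000:5000`. Host networking places the container in the host's network namespace rather than exposing a single port, so unless podman needs it here, `--publish="5000:5000"` would match the old behaviour and the buildset-registry task. In the visible hunks this "Start intermediate docker registry" task is also the only one that did not gain `become: true`, so with the include-level `apply: become` removed in test-registry.yaml it now runs as the unprivileged user. If that is intentional (rootless podman), a comment saying so would help. The container then depends on `/var/registry/certs/domain.key` being readable, and that file is written without an explicit `mode`.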
@@ -1,24 +1,24 @@ - hosts: all tasks: - name: List containers - command: "docker ps -a --format '{{ '{{ .Names }}' }}'" + command: "{{ container_command }} ps -a --format '{{ '{{ .Names }}' }}'" register: docker_containers ignore_errors: true - name: Create container log dir file: - path: "{{ ansible_user_dir }}/zuul-output/logs/docker" + path: "{{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}" state: directory - name: Save container logs loop: "{{ docker_containers.stdout_lines | default([]) }}" - shell: "docker logs {{ item }} &> {{ ansible_user_dir }}/zuul-output/logs/docker/{{ item }}.txt" + shell: "{{ container_command }} logs {{ item }} &> {{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}/{{ item }}.txt" args: executable: /bin/bash ignore_errors: true - name: Open container logs permissions file: - dest: "{{ ansible_user_dir }}/zuul-output/logs/docker" + dest: "{{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}" mode: u=rwX,g=rX,o=rX recurse: yes diff --git a/test-playbooks/registry/test-registry-pre.yaml b/test-playbooks/registry/test-registry-pre.yaml index ad2e4df4e..1672f85a0 100644 --- a/test-playbooks/registry/test-registry-pre.yaml +++ b/test-playbooks/registry/test-registry-pre.yaml @@ -4,10 +4,11 @@ # though that obviously happens in configuration management rather # than a job). - hosts: builder:intermediate-registry - name: Set up docker and iptables configuration for registry hosts - roles: - - install-docker + name: "Set up container system and iptables configuration for registry hosts" tasks: + - name: Install container system + include_role: + name: "install-{{ container_command }}" - name: Open the IPv4 port for the buildset registry become: true iptables: diff --git a/test-playbooks/registry/test-registry.yaml b/test-playbooks/registry/test-registry.yaml index c85ae8ea5..408629c61 100644 --- a/test-playbooks/registry/test-registry.yaml +++ b/test-playbooks/registry/test-registry.yaml 
@@ -13,8 +13,6 @@ - name: Run the intermediate registry include_role: name: run-test-intermediate-registry - apply: - become: true - name: Install the intermediate registry cert include_role: name: install-registry-cert @@ -25,17 +23,18 @@ - name: Set up user credentials for the intermediate registry include_role: name: intermediate-registry-user-config - - name: Build a docker image for the previous build + - name: "Build a container image for the previous build" include_role: - name: build-docker-image + name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image" vars: docker_images: - context: test-playbooks/registry/docker repository: "{{ previous_build_repository }}" + container_images: "{{ docker_images }}" - name: Tag the previous build - command: "docker tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" + command: "{{ container_command }} tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" - name: Push the previous build to the intermediate registry - command: "docker push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" + command: "{{ container_command }} push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" # This is also essentially pre-configuration for the real test of the # roles. This sets up a fake executor (since we can't run the 
@@ -112,16 +111,16 @@ - name: Include previous build vars include_vars: vars/previous-build.yaml - name: Pull the previous build from buildset registry to the builder host - command: "docker pull {{ previous_build_repository }}:latest" - - name: Show local docker images for debugging - command: "docker image ls" + command: "{{ container_command }} pull {{ previous_build_repository }}:latest" + - name: "Show local container images for debugging" + command: "{{ container_command }} image ls" - name: Verify previously built image is in buildset registry - command: "docker image inspect {{ previous_build_repository }}:latest" + command: "{{ container_command }} image inspect {{ previous_build_repository }}:latest" # Back to straightforward use of the roles under test. - hosts: builder - name: Test building a docker image + name: Test building a container image tasks: - name: Create fake sibling projects @@ -133,7 +132,7 @@ - name: Build docker image include_role: - name: build-docker-image + name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image" vars: docker_images: - context: test-playbooks/registry/docker @@ -141,6 +140,7 @@ siblings: - opendev.org/fake-sibling-1 - opendev.org/fake-sibling-2 + container_images: "{{ docker_images }}" - hosts: executor name: Test pushing to the intermediate registry @@ -154,6 +154,7 @@ docker_images: - context: playbooks/registry/docker repository: downstream/image + container_images: "{{ docker_images }}" # And finally an external verification step. diff --git a/test-playbooks/registry/vars/intermediate-registry-auth.yaml b/test-playbooks/registry/vars/intermediate-registry-auth.yaml index d75651af2..34f2e78fc 100644 --- a/test-playbooks/registry/vars/intermediate-registry-auth.yaml +++ b/test-playbooks/registry/vars/intermediate-registry-auth.yaml 
@@ -3,56 +3,59 @@ intermediate_registry: port: 5000 username: "zuul" password: dQI83awO8Akuw0WU +# openssl req -x509 -newkey rsa:2048 -keyout cert.key -out cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN=zuul-jobs.intermediate-registry' -addext 'subjectAltName = DNS:zuul-jobs.intermediate-registry,DNS:localhost,IP:127.0.0.1' intermediate_registry_tls_key: | -----BEGIN PRIVATE KEY----- - MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYkpjfIz7bziCa - mFrWqQ84ldeAs2jvSKs2JG0RhYNNLokr2AU/5TUvqtAisyyd5AX5dBHQ7u/7Vgmj - towt7loFfAG/2/rpdSGi2Njx11roBUoDsjwdE9w3aNnrDvOCyJcepx5TWYS86+vZ - IqodvdnuoWTk9VuolWfHsCgPRQV4uwMbIC5kbv2o4FORsOEzbuRfCEX9UTcAMEGg - K/m/kM/valkrYeBbLILsOcivg4Jh0m+PFC7NTcQFo+uwpZzZvlNtVbmQ3LqkHDAE - KDK94uBcQtdYjvvl6UZ+pNo+puD9iakYtcpQFuU8rpavMLE87+SuPVgi2Rk6QtTz - OAP2mDMJAgMBAAECggEBANM9MfS7WQ1mIXEI19l2roz/wmIbHGgAllbJ8sRbWLWI - hW0JWB15gIYM8tRVtVgP2C/3IYWL+PFKez5+yH3odU/SI5ayhyr8/6DqJ7jD2Dxl - JEs0puOpwmsdTyixvZy78IKKeM7NiuYGq1VwNUOrMQ1LyLB2DUAC8mXYkUpLhUm6 - O4wVaGie7XwMOJazRs66ceU9k7Nuv3b57yc3PN2bzTqYUVjmJ1XeuAiBJaAeHts6 - NfG1+vO9xLXIRTRWvDGKByNsYJJLLPOXZkQZZFYYe8TTduxyCmZgShY6sZmmnWua - cAdBL6b/5B3PZ2SkhdLHklaZmH8PTeAoqI2RDz/8eIECgYEA8gofU8LrK1Xjgrig - ItQxYxqZCrggm9lMMcaADc7u3nff68NyImZ5bSXhvZCu74cAIMx12HbU1UvSCsQ4 - /cncHrlBOzG529878+iWgiUrJ29GsQiHGj+qHA4qGBSP0Qan7ISunskj4GezTeHd - /A3oTn5rLuld9V++647O35lXArkCgYEA5RBwV5nle49UT38hNqL/K+TUX5oZJXB8 - Xl9FT1L799toHUPEWEkSpf7Suf1hDwv6+tsIPO6tN7YirxK390JRxPaT948J8n1d - TkurGDs1uwLQdUWgXIwvQ8ms+8rYvTU7vg2hI7/BZhH09LmGCiYSwnem0QYXjGnc - kk56VeExytECgYBmBDw2Ctcied4eEAF3DKcQVXqiGP+tkMZbyIXazBjEbhRUhBmM - RFLz3V6rjtsdHHLCYEtfhJ6qlH2gihpXZgjAbmb/MzNaaFoVsTgW/OGWioFqRuTi - /GiP0KyPX8NKYBrRRw9u3+qeQDdEIWp2Pcpno0M8D6LJtKR9FsE9X51cCQKBgQCs - 8u5/ldjoo91acHhZUlQrhgi7bhQSao3ciz4/mD5ac7R2dBYpOnL0FiRw/VhtDfSf - twTPTL5IVCJ34UA5Vj964VnzDnLKPdFXLlauYvY8jvFpufpMJiQBoKIVMqDWqvzC - kHPcFAon0OMMa49C1mBPqBuxslHRWJSLeulvMipwIQKBgDFzDTH49cmKP8YQmCuT - 
vC5PJJ+hutbf/dOVJuOZ5KlKwnRkbMwoamYKrkjgmWMBgtzyz12/a46lZ58ul4xW - 1fKw/nx8uQcbnKnigyjsAUzI9FgBR4d10cYdxPlfYVmj4TAUA3os5Gu6VKySy6SV - xuHEIA6nFsXLXGBu25vI5tEv + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC46dQ/20Zsjel3 + 7D2F+9+9WqslsIWfiP+zsqsz+/K5ngkdYyBEjYCBAUoLmGY/6/HkvZRBYE79R2FK + gjKIIo/bElKI4H6jq2nke5No+nroPXRlFh7wu0yP+U3P6pSaaDKJuJ5mMXxcboZE + z8TyjRs1+RaFo+walNNfcA/ZOg8JRWV5Fe4JBw7GjgR6GH265h6zppakg801rFXV + zbf9sCRz7ic3vpNywGgz8klwqQVR3H1GlZ5zvlDr6/lPin+YwlXRd1wgRfFIima9 + K+IU+nymnBExInO5AyomolpN+bn4bnrx6q2l/FKWvEssVKZPPjT8v7lbzBiXxvb2 + AKYmNjL5AgMBAAECggEARnqBNpGKBwgT62x0iqPUxGRRhT0BwSvDYieAT4EBI7RT + fwrwGpDgYMswALlmh4iTmv6TClP951WUhISZY//gWrxiDt+aBSHpa3eaWNHXlLsP + qRPEWTbaWKnJ+axMVYnPcWSXoxXLc6OAs6uJQnV74Jd++RLgg8Ujx2V79OzHHF3c + AwwH1NHHWXPaxrItB+nLiV0Q9eQh5nibW12IFmyknYaAeYmanzVwDplBubtsS1T3 + X1kjUUaG58qCT/XyyM4YvagaDyy75T6J4XYnRsV7b/FKwc8FuF0vgbI+yY3B8nrz + h4z14QLNvNmUiGbkJRpDzKQb/BeWvT/GPXzvD2ObHQKBgQDfrxIiO4bWa+IjJNSn + FySIBBoKzh70LC8ElQ8AkrzjeucgtPQIY0zJcdT9nhAcS4mYqw4tp1snhm9mbyuB + huF83MwNFJ/O46IrWWpji0fXKQGgmPNex7yDGHYaVAE/nbzajGXXlGB1+w3tHCvM + 1fxKxtLURHNtjfDBZUqDcz+PhwKBgQDToNXiMo5fKc3PninxaHrjnDQmDxk5t1y6 + hEOTJf12BJDw4syh3YzxFcAH0CA47OTy7o7dMZVt5RZ53XKR5fbYfKD7KGX/claw + sfutpskuVgFj4pnwShylFB6dQueFiHcWHf/DjMJmKyNM1dxzZcfqnH6P7FZaiYoW + eoLdy1vJfwKBgQCtTL845HOgNq9aWROkbQqxkrP2gSF8Pasj2rRn1kgf2j2tmmSj + BwQb4mSJJegHdAKj1ItEla/K3J38d872KGEU0yAIVl1F9hjTixAhFWzQZwXKvhV3 + 7jnAO7hsx368IeKKVFInBt8BKUPt23CX34X7DTWUnX/sdhb8TxS+6RBqiwKBgQCF + 3GAtuejQTPL/9n11U68XtcBOqpI8Lb2bxPmxZABU3EKJ/AuP/0GdZTKYPo+DMmUH + PNplE23/mz6CSw6jNqDTAtIYy87oq3wmPA6EItFyW7h5Y+YXVemUiYtr0dv8XPtm + pAcZvDliwrqLaWMOIz03K1Hq24Urs4ADA+8vN+iRJQKBgQCtNXP4sTXjRhO+leiM + 3YXc/qBof9TNlMcKS0g6C0s/+KFZ1CG3DbN0CizDCxqYWedOB7CKWklmfg7ENEhL + NI6NTo10Q376UZE1+TmaWjGdIdvaxDnUeabSeqUXQxinWOS1pGzMgwXULw1BMLCq + Zy9ZnBgOFe2NJl4U7EN8Xdmfrw== -----END PRIVATE KEY----- intermediate_registry_tls_cert: | -----BEGIN CERTIFICATE----- - 
MIIDtDCCApygAwIBAgIJANpxowfzYw4vMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV - BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX - aWRnaXRzIFB0eSBMdGQxKDAmBgNVBAMMH3p1dWwtam9icy5pbnRlcm1lZGlhdGUt - cmVnaXN0cnkwHhcNMTkwNTMwMjAwOTQxWhcNMzkwNTI1MjAwOTQxWjBvMQswCQYD - VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg - V2lkZ2l0cyBQdHkgTHRkMSgwJgYDVQQDDB96dXVsLWpvYnMuaW50ZXJtZWRpYXRl - LXJlZ2lzdHJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2JKY3yM+ - 284gmpha1qkPOJXXgLNo70irNiRtEYWDTS6JK9gFP+U1L6rQIrMsneQF+XQR0O7v - +1YJo7aMLe5aBXwBv9v66XUhotjY8dda6AVKA7I8HRPcN2jZ6w7zgsiXHqceU1mE - vOvr2SKqHb3Z7qFk5PVbqJVnx7AoD0UFeLsDGyAuZG79qOBTkbDhM27kXwhF/VE3 - ADBBoCv5v5DP72pZK2HgWyyC7DnIr4OCYdJvjxQuzU3EBaPrsKWc2b5TbVW5kNy6 - pBwwBCgyveLgXELXWI775elGfqTaPqbg/YmpGLXKUBblPK6WrzCxPO/krj1YItkZ - OkLU8zgD9pgzCQIDAQABo1MwUTAdBgNVHQ4EFgQU00qH9bMUPRacZwgvBgczgR8Z - 424wHwYDVR0jBBgwFoAU00qH9bMUPRacZwgvBgczgR8Z424wDwYDVR0TAQH/BAUw - AwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHEX2Tw19w5okaJ+6gHMFjA338ffwU9n5 - 2piBMypbYr50yyPyUaTmz4SIBsTLkIWu00a0pdo9pqZDnv1KwxtJtP4o4qQXhMd4 - Ve3FFF+6AMaOy5y5+hRkE8iHOOik/rNPFqkVDatNGuOMSNYO/jUFXc+C6Ol7gM/J - edyWaafjQbvdKapKPbdP4Y69R8OlRTNK1lJMIGJrsCdaeaK4EpLpbJPHnagIMdmQ - HDsTf978weRrjJ4JEODTabsKVHKyx0GBwe8CmR0NzpfO2ORCyNUO1rLK2rzh5YTQ - qKGyfY0DAyiSHxKaUeGiskc4/WMxaYv2FzD63Xvzmot9atSwCMjN1A== + MIIEKDCCAxCgAwIBAgIUWVQQugUNh53VhvVfb3S49zw3GvgwDQYJKoZIhvcNAQEL + BQAwgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQH + DAdPYWtsYW5kMRUwEwYDVQQKDAxDb21wYW55IE5hbWUxDDAKBgNVBAsMA09yZzEo + MCYGA1UEAwwfenV1bC1qb2JzLmludGVybWVkaWF0ZS1yZWdpc3RyeTAeFw0xOTEx + MjExODQ5MjhaFw0yMDExMjAxODQ5MjhaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UE + CAwKQ2FsaWZvcm5pYTEQMA4GA1UEBwwHT2FrbGFuZDEVMBMGA1UECgwMQ29tcGFu + eSBOYW1lMQwwCgYDVQQLDANPcmcxKDAmBgNVBAMMH3p1dWwtam9icy5pbnRlcm1l + ZGlhdGUtcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4 + 6dQ/20Zsjel37D2F+9+9WqslsIWfiP+zsqsz+/K5ngkdYyBEjYCBAUoLmGY/6/Hk + vZRBYE79R2FKgjKIIo/bElKI4H6jq2nke5No+nroPXRlFh7wu0yP+U3P6pSaaDKJ 
+ uJ5mMXxcboZEz8TyjRs1+RaFo+walNNfcA/ZOg8JRWV5Fe4JBw7GjgR6GH265h6z + ppakg801rFXVzbf9sCRz7ic3vpNywGgz8klwqQVR3H1GlZ5zvlDr6/lPin+YwlXR + d1wgRfFIima9K+IU+nymnBExInO5AyomolpN+bn4bnrx6q2l/FKWvEssVKZPPjT8 + v7lbzBiXxvb2AKYmNjL5AgMBAAGjgZEwgY4wHQYDVR0OBBYEFCXcx6YJW0L1JMSA + rQDbbc9LyQN3MB8GA1UdIwQYMBaAFCXcx6YJW0L1JMSArQDbbc9LyQN3MA8GA1Ud + EwEB/wQFMAMBAf8wOwYDVR0RBDQwMoIfenV1bC1qb2JzLmludGVybWVkaWF0ZS1y + ZWdpc3RyeYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBMQR4u + bcdeS6ML/X/BLh3HBjWf0DYobU5GVBoMC9c+L9Fxh82ck/CAK3Oeozr9iHFu5YLj + OsJWlAbRl0Getz7HOnVH9rMyL/ac9c99CKixjY1Vsf49x1itpOQULoZ+zJixFROk + 07KhnkaqsYs4SIfDSoa18UmBROEVT2y7yT0uYAwyxwMtZVJWUg7L9OuxPE/tMB0/ + NyNwMzhdKBL0V54rXH0dxOQ0yE5mGkaOOgKS5x43r78xRRNZ3JM5iRj3S0P75Nbg + YDvkkOd0Pf+5UPBJyc4wh5TA+vOrU63lKa6RwIWIbA+xXJn5WJQFoQOjO2dCcEka + 8p2tutWB2+G+3F12 -----END CERTIFICATE----- -#intermediate_registry_tls_chain diff --git a/test-playbooks/registry/vars/previous-build.yaml b/test-playbooks/registry/vars/previous-build.yaml index a3ca24821..ad1b74e60 100644 --- a/test-playbooks/registry/vars/previous-build.yaml +++ b/test-playbooks/registry/vars/previous-build.yaml @@ -2,7 +2,7 @@ # buildset via provides/requires. This build should be copied from # the intermediate registry to the buildset registry. -previous_build_repository: upstream/image +previous_build_repository: docker.io/upstream/image previous_build_uuid: 48a84fe22a744cb5b0310f396358d912 previous_build_zuul: artifacts: diff --git a/zuul-tests.d/container-roles-jobs.yaml b/zuul-tests.d/container-roles-jobs.yaml index ac888b855..46a291619 100644 --- a/zuul-tests.d/container-roles-jobs.yaml +++ b/zuul-tests.d/container-roles-jobs.yaml @@ -1,5 +1,5 @@ - job: - name: zuul-jobs-test-registry + name: zuul-jobs-test-registry-docker description: | Test the intermediate registry roles. 
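Review bot: The regeneration command recorded in the new comment uses `-days 365`, so this fixture certificate stops validating a year after it was generated and the registry test jobs will then fail TLS verification. The replaced certificate appears to have been issued for about twenty years. Regenerating with a long lifetime (for example `-days 7300`), or generating the key and certificate at job run time, would avoid the expiry failure. Because the private key and the `password` value are committed in the repository, a comment such as `# Test-only key material; never reuse outside this test job` above `intermediate_registry_tls_key` would make that explicit.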
@@ -17,6 +17,38 @@ pre-run: test-playbooks/registry/test-registry-pre.yaml run: test-playbooks/registry/test-registry.yaml post-run: test-playbooks/registry/test-registry-post.yaml + vars: + container_command: docker + nodeset: + nodes: + - name: intermediate-registry + label: ubuntu-bionic + - name: executor + label: ubuntu-bionic + - name: builder + label: ubuntu-bionic + +- job: + name: zuul-jobs-test-registry-podman + description: | + Test the intermediate registry roles. + + This job tests changes to the intermediate registry roles using + podman rather than docker. It is not meant to be used directly + but rather run on changes to roles in the zuul-jobs repo. + files: + - roles/pull-from-intermediate-registry/.* + - roles/push-to-intermediate-registry/.* + - roles/install-podman/.* + - roles/build-container-image/.* + - roles/run-buildset-registry/.* + - roles/use-buildset-registry/.* + - test-playbooks/registry/.* + pre-run: test-playbooks/registry/test-registry-pre.yaml + run: test-playbooks/registry/test-registry.yaml + post-run: test-playbooks/registry/test-registry-post.yaml + vars: + container_command: podman nodeset: nodes: - name: intermediate-registry @@ -52,6 +84,8 @@ pre-run: test-playbooks/registry/buildset-registry-pre.yaml run: test-playbooks/registry/buildset-registry.yaml post-run: test-playbooks/registry/test-registry-post.yaml + vars: + container_command: docker - job: name: zuul-jobs-test-registry-buildset-registry-k8s-docker @@ -74,6 +108,8 @@ post-run: - test-playbooks/registry/buildset-registry-k8s-docker-post.yaml - test-playbooks/registry/test-registry-post.yaml + vars: + container_command: docker - job: name: zuul-jobs-test-install-kubernetes-docker @@ -126,7 +162,8 @@ - project: check: jobs: &id001 - - zuul-jobs-test-registry + - zuul-jobs-test-registry-docker + - zuul-jobs-test-registry-podman - zuul-jobs-test-registry-buildset-registry - zuul-jobs-test-registry-buildset-registry-k8s-docker - zuul-jobs-test-install-kubernetes-docker