
run-buildset-registry: run a dual registry

The docker registry daemon can either act as a private registry,
or as a pull-through proxy, but not both.  Yet we need to be able
to serve private (speculative buildset) images as well as plain
upstream images.  Our registry is used as a mirror and requires
authentication, therefore docker's normal behavior of falling back
on docker.io won't work because it will attempt to use our
credentials.

However, the registry daemon stores all of its state in the
filesystem, therefore we can run two instances of the registry
service, both pointing at the same data store.  The first acts
as a pull-through proxy and will serve whatever files are already
in the local storage, or will fetch them from docker.io.  The second
can be used to upload images into the local storage.

To make a long story short, whenever we push into the buildset
registry, we will use the second endpoint.  Whenever the docker
daemon pulls from the buildset registry, it will use the first.

Change-Id: I296029068b5ef28ee56543741fe8c8deeefb5dfa
changes/14/638514/1
James E. Blair 3 months ago
parent
commit
e7a0f0da8b
2 changed files with 34 additions and 3 deletions
  1. 12
    1
      roles/run-buildset-registry/README.rst
  2. 22
    2
      roles/run-buildset-registry/tasks/main.yaml

+ 12
- 1
roles/run-buildset-registry/README.rst View File

@@ -2,7 +2,10 @@ Runs a docker registry for the use of this buildset.
2 2
 
3 3
 This may be used for a single job running on a single node, or it may
4 4
 be used at the root of a job graph so that multiple jobs running for a
5
-single change can share the registry.
5
+single change can share the registry.  Two registry endpoints are
6
+provided -- one is a read-only endpoint which acts as a pull-through
7
+proxy and serves upstream images as well as those which are pushed to
8
+the registry.  The second is intended only for pushing images.
6 9
 
7 10
 **Role Variables**
8 11
 
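Review bot: The new sentence ending "The second is intended only for pushing images" does not say which role variables address which endpoint. Suggest naming them in this paragraph: `host`/`port` for the read-only pull-through endpoint and `push_host`/`push_port` for the push endpoint, so a reader does not have to infer the mapping from the variable list further down.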
@@ -25,6 +28,14 @@ single change can share the registry.
25 28
 
26 29
       The port on which the registry is listening.
27 30
 
31
+   .. zuul:rolevar:: push_host
32
+
33
+      The host (IP address) to use when pushing images to the registry.
34
+
35
+   .. zuul:rolevar:: push_port
36
+
37
+      The port to use when pushing images to the registry.
38
+
28 39
    .. zuul:rolevar:: username
29 40
 
30 41
       The username used to access the registry via HTTP basic auth.
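Review bot: The `push_host` and `push_port` descriptions do not say whether the `username` documented just below them also applies to the push endpoint. The tasks file mounts the same `/auth` and `/certs` volumes into both containers, so the same credentials and certificate are used for both; say so here, and state that pushes are expected to go only to `push_host`/`push_port` and not to `host`/`port`.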

+ 22
- 2
roles/run-buildset-registry/tasks/main.yaml View File

@@ -59,9 +59,9 @@
59 59
 - name: Decode TLS certificate
60 60
   set_fact:
61 61
     certificate: "{{ certificate.content | b64decode }}"
62
-- name: Start a docker registry
62
+- name: Start a docker proxy
63 63
   docker_container:
64
-    name: buildset_registry
64
+    name: buildset_proxy
65 65
     image: registry:2
66 66
     state: started
67 67
     restart_policy: always
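Review bot: The container name `buildset_registry` is taken away from this task and reused for the new push-only container added later in the file, so the same name now refers to a different service. Anything that addresses the container by name (log collection, cleanup, `docker exec`) will now reach the push endpoint instead of the one the docker daemon pulls from. Check those callers, or keep `buildset_registry` on this container and give the new one a distinct name.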
@@ -80,11 +80,31 @@
80 80
       - "{{ buildset_registry_root}}/data:/var/lib/registry"
81 81
       - "{{ buildset_registry_root}}/certs:/certs"
82 82
       - "{{ buildset_registry_root}}/auth:/auth"
83
+- name: Start a docker registry
84
+  docker_container:
85
+    name: buildset_registry
86
+    image: registry:2
87
+    state: started
88
+    restart_policy: always
89
+    ports:
90
+     - "5001:5000"
91
+    env:
92
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
93
+      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
94
+      REGISTRY_AUTH: htpasswd
95
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
96
+      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
97
+    volumes:
98
+      - "{{ buildset_registry_root}}/data:/var/lib/registry"
99
+      - "{{ buildset_registry_root}}/certs:/certs"
100
+      - "{{ buildset_registry_root}}/auth:/auth"
83 101
 - name: Set registry information fact
84 102
   set_fact:
85 103
     buildset_registry:
86 104
       host: "{{ ansible_host }}"
87 105
       port: 5000
106
+      push_host: "{{ ansible_host }}"
107
+      push_port: 5001
88 108
       username: zuul
89 109
       password: "{{ registry_password }}"
90 110
       cert: "{{ certificate }}"
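Review bot: In the added `Start a docker registry` task, the push endpoint reads the same `/auth/htpasswd` file as the proxy container, and the fact publishes a single `username`/`password` for both ports, so any consumer holding the credentials for port 5000 can also push on port 5001. If the README's "read-only" endpoint is meant as a boundary and not only a convention, give the push container its own htpasswd file and expose separate push credentials in the fact. Two smaller points: the `- "5001:5000"` item is indented five spaces where the `volumes` items use six, and 5001 is written out in both `ports` and `push_port`, where one variable would keep the two in step.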
