# This can be removed if we add this functionality to Zuul directly - name: Load information from zuul_return when: buildset_registry is not defined set_fact: buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}" no_log: true # Start a socat tunnel to the buildset registry to work around the # fact that docker does not correctly parse ipv6 addresses. The socat # process will terminate when the playbook ends. - name: Start socat to work around https://github.com/moby/moby/issues/39033 shell: | set -o pipefail setsid socat -d -d TCP-LISTEN:0,fork TCP:{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }} 2>&1 | grep --line-buffered 'listening on' > {{ zuul.executor.work_root }}/socat_port & args: executable: /bin/bash # Use slurp instead of file lookup to make this testable on a fake # executor node. - name: Read socat port slurp: src: "{{ zuul.executor.work_root }}/socat_port" register: read_socat_port - name: Set socat port set_fact: socat_port: "{{ read_socat_port['content'] | b64decode | regex_replace('.*?0\\.0\\.0\\.0:(\\d+)', '\\1') | regex_replace('\n', '') }}" # Set up cert files for the buildset registry - name: Ensure registry cert directory exists file: path: "/etc/docker/certs.d/127.0.0.1:{{ socat_port }}/" state: directory mode: 0755 - name: Write registry TLS certificate copy: content: "{{ buildset_registry.cert }}" dest: "/etc/docker/certs.d/127.0.0.1:{{ socat_port }}/ca.crt" mode: 0644 # Update user config for intermediate and buildset registries - name: Ensure docker user directory exists file: state: directory path: "~/.docker" mode: 0700 - name: Check if docker user configuration exists stat: path: "~/.docker/config.json" register: docker_config_stat - name: Load docker user configuration when: docker_config_stat.stat.exists slurp: path: "~/.docker/config.json" register: docker_config no_log: true - name: Parse docker user configuration when: docker_config_stat.stat.exists set_fact: docker_config: "{{ docker_config.content | b64decode | from_json }}" no_log: true - name: Set default docker user configuration when: not docker_config_stat.stat.exists set_fact: docker_config: auths: {} - name: Add registry to docker user configuration no_log: true vars: new_config: auths: | { "{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}": {"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"}, "127.0.0.1:{{ socat_port }}": {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}, } set_fact: new_docker_config: "{{ docker_config | combine(new_config, recursive=True) }}" - name: Save docker user configuration copy: content: "{{ new_docker_config | to_nice_json }}" dest: "~/.docker/config.json" mode: 0600 no_log: true # Pull the images # To support usage with both docker and podman, the buildset registry # keeps "docker.io" entries un-namespaced, and any other namespaces # are namespaced. Therefore, if we see docker.io in the repository # name, we strip it here. - name: Pull artifacts from intermediate registry block: - name: Pull artifacts from intermediate registry command: >- skopeo --insecure-policy copy --all {{ zj_zuul_artifact.url }} docker://127.0.0.1:{{ socat_port }}/{{ zj_zuul_artifact.metadata.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ zj_zuul_artifact.metadata.tag }} retries: 3 register: result until: result is success when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'" loop: "{{ zuul_artifacts | default([]) }}" loop_control: loop_var: zj_zuul_artifact always: - name: Remove docker user config command: "shred ~/.docker/config.json" - name: Replace docker user configuration copy: content: "{{ docker_config | to_nice_json }}" dest: "~/.docker/config.json" mode: 0600 no_log: true