Only alias registries on build nodes

We only need to alias registries on the build nodes when running docker. We cannot alias them in /etc/hosts in roles that are expected to run on localhost beacuse /etc/hosts is bindmounted read only on localhost. This assumes that skopeo handles ipv6 properly (which has not been tested). If skopeo does not handle ipv6 properly then we'll need additional fixing. Change-Id: I40e5b1bac5aeaf2d42aa05a72b9ced72b7d222c0
2019-04-09 10:10:37 -07:00 · 2019-04-09 10:10:37 -07:00 · 05f20a5396
commit 05f20a5396
parent 3a29935f32
5 changed files with 51 additions and 10 deletions
--- a/roles/build-docker-image/tasks/push.yaml
+++ b/roles/build-docker-image/tasks/push.yaml
@ -1,12 +1,32 @@
+# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
+# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
+- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
+  become: yes
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
+    line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
+    insertafter: EOF
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using ip
+  set_fact:
+    buildset_registry_alias: zuul-jobs.buildset_registry
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using name
+  set_fact:
+    buildset_registry_alias: "{{ buildset_registry.host }}"
+  when: not ( buildset_registry.host | ipaddr )
+
 - name: Tag image for buildset registry
  command: >-
-    docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
  loop: "{{ image.tags | default(['latest']) }}"
  loop_control:
    loop_var: image_tag
 - name: Push tag to buildset registry
  command: >-
-    docker push {{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker push {{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
  loop: "{{ image.tags | default(['latest']) }}"
  loop_control:
    loop_var: image_tag
--- a/roles/pull-from-intermediate-registry/tasks/main.yaml
+++ b/roles/pull-from-intermediate-registry/tasks/main.yaml
@ -3,6 +3,7 @@
  when: buildset_registry is not defined
  set_fact:
    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+
 - name: Ensure registry cert directory exists
  file:
    path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
@ -12,7 +13,6 @@
    content: "{{ buildset_registry.cert }}"
    dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"

-
 # Update user config for intermediate and buildset registries
 - name: Ensure docker user directory exists
  file:
--- a/roles/push-to-intermediate-registry/tasks/push.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push.yaml
@ -3,6 +3,7 @@
  when: buildset_registry is not defined
  set_fact:
    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+
 - name: Ensure registry cert directory exists
  file:
    path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@ -1,3 +1,23 @@
+# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
+# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
+- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
+  become: yes
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
+    line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
+    insertafter: EOF
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using ip
+  set_fact:
+    buildset_registry_alias: zuul-jobs.buildset_registry
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using name
+  set_fact:
+    buildset_registry_alias: "{{ buildset_registry.host }}"
+  when: not ( buildset_registry.host | ipaddr )
+
 - name: Ensure docker directory exists
  become: yes
  file:
@ -6,23 +26,23 @@
 - name: Ensure buildset registry cert directory exists
  become: true
  file:
-    path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
+    path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
    state: directory
 - name: Ensure proxy registry cert directory exists
  become: true
  file:
-    path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}/"
+    path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
    state: directory
 - name: Write buildset registry TLS certificate
  become: true
  copy:
    content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"
+    dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
 - name: Write proxy registry TLS certificate
  become: true
  copy:
    content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}/ca.crt"
+    dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"

 # Update daemon config
 - name: Check if docker daemon configuration exists
@ -46,7 +66,7 @@
 - name: Add registry to docker daemon configuration
  vars:
    new_config:
-      registry-mirrors: "['https://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port}}/', 'https://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port}}/']"
+      registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port}}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port}}/']"
  set_fact:
    docker_config: "{{ docker_config | combine(new_config) }}"
 - name: Save docker daemon configuration
--- a/roles/use-buildset-registry/tasks/user-config.yaml
+++ b/roles/use-buildset-registry/tasks/user-config.yaml
@ -29,9 +29,9 @@
        {
          "https://index.docker.io/v1/":
            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
-          "{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}":
+          "{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
-          "{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}":
+          "{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
        }
  set_fact: