From 05f20a5396b8a1f463129b99bbe23b8b7862afdd Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Tue, 9 Apr 2019 10:10:37 -0700
Subject: [PATCH] Only alias registries on build nodes

We only need to alias registries on the build nodes when running docker. We cannot alias them in /etc/hosts in roles that are expected to run on localhost beacuse /etc/hosts is bindmounted read only on localhost. This assumes that skopeo handles ipv6 properly (which has not been tested). If skopeo does not handle ipv6 properly then we'll need additional fixing.

Change-Id: I40e5b1bac5aeaf2d42aa05a72b9ced72b7d222c0
---
roles/build-docker-image/tasks/push.yaml | 24 +++++++++++++--
.../tasks/main.yaml | 2 +-
.../tasks/push.yaml | 1 +
roles/use-buildset-registry/tasks/main.yaml | 30 +++++++++++++++----
.../tasks/user-config.yaml | 4 +--
5 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/roles/build-docker-image/tasks/push.yaml b/roles/build-docker-image/tasks/push.yaml
index 582849329..e37d9ea80 100644
--- a/roles/build-docker-image/tasks/push.yaml
+++ b/roles/build-docker-image/tasks/push.yaml
@@ -1,12 +1,32 @@
+# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
+# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
+- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
+  become: yes
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
+    line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
+    insertafter: EOF
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using ip
+  set_fact:
+    buildset_registry_alias: zuul-jobs.buildset_registry
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using name
+  set_fact:
+    buildset_registry_alias: "{{ buildset_registry.host }}"
+  when: not ( buildset_registry.host | ipaddr )
+
 - name: Tag image for buildset registry
   command: >-
-    docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
   loop: "{{ image.tags | default(['latest']) }}"
   loop_control:
     loop_var: image_tag
 - name: Push tag to buildset registry
   command: >-
-    docker push {{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker push {{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
   loop: "{{ image.tags | default(['latest']) }}"
   loop_control:
     loop_var: image_tag
diff --git a/roles/pull-from-intermediate-registry/tasks/main.yaml b/roles/pull-from-intermediate-registry/tasks/main.yaml
index 448f01cf7..9a2e49863 100644
--- a/roles/pull-from-intermediate-registry/tasks/main.yaml
+++ b/roles/pull-from-intermediate-registry/tasks/main.yaml
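Review bot: The `regex` of the new lineinfile task is keyed on the host as well as the alias, so a `zuul-jobs.buildset_registry` line left behind for a different registry address is never replaced — lineinfile appends a second line, and since resolvers generally honour the first matching /etc/hosts entry the stale one can win and send docker to the wrong registry. The host is also interpolated unescaped, so the dots of an IPv4 address act as regex wildcards. Matching on the alias alone makes the task converge on exactly one entry: `regex: "\tzuul-jobs.buildset_registry$"`. The same three tasks are copied verbatim into roles/use-buildset-registry/tasks/main.yaml (hunk `@@ -1,3 +1,23 @@`); a shared task file included from both roles would keep the two copies in step.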
@@ -3,6 +3,7 @@
   when: buildset_registry is not defined
   set_fact:
     buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+
 - name: Ensure registry cert directory exists
   file:
     path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
@@ -12,7 +13,6 @@
     content: "{{ buildset_registry.cert }}"
     dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"
 
-
 # Update user config for intermediate and buildset registries
 - name: Ensure docker user directory exists
   file:
diff --git a/roles/push-to-intermediate-registry/tasks/push.yaml b/roles/push-to-intermediate-registry/tasks/push.yaml
index 3c71df47a..73a3cb3dc 100644
--- a/roles/push-to-intermediate-registry/tasks/push.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push.yaml
@@ -3,6 +3,7 @@
   when: buildset_registry is not defined
   set_fact:
     buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+
 - name: Ensure registry cert directory exists
   file:
     path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml
index f98820c91..97c5bb9ce 100644
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -1,3 +1,23 @@
+# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
+# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
+- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
+  become: yes
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
+    line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
+    insertafter: EOF
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using ip
+  set_fact:
+    buildset_registry_alias: zuul-jobs.buildset_registry
+  when: buildset_registry.host | ipaddr
+- name: Set buildset_registry alias variable when using name
+  set_fact:
+    buildset_registry_alias: "{{ buildset_registry.host }}"
+  when: not ( buildset_registry.host | ipaddr )
+
 - name: Ensure docker directory exists
   become: yes
   file:
@@ -6,23 +26,23 @@
 - name: Ensure buildset registry cert directory exists
   become: true
   file:
-    path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
+    path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
     state: directory
 - name: Ensure proxy registry cert directory exists
   become: true
   file:
-    path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}/"
+    path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
     state: directory
 - name: Write buildset registry TLS certificate
   become: true
   copy:
     content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"
+    dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
 - name: Write proxy registry TLS certificate
   become: true
   copy:
     content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}/ca.crt"
+    dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
 
 # Update daemon config
 - name: Check if docker daemon configuration exists
@@ -46,7 +66,7 @@
 - name: Add registry to docker daemon configuration
   vars:
     new_config:
-      registry-mirrors: "['https://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port}}/', 'https://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port}}/']"
+      registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port}}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port}}/']"
   set_fact:
     docker_config: "{{ docker_config | combine(new_config) }}"
 - name: Save docker daemon configuration
diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml
index 56b2d2124..09b0602df 100644
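Review bot: Naming the certs.d directories after `buildset_registry_alias` also changes the name docker validates the registry's TLS certificate against: for an IP host it is now `zuul-jobs.buildset_registry` rather than the address itself, so `buildset_registry.cert` must carry that DNS name as a subject alternative name or hostname verification will fail even though the CA is trusted. Nothing in this change shows where that certificate is generated, so it is worth confirming on the registry side before merging. A comment above `Ensure buildset registry cert directory exists` would record the coupling: `# docker validates the registry cert against buildset_registry_alias, so the cert must list that name as a SAN.` The hunk at `@@ -46,7 +66,7 @@` carries the same dependency for the registry-mirrors URLs.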
--- a/roles/use-buildset-registry/tasks/user-config.yaml
+++ b/roles/use-buildset-registry/tasks/user-config.yaml
@@ -29,9 +29,9 @@
 
       {
        "https://index.docker.io/v1/": {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
-       "{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}":
+       "{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
         {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
-       "{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}":
+       "{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
         {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
       }
   set_fact: