Page MenuHomePhabricator
Create Task
Maniphest T118758

Setup private docker registry with authentication support in tools
Closed, ResolvedPublic
Actions

Description

So we can stop depending on dockerhub.

Needs both TLS and Basic Auth support.

Details

SubjectRepoBranchLines +/-
Revert "labs: Add support for custom cnames in labs recursor"operations/puppetproduction+2 -37
labs: Add support for custom cnames in labs recursoroperations/puppetproduction+37 -2
labs: Revert all work around CNAMEs for toollabsoperations/puppetproduction+0 -0
labs: Revert all work around CNAMEs for toollabsoperations/puppetproduction+0 -21
labs: Set tools zonefile to be loadedoperations/puppetproduction+1 -1
labs: Add CNAMES for tools specific thingsoperations/puppetproduction+21 -0
tools: Add authentication for docker registryoperations/puppetproduction+16 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

yuvipanda created this task.Nov 16 2015, 6:04 PM
yuvipanda claimed this task.
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added projects: Cloud-Services, SRE.
yuvipanda subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptNov 16 2015, 6:04 PM
yuvipanda triaged this task as Medium priority.Nov 23 2015, 6:04 PM
yuvipanda set Security to None.
gerritbot subscribed.Feb 29 2016, 12:49 AM

Change 273840 had a related patch set uploaded (by Yuvipanda):
tools: Add authentication for docker registry

https://gerrit.wikimedia.org/r/273840

gerritbot added a project: Patch-For-Review.Feb 29 2016, 12:49 AM
gerritbot added a comment.Feb 29 2016, 5:14 PM

Change 273840 merged by Yuvipanda:
tools: Add authentication for docker registry

https://gerrit.wikimedia.org/r/273840

yuvipanda added a comment.Mar 1 2016, 12:00 AM

This now works properly, and I can push and pull!

However, docker has decided to do incredibly braindead things and ties image names to include a *hostname*, so I can't just have them be tools-docker-registry-01.

I'll probably need to setup a CNAME for tools-docker-registry.tools.eqiad.wmflabs...

gerritbot added a comment.Mar 1 2016, 5:42 PM

Change 274148 had a related patch set uploaded (by Yuvipanda):
labs: Add CNAMES for tools specific things

https://gerrit.wikimedia.org/r/274148

gerritbot added a comment.Mar 1 2016, 5:57 PM

Change 274148 merged by Yuvipanda:
labs: Add CNAMES for tools specific things

https://gerrit.wikimedia.org/r/274148

gerritbot added a comment.Mar 1 2016, 6:11 PM

Change 274160 had a related patch set uploaded (by Yuvipanda):
labs: Set tools zonefile to be loaded

https://gerrit.wikimedia.org/r/274160

gerritbot added a comment.Mar 1 2016, 6:14 PM

Change 274160 merged by Yuvipanda:
labs: Set tools zonefile to be loaded

https://gerrit.wikimedia.org/r/274160

yuvipanda added a comment.Mar 1 2016, 6:22 PM

the CNAME is setup, and https://wikitech.wikimedia.org/w/index.php?title=Hiera%3ATools%2Fhost%2Ftools-docker-registry-01&type=revision&diff=336976&oldid=284007 is starting towards the SAN for the SSL cert...

yuvipanda added a comment.Mar 1 2016, 7:37 PM

Meh, that screwed up, reverting all the CNAME work...

gerritbot added a comment.Mar 1 2016, 7:38 PM

Change 274179 had a related patch set uploaded (by Yuvipanda):
labs: Revert all work around CNAMEs for toollabs

https://gerrit.wikimedia.org/r/274179

gerritbot added a comment.Mar 1 2016, 7:41 PM

Change 274180 had a related patch set uploaded (by Yuvipanda):
labs: Revert all work around CNAMEs for toollabs

https://gerrit.wikimedia.org/r/274180

gerritbot added a comment.Mar 1 2016, 7:45 PM

Change 274180 merged by Yuvipanda:
labs: Revert all work around CNAMEs for toollabs

https://gerrit.wikimedia.org/r/274180

scfc added subscribers: Joe, scfc.Mar 1 2016, 8:03 PM

Is @Joe's T123628 a duplicate of this task? AFAIUI, there the registry would be a container and the name issue solved like other containers?

If there needs to be a CNAME, why not add it to operations/dns? Does it need to be in *.tools.eqiad.wmflabs?

yuvipanda merged a task: T123628: Install a docker registry to be used by kubernetes.Mar 1 2016, 8:04 PM
yuvipanda added subscribers: JanZerebecki, valhallasw, zhuyifei1999 and 2 others.

Indeed it's the same, I've merged it in.

The reason it's not just a container is mostly because we don't have swift on the horizon yet and I'm *far* more averse to putting anything on NFS now :)

And I want it to be a CNAME under tools since this is tools specific, and not super general - only root can pull / push from it.

yuvipanda added a comment.Mar 1 2016, 8:07 PM

That ticket also has a far more complex setup for a ful PaaS system that we aren't doing yet (and when we do do it, we shouldn't be building our own but using a system like OpenShift / Deis), so have merged that into this.

gerritbot added a comment.Mar 4 2016, 1:50 AM

Change 274179 abandoned by Yuvipanda:
labs: Revert all work around CNAMEs for toollabs

https://gerrit.wikimedia.org/r/274179

yuvipanda added a parent task: T129309: Goal: Allow using k8s instead of GridEngine as a backend for webservices.Mar 9 2016, 4:28 AM
gerritbot added a comment.Mar 21 2016, 3:58 AM

Change 278705 had a related patch set uploaded (by Yuvipanda):
labs: Add support for custom cnames in labs recursor

https://gerrit.wikimedia.org/r/278705

gerritbot added a comment.Mar 22 2016, 5:01 PM

Change 278705 merged by Yuvipanda:
labs: Add support for custom cnames in labs recursor

https://gerrit.wikimedia.org/r/278705

gerritbot added a comment.Mar 22 2016, 8:11 PM

Change 278964 had a related patch set uploaded (by Yuvipanda):
Revert "labs: Add support for custom cnames in labs recursor"

https://gerrit.wikimedia.org/r/278964

gerritbot added a comment.Mar 22 2016, 8:12 PM

Change 278964 merged by Yuvipanda:
Revert "labs: Add support for custom cnames in labs recursor"

https://gerrit.wikimedia.org/r/278964

yuvipanda closed this task as Resolved.Mar 22 2016, 8:49 PM

I've reverted all the CNAME work - @Joe pointed out that we'll want to have the registry available (in a readonly mode) to the whole world at some point anyway, so it's ok to use tools-docker-registry.wmflabs.org (and eventually, docker-registry.tools.wmflabs.org). So it is serving on port 443 on tools-docker-registry.wmflabs.org now.

I count this as done! \o/

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits