Page MenuHomePhabricator
Create Task
Maniphest T304845

gitlab: consider enabling docker container registry
Closed, DeclinedPublicFeature
Actions

Description

Gtilab is capable of having a docker container registry per repository, see here
https://gitlab.wikimedia.org/help/user/packages/container_registry/index.md

There are capacity & storage questions to be considered, and perhaps the answer is to enable the docker registry only on-demand, on a per-repo basis, which I ignore if gitlabs allows.

Some example use cases:

  • For Toolforge, for example, we already have one docker registry, which can be browsed at https://docker-registry.toolforge.org/. This registry is, however, managed by hand, poorly integrated into code repositories. Replacing it (or parts of it) with gitlab-generated registries would be really nice.
  • Also for Toolforge, we're currently experimenting with harbor https://goharbor.io/ to allow per-tool docker registries. Our plan is to keep working with harbor for now, but if gitlab had this feature enabled, then we could certainly add another potential solutions to the kind of problems we're trying to solve.
  • I can also think on another use case: to generate gitlab CI-related docker container images from gitlab itself. Storing those images meant to be used only for gitlab in a registry maintained by gitlab seems elegant and a legit use case.

These are just 3 simple examples. Perhaps others may have more ideas, but for now, I wanted to capture them in this ticket.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
GitLab: enable container registryoperations/puppetproduction+35 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

aborrero created this task.Mar 28 2022, 2:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2022, 2:59 PM
aborrero triaged this task as Medium priority.Mar 28 2022, 2:59 PM
aborrero added a project: cloud-services-team (Kanban).
aborrero moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.
aborrero changed the subtype of this task from "Task" to "Feature Request".
RhinosF1 subscribed.Mar 28 2022, 6:13 PM
Aklapper removed a subscriber: cloud-services-team (Kanban).Mar 29 2022, 12:52 PM
Ottomata added subscribers: gmodena, Ottomata.Mar 29 2022, 3:59 PM

generate gitlab CI-related docker container images from gitlab itself

data engineering and platform engineering would love to be able to do this. See: T304450: Create conda .deb and docker image cc @gmodena

aborrero added a comment.Mar 29 2022, 4:15 PM

The idea to have this gitlab CI-related container images stored in gitlab itself came from this PoC:

1-- https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-framework-api/-/blob/main/.gitlab-ci.yml

This repo has a gitlab-ci.yaml file that points to another repository:

include:
 - https://gitlab.wikimedia.org/repos/cloud/cicd/gitlab-ci/-/raw/main/py3.9-buster-tox/gitlab-ci.yaml

2-- https://gitlab.wikimedia.org/repos/cloud/cicd/gitlab-ci/-/blob/main/py3.9-bullseye-tox/gitlab-ci.yaml
The included gitlab-ci.yaml file contains the definition for a simple python tox test. But it uses a docker image, where is that image?

image: "docker-registry.tools.wmflabs.org/cloud-cicd-py39bullseye-tox:latest"

tox:
  stage: test
  script:
    - tox

3-- https://gitlab.wikimedia.org/repos/cloud/cicd/gitlab-ci/-/blob/main/py3.9-bullseye-tox/Dockerfile

FROM docker-registry.tools.wmflabs.org/python:3.9-slim-bullseye
RUN pip install tox

The image can be built from this same repository, and hosted on a dedicated docker registry. For this example, since we don't have a dedicated docker registry in gitlab we're using the Toolforge docker registry.
Also, in this example the base image (python:3.9-slim-bullseye) has been cached as well on the Toolforge docker registry (given the ratelimits on docker hub).

This setup just works, see here for example: https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-framework-api/-/pipelines/2768

brennen moved this task from Inbox to Administration, Settings & Policy on the GitLab board.Apr 18 2022, 7:02 PM
brennen edited projects, added GitLab (Administration, Settings & Policy); removed GitLab.
brennen added a project: Release-Engineering-Team (GitLab-a-thon 🦊).May 3 2022, 4:59 PM
brennen subscribed.

Tagging for evaluation during Release-Engineering-Team (GitLab-a-thon 🦊).

brennen changed the status of subtask T307537: Assess GitLab Container Registry as a default for container build processes from Open to In Progress.May 10 2022, 5:27 PM
dduvall removed a subtask: T308080: Replicate select published images from GitLab container registry to WMF prod registry.May 10 2022, 10:38 PM
dduvall added a parent task: T308080: Replicate select published images from GitLab container registry to WMF prod registry.
brennen changed the status of subtask T307537: Assess GitLab Container Registry as a default for container build processes from In Progress to Stalled.May 11 2022, 11:33 PM
akosiaris subscribed.May 17 2022, 3:20 PM
Ottomata mentioned this in T304450: Create conda .deb and docker image.May 19 2022, 4:48 PM
brennen mentioned this in T307537: Assess GitLab Container Registry as a default for container build processes.May 25 2022, 10:04 PM
brennen closed subtask T307537: Assess GitLab Container Registry as a default for container build processes as Resolved.
brennen added a comment.May 25 2022, 10:08 PM

See T307537: Assess GitLab Container Registry as a default for container build processes for relevant discussion here. I think consensus in RelEng is that it would be useful to enable this, although it's not a strict blocker to an image publishing pathway.

A blocker to anything other than limited experimental use is T307142: bring new gitlab hardware servers into production, since we're currently pretty constrained on storage.

LSobanski subscribed.May 26 2022, 12:33 PM
gerritbot added a comment.Jun 3 2022, 7:55 PM

Change 790778 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[operations/puppet@production] GitLab: enable container registry

https://gerrit.wikimedia.org/r/790778

gerritbot added a project: Patch-For-Review.Jun 3 2022, 7:55 PM
BTullis subscribed.Jun 8 2022, 4:24 PM
thcipriani changed the task status from Open to Stalled.Jun 21 2022, 6:19 PM
thcipriani subscribed.

After chatting with individual RelEngers, I wanted to add some clarification here.

From RelEng's perspective:

  1. We're not enabling the registry in the near term
  2. We'd like to use JSON Web Tokens for pushing to our production registry as our build process: T308501: Authenticate trusted runners for registry access against GitLab using temporary JSON Web Token (we're working with SRE to get that done)
  3. GitLab's registry has a lot of nice features, but if we decide to go that route we'll ensure we discuss with both SRE and WMCS before we do

In the interim, marking this as stalled until we are ready to have those discussions.

Ottomata added a comment.Jun 22 2022, 12:07 PM

Aw, that is unfortunate! We were really hoping for this soon to help speed up CI times by prebuilding CI images. Several of our CI pipelines use conda environments and/or Spark, and installing all that from scratch for each pipeline run makes tests take 7 minutes or more.

akosiaris added a subscriber: hashar.Jun 22 2022, 12:18 PM
In T304845#8019564, @Ottomata wrote:

Aw, that is unfortunate! We were really hoping for this soon to help speed up CI times by prebuilding CI images. Several of our CI pipelines use conda environments and/or Spark, and installing all that from scratch for each pipeline run makes tests take 7 minutes or more.

To my understanding, you can prebuild CI images now too. See https://gerrit.wikimedia.org/r/plugins/gitiles/integration/config/+/master/dockerfiles/ for examples.

@hashar should be able to provide guidance if that is the best approach for what you want to do.

Ottomata added a comment.Jun 22 2022, 12:30 PM

Hm, yeah @hashar had told me not to do this, because the intention was to eventually deprecate integration/config dockerfiles in favor of gitlab. Perhaps since gitlab won't support this soon, we should use integration/config now?

Ottomata mentioned this in T311111: Improve speed of Gitlab CI.Jun 22 2022, 12:52 PM
thcipriani edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team (GitLab-a-thon 🦊).Sep 7 2022, 3:44 PM
gerritbot added a comment.Sep 20 2022, 8:59 PM

Change 790778 abandoned by Brennen Bearnes:

[operations/puppet@production] GitLab: enable container registry

Reason:

https://gerrit.wikimedia.org/r/790778

Maintenance_bot removed a project: Patch-For-Review.Sep 20 2022, 9:30 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM
fnegri moved this task from Kanban to Watching on the cloud-services-team board.
Mhurd subscribed.May 23 2023, 1:25 AM

I'm exploring producing some Docker image build artifacts and saw this wasn't enabled in our install

Would be really cool if I could use Gitlab's container registry at some point, but I understand there are concerns which may need to be addressed first

dcaro subscribed.May 23 2023, 8:08 AM

Quick update on toolforge side, we are currently using harbor (https://goharbor.io) for tool images, and for toolforge images too.

We are investigating how to build images on gitlab and push to our harbor instance for our system components (T336130: Automatically build Toolforge infrastructure container images in GitLab), but we are not blocked by needing an image repository.
It's not a public repository though, so you can't push whatever you want there, but would be interesting eventually to reuse gitlab build system if possible (we are pretty tied to buildpacks though).

Sportzpikachu subscribed.Oct 8 2023, 2:52 PM
Don-vip awarded a token.Jan 20 2024, 11:46 AM
Don-vip subscribed.
XtexChooser subscribed.Apr 25 2025, 4:01 PM
DPogorzelski-WMF subscribed.Wed, Nov 12, 4:08 PM

The ML team needs a place where to store large LLM docker container images and gitlab registry is a solution we would like to test.
At the same time we intend to use gitlab's pipelines so keeping the entire production flow in a single place will streamline the product development workflow.

thcipriani added a comment.Wed, Nov 12, 5:59 PM
In T304845#11367372, @DPogorzelski-WMF wrote:

The ML team needs a place where to store large LLM docker container images and gitlab registry is a solution we would like to test.
At the same time we intend to use gitlab's pipelines so keeping the entire production flow in a single place will streamline the product development workflow.

Hey @DPogorzelski-WMF publishing from our GitLab to docker-registry.wikimedia.org would likely be your best path here. Docs for this workflow are on MediaWiki.org/GitLab. This registry is well-maintained and should (I hope) accommodate your needs.

thcipriani closed this task as Declined.Wed, Nov 12, 6:27 PM

Declining this task to be clear we have no intention of turning on the GitLab docker image registry.

There are two registries that are maintained and cover big use-cases: toolforge images and images needed for Wikimedia production.

Turning on the GitLab registry would take both people and computers to provide a registry that makes users happy. The GitLab registry lacks:

  • a reliable/expandable way to store and serve a growing number of images
  • humans to build, maintain, and document a additional registry in our environment. Including maintenance of the backend that stores and serves a growing number of images well and with reasonable uptime.

Many (though admittedly not all) use-cases here should be covered by existing, well-maintained registries and processes. The existing registries and processes are what we should strive to keep improving and maintaining.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits