Background
We're looking at this during the Release-Engineering-Team (GitLab-a-thon 🦊) sprint as a potential default for building / publishing images from GitLab CI. In particular, the docs mention per-job registry users and tokens and make this seem like an intended workflow. After some discussion, we're leaning towards the idea that this would make sense:
- As an intermediary publication target for images to later be imported into the production registry.
- For caching purposes.
- Explicitly not as a permanent / guaranteed nonvolatile store of images.
Notes
Upstream documentation here:
- https://docs.gitlab.com/ee/user/packages/container_registry/
- https://docs.gitlab.com/ee/administration/packages/container_registry.html
Our omnibus installation currently has the registry disabled instance-wide with registry['enable'] = false in gitlab.rb. This is modules/gitlab/templates/gitlab.rb.erb in ops/puppet.
The registry defaults to local filesystem storage in /var/opt/gitlab/gitlab-rails/shared/registry, but other backends are supported:
Driver | Description |
filesystem | Uses a path on the local file system |
azure | Microsoft Azure Blob Storage |
gcs | Google Cloud Storage |
s3 | Amazon Simple Storage Service. Be sure to configure your storage bucket with the correct s3 Permission Scopes. |
swift | OpenStack Swift Object Storage |
oss | Aliyun OSS |
There's not currently a way to impose a storage quota.
Questions
A starting list:
- What would it take to do storage correctly?
- As I understand it, docker-registry.wikimedia.org is backed by Swift. Could/should we do the same here?
- Alternatively, would filesystem storage be good enough?
- If so, how much space would we need?
- Is it actually safe to assume we wouldn't need to handle backups here?
- How would we handle garbage collection?
- There's a command for this, but note: "You must set the Registry to read-only mode. Running garbage collection causes downtime for the Container Registry."
- "Retention policies within your object storage provider, such as Amazon s3 Lifecycle, may prevent objects from being properly deleted."
- Deleting images from the existing registry is tricky; would the same be true if we used Swift for storage here?
A lot of these are questions for serviceops folks.