<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Hi
Hongbin<br>
<o:p></o:p></span><br>
</p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Thanks
for starting this thread,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">I
initial propose this bp because I am in China which is behind
China great wall and can not have access of gcr.io directly,
after checking our cloud-init script, I see that<o:p></o:p></span></p>
<span style="color:#1F497D" lang="EN-US">lots of code are *hard
coded* to using gcr.io, I personally though this is not good idea.
We can not force user/customer to have internet access in their
environment.<br>
<br>
I proposed to use insecure-registry to give customer/user (Chinese
or whom doesn't have gcr.io access) a chance to switch use their
own insecure-registry to deploy<br>
k8s/swarm bay.<br>
<br>
For your question:<br>
</span>><span style="color:#1F497D" lang="EN-US"><span
style="font-family:Symbol;color:#1F497D"><span
style="mso-list:Ignore"><span style="font:7.0pt "Times
New Roman"">
</span></span></span><span style="color:#1F497D">Is the
private registry secure or insecure? If secure, how to handle
the authentication secrets. If insecure, is it OK to connect a
secure bay to an insecure registry?<br>
An insecure-resigtry should be 'secure' one, since customer need
to setup it and make sure it's clear one and in this case, they
could be a private cloud.<br>
</span></span><br>
<span style="color:#1F497D" lang="EN-US"><span style="color:#1F497D"><span
style="font-family:Symbol;color:#1F497D"><span
style="mso-list:Ignore">> <span style="font:7.0pt
"Times New Roman""> </span></span></span><span
style="color:#1F497D">Should we provide an instruction for
users to pre-install the private registry? If not, how to
verify the correctness of this feature?</span><br>
<br>
The simply way to pre-install private registry is using
insecure-resigtry and docker.io has very simple steps to start
it [1]<br>
for other, docker registry v2 also supports using TLS enable
mode but this will require to tell docker client key and crt
file which will make "support-private-registry" complex.<br>
<br>
[1] <a class="moz-txt-link-freetext" href="https://docs.docker.com/registry/">https://docs.docker.com/registry/</a><br>
[2]<a class="moz-txt-link-freetext" href="https://docs.docker.com/registry/deploying/">https://docs.docker.com/registry/deploying/</a><br>
<br>
<br>
<br>
</span></span>
<div class="moz-cite-prefix">On 2016年03月30日 07:23, Hongbin Lu wrote:<br>
</div>
<blockquote
cite="mid:0957CD8F4B55C0418161614FEC580D6B01C46578@YYZEML702-CHM.china.huawei.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:2027097765;
mso-list-type:hybrid;
mso-list-template-ids:1510265326 -1642551798 269025283 269025285 269025281 269025283 269025285 269025281 269025283 269025285;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;
mso-fareast-font-family:SimSun;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi team,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This is the
item we didn’t have time to discuss in our team meeting, so
I started the discussion in here.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Here is the
blueprint: <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/magnum/+spec/support-private-registry">https://blueprints.launchpad.net/magnum/+spec/support-private-registry</a>
. Per my understanding, the goal of the BP is to allow users
to specify the url of their private docker registry where
the bays pull the kube/swarm images (if they are not able to
access docker hub or other public registry). An assumption
is that users need to pre-install their own private registry
and upload all the required images to there. There are
several potential issues of this proposal:<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
style="font-family:Symbol;color:#1F497D"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:#1F497D">Is the private registry secure or
insecure? If secure, how to handle the authentication
secrets. If insecure, is it OK to connect a secure bay to an
insecure registry?<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
style="font-family:Symbol;color:#1F497D"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:#1F497D">Should we provide an instruction for
users to pre-install the private registry? If not, how to
verify the correctness of this feature?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thoughts?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Hongbin<o:p></o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best Regards, Eli Qiao (乔立勇)
Intel OTC China</pre>
</body>
</html>