<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Ricardo,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks for the willingness to implement the blueprint. I am looking forward to reviewing the implementation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hongbin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ricardo Rocha [mailto:rocha.porto@gmail.com]
<br>
<b>Sent:</b> March-30-16 10:59 AM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [magnum] Discuss the blueprint "support-private-registry"<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Mar 30, 2016 at 4:20 PM, Kai Qiang Wu <<a href="mailto:wkqwu@cn.ibm.com" target="_blank">wkqwu@cn.ibm.com</a>> wrote:<o:p></o:p></p>
<div>
<p>I agree that <tt><span style="font-size:10.0pt">support-private-registry</span></tt> should be secure, as insecure seems not very useful for production use.<br>
Also, I understood the point that setting up the related CA could be more difficult than normal HTTP, but we want to know if<br>
<a href="https://blueprints.launchpad.net/magnum/+spec/allow-user-softwareconfig" target="_blank">https://blueprints.launchpad.net/magnum/+spec/allow-user-softwareconfig</a><br>
<br>
could address the issue and make the templates clearer to understand? If a related patch or spec is proposed, we are glad to review it and make it better.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Yes, some local customization of the node setup would be great and help with the CA setup - we're willing to implement that blueprint.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Ricardo<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p><br>
<br>
<br>
<br>
Thanks<br>
<br>
Best Wishes,<br>
--------------------------------------------------------------------------------<br>
Kai Qiang Wu (<span lang="ZH-CN" style="font-family:SimSun">吴开强</span> Kennan<span lang="ZH-CN" style="font-family:SimSun">)</span><br>
IBM China System and Technology Lab, Beijing<br>
<br>
E-mail: <a href="mailto:wkqwu@cn.ibm.com" target="_blank">wkqwu@cn.ibm.com</a><br>
Tel: 86-10-82451647<br>
Address: Building 28(Ring Building), ZhongGuanCun Software Park, <br>
No.8 Dong Bei Wang West Road, Haidian District Beijing P.R.China 100193<br>
--------------------------------------------------------------------------------<br>
Follow your heart. You are miracle! <br>
<br>
<span style="color:#424282">Ricardo
 Rocha ---30/03/2016 09:09:14 pm---Hi. On Wed, Mar 30, 2016 at 3:59 AM, Eli Qiao <<a href="mailto:liyong.qiao@intel.com" target="_blank">liyong.qiao@intel.com</a>> wrote:</span><br>
<br>
<span style="font-size:10.0pt;color:#5F5F5F">From: </span><span style="font-size:10.0pt">Ricardo Rocha <<a href="mailto:rocha.porto@gmail.com" target="_blank">rocha.porto@gmail.com</a>></span><br>
<span style="font-size:10.0pt;color:#5F5F5F">To: </span><span style="font-size:10.0pt">"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>></span><br>
<span style="font-size:10.0pt;color:#5F5F5F">Date: </span><span style="font-size:10.0pt">30/03/2016 09:09 pm</span><br>
<span style="font-size:10.0pt;color:#5F5F5F">Subject: </span><span style="font-size:10.0pt">Re: [openstack-dev] [magnum] Discuss the blueprint "support-private-registry"</span><o:p></o:p></p>
<div class="MsoNormal">
<hr size="2" width="100%" noshade="" style="color:#8091A5" align="left">
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<br>
<tt><span style="font-size:10.0pt">Hi.</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>On Wed, Mar 30, 2016 at 3:59 AM, Eli Qiao <<a href="mailto:liyong.qiao@intel.com" target="_blank">liyong.qiao@intel.com</a>> wrote:</tt><br>
<tt>></tt><br>
<tt>> Hi Hongbin</tt><br>
<tt>></tt><br>
<tt>> Thanks for starting this thread,</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> I initially proposed this bp because I am in China, which is behind the China Great</tt><br>
<tt>> Wall and cannot access <a href="http://gcr.io" target="_blank">gcr.io</a> directly. After checking our</tt><br>
<tt>> cloud-init script, I see that</tt><br>
<tt>></tt><br>
<tt>> lots of code is *hard coded* to use <a href="http://gcr.io" target="_blank">gcr.io</a>; I personally thought this is</tt><br>
<tt>> not a good idea. We cannot force users/customers to have internet access in</tt><br>
<tt>> their environment.</tt><br>
<tt>></tt><br>
<tt>> I proposed to use insecure-registry to give customers/users (Chinese, or whoever</tt><br>
<tt>> doesn't have <a href="http://gcr.io" target="_blank">gcr.io</a> access) a chance to switch to using their own</tt><br>
<tt>> insecure-registry to deploy</tt><br>
<tt>> k8s/swarm bays.</tt><br>
<tt>></tt><br>
<tt>> For your question:</tt><br>
<tt>>>      Is the private registry secure or insecure? If secure, how to handle</tt><br>
<tt>>> the authentication secrets. If insecure, is it OK to connect a secure bay to</tt><br>
<tt>>> an insecure registry?</tt><br>
<tt>> An insecure-registry should be a 'secure' one, since the customer needs to set it up</tt><br>
<tt>> and make sure it's a clear one, and in this case, it could be a private</tt><br>
<tt>> cloud.</tt><br>
<tt>></tt><br>
<tt>>>  Should we provide an instruction for users to pre-install the private</tt><br>
<tt>>> registry? If not, how to verify the correctness of this feature?</tt><br>
<tt>></tt><br>
<tt>> The simple way to pre-install a private registry is using insecure-registry,</tt><br>
<tt>> and <a href="http://docker.io" target="_blank">docker.io</a> has very simple steps to start it [1]. For the other, docker</tt><br>
<tt>> registry v2 also supports a TLS-enabled mode, but this</tt><br>
<tt>> will require telling the docker client the key and crt file, which will make</tt><br>
<tt>> "support-private-registry" complex.</tt><br>
<tt>></tt><br>
<tt>> [1] <a href="https://docs.docker.com/registry/" target="_blank">https://docs.docker.com/registry/</a></tt><br>
<tt>> [2] <a href="https://docs.docker.com/registry/deploying/" target="_blank">https://docs.docker.com/registry/deploying/</a></tt><br>
<br>
<tt>'support-private-registry' and 'allow-insecure-registry' sound different to me.</tt><br>
<br>
<tt>We're using an internal docker registry at CERN (v2, TLS enabled), and</tt><br>
<tt>have the magnum nodes set up to use it.</tt><br>
<br>
<tt>We just install our CA certificates in the nodes (cp to</tt><br>
<tt>/etc/pki/ca-trust/source/anchors/, update-ca-trust) - had to change the</tt><br>
<tt>HEAT templates for that, and submitted a blueprint to be able to do</tt><br>
<tt>similar things in a cleaner way:</tt><br>
<tt><a href="https://blueprints.launchpad.net/magnum/+spec/allow-user-softwareconfig" target="_blank">https://blueprints.launchpad.net/magnum/+spec/allow-user-softwareconfig</a></tt><br>
<br>
<tt>That's all that is needed, the images are then prefixed with the</tt><br>
<tt>registry dns location when referenced - example:</tt><br>
<tt><a href="http://docker.cern.ch/my-fancy-image" target="_blank">docker.cern.ch/my-fancy-image</a>.</tt><br>
<br>
<tt>Things we found on the way:</tt><br>
<tt>- registry v2 doesn't seem to allow anonymous pulls (you can always</tt><br>
<tt>add an account with read-only access everywhere, but it means you need</tt><br>
<tt>to always authenticate at least with this account)</tt><br>
<tt><a href="https://github.com/docker/docker/issues/17317" target="_blank">https://github.com/docker/docker/issues/17317</a></tt><br>
<tt>- swarm 1.1 and kub8s 1.0 allow authentication to the registry from</tt><br>
<tt>the client (which was good news, and it works fine), handy if you want</tt><br>
<tt>to push/pull with authentication.</tt><br>
<br>
<tt>Cheers,</tt><br>
<tt> Ricardo</tt><br>
<br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> On 2016-03-30 07:23, Hongbin Lu wrote:</tt><br>
<tt>></tt><br>
<tt>> Hi team,</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> This is the item we didn’t have time to discuss in our team meeting, so I</tt><br>
<tt>> started the discussion here.</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> Here is the blueprint:</tt><br>
<tt>> <a href="https://blueprints.launchpad.net/magnum/+spec/support-private-registry" target="_blank">
https://blueprints.launchpad.net/magnum/+spec/support-private-registry</a> . Per</tt><br>
<tt>> my understanding, the goal of the BP is to allow users to specify the url of</tt><br>
<tt>> their private docker registry where the bays pull the kube/swarm images (if</tt><br>
<tt>> they are not able to access docker hub or other public registry). An</tt><br>
<tt>> assumption is that users need to pre-install their own private registry and</tt><br>
<tt>> upload all the required images there. There are several potential issues</tt><br>
<tt>> with this proposal:</tt><br>
<tt>></tt><br>
<tt>> - Is the private registry secure or insecure? If secure, how to</tt><br>
<tt>> handle the authentication secrets. If insecure, is it OK to connect a secure</tt><br>
<tt>> bay to an insecure registry?</tt><br>
<tt>></tt><br>
<tt>> - Should we provide an instruction for users to pre-install the</tt><br>
<tt>> private registry? If not, how to verify the correctness of this feature?</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> Thoughts?</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> Best regards,</tt><br>
<tt>></tt><br>
<tt>> Hongbin</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> __________________________________________________________________________</tt><br>
<tt>> OpenStack Development Mailing List (not for usage questions)</tt><br>
<tt>> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a></tt><br>
<tt>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>> --</tt><br>
<tt>> Best Regards, Eli Qiao (</tt></span><tt><span lang="ZH-CN" style="font-size:10.0pt;font-family:SimSun">乔立勇</span></tt><tt><span style="font-size:10.0pt">)</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>> Intel OTC China</tt><br>
<tt>></tt><br>
<tt>></tt><br>
<tt>></tt><br>
<br>
</span><br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
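<p class="MsoNormal">Added example, not code from this thread, from Magnum or from CERN: the node-side steps Ricardo describes for a TLS-enabled private registry, as a POSIX shell script of the kind a cloud-init or Heat software config would run. It installs a CA into the RHEL/Fedora anchor directory he names, refuses non-PEM input, rewrites image references to the private registry host (replacing a hard-coded gcr.io prefix, the situation Eli raises), and checks that the node now trusts the registry over TLS. REGISTRY_HOST and the CA file path are assumptions, not values from the thread.</p>

```shell
#!/bin/sh
# Added example, not code from this thread, from Magnum or from CERN.
# ANCHOR_DIR is the RHEL/Fedora anchor path named in the thread;
# REGISTRY_HOST is an assumed placeholder for the registry's DNS name.
set -eu

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
REGISTRY_HOST="${REGISTRY_HOST:-registry.example.internal}"

# pem_looks_valid FILE: refuse anything that is not a PEM certificate before
# it lands in the system trust store (a stray key or junk file must never be
# installed as an anchor).
pem_looks_valid() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# install_ca_anchor CA_FILE: copy the CA into the anchors directory, readable
# by every process that validates certificates, then rebuild the consolidated
# trust store. The rebuild only runs when we wrote into the real system
# directory (it needs root and is pointless for a staging directory).
install_ca_anchor() {
    ca="$1"
    if ! pem_looks_valid "$ca"; then
        echo "refusing to install $ca: not a PEM certificate" >&2
        return 1
    fi
    mkdir -p "$ANCHOR_DIR"
    cp "$ca" "$ANCHOR_DIR/$(basename "$ca")"
    chmod 0644 "$ANCHOR_DIR/$(basename "$ca")"
    if [ "$ANCHOR_DIR" = /etc/pki/ca-trust/source/anchors ] &&
       command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust
    fi
}

# image_ref IMAGE: qualify an image name with the private registry host, the
# "prefix with the registry dns location" step from the thread. If the first
# path component already names a registry (docker's rule: it contains a "."
# or ":" or is "localhost"), that host is replaced, so a hard-coded
# gcr.io/... reference is redirected to the private registry instead.
image_ref() {
    img="$1"
    case "$img" in
        */*)
            case "${img%%/*}" in
                *.*|*:*|localhost) img="${img#*/}" ;;
            esac ;;
    esac
    echo "$REGISTRY_HOST/$img"
}

# verify_registry_tls: after installing the anchor, a TLS handshake with the
# registry must succeed without curl's -k. Registry v2 answers 401 to an
# anonymous GET /v2/ (no anonymous pulls, as noted in the thread), so 401 or
# 200 both mean the CA is trusted; a failed handshake makes curl exit non-zero.
verify_registry_tls() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' "https://$REGISTRY_HOST/v2/") || return 1
    case "$code" in
        200|401) return 0 ;;
        *) echo "unexpected HTTP status $code from $REGISTRY_HOST" >&2; return 1 ;;
    esac
}
```

<p class="MsoNormal">A 401 from GET /v2/ is the expected answer to an anonymous request against registry v2, the "no anonymous pulls" behaviour noted in the thread; it still proves the certificate chain validated, which is what the anchor step is for. The question of where the pull credentials live, raised by Hongbin, is separate and is not handled here.</p>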
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>