[openstack-dev] [kolla][infra] Publishing kolla images to docker-registry.openstack.org
Steven Dake (stdake)
stdake at cisco.com
Sat Feb 20 13:21:44 UTC 2016
I'd like to see a full CI/CD pipeline of Kolla to an OpenStack infrastructure hosted registry.
With docker registry 2.2 and earlier a Docker push of Kolla containers took 5-10 hours. This is because of design problems in Docker which made a push upload each layer of each Docker image repeatedly. This has been rectified in docker-registry 2.3 (the latest hub tagged docker registry). The 5-10 hour upload times are now down to about 15 minutes. Now it takes approximately 15 minutes to push all 115 kolla containers on a gigabit network.
Kolla in general wants to publish to a docker registry at least per tag, and possibly per commit (or alternatively daily). We already build Kolla images in the gate, and although sometimes our jobs time out on CentOS, the build on Ubuntu is about 12 minutes. The reason our jobs time out on CentOS is because we lack mirrors local to the infrastructure, as is available on Ubuntu thanks to a recent patch that I believe Monty offered.
We have one of two options going forward:
1. We could publish to the docker hub registry
2. We could publish to docker-registry.openstack.org
Having a docker-registry.openstack.org would be my preference, but requires a machine with plenty of disk space and a copy of docker 1.10.1 or later running on it. The docker-registry 2.3 and later runs as a container inside Docker. The machine could be Ubuntu or CentOS - we have gate scripts for both that do the machine setup which the infrastructure team could begin with. I don't care which distro is used for docker registry - it really shouldn't matter as it will be super lightweight and really only need a /var/lib/docker that is fast and large. Kolla devs can help get the docker registry set up and provide guidance to the infrastructure team on how to set up Docker, but I'm unclear if OpenStack has resources to make this particular request happen.
NB the machine need not be baremetal - it really doesn't matter. It does need fast bi-directional networking and fast disk IO to meet the gate timeout requirements and Operator requirements that a pull is speedy. The other change needed is a CentOS mirror internal to the infrastructure, so our CentOS jobs don't time out and we can push per commit (or we could add a nightly job).
This is something new OpenStack hasn't done before, so feedback from the infrastructure team is welcome if that team is willing to maintain a docker-registry.openstack.org. The other challenge here will be authentication - we set up our gate Docker without TLS because we throw away the VMs, but infra will want to set up TLS with the docker registry. Folks wanting to use the docker registry service from OpenStack will need to be able to put TLS credentials in the gating in some way. I'm not sure we want to just check these credentials into our repository - which means they need to somehow be injected into our VMs to protect the security of the Docker images.
If infra decides they don't want to take on a docker-registry.openstack.org, guidance on how to get our credentials securely into our built VM would be helpful.
One final note - Docker can be set up to use Swift as a storage backend, or alternatively can use straight up disk space on the node. It can also publish to an AWS storage backend and has many other storage backend modes.
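As an added illustration, not part of this message or of the Kolla project, here is what a registry 2.3 config.yml for the TLS-plus-Swift setup described above would look like, next to the throwaway gate-style setup. The certificate, key, htpasswd and Swift values are placeholders that the infrastructure team would supply.

```yaml
# Throwaway gate-style registry (constructed example): plain HTTP, no auth,
# local disk. Only acceptable because the VM is discarded after the job.
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
---
# Hardened docker-registry.openstack.org (constructed example): TLS on the
# listener, basic auth for pushers, Swift as the image store.
version: 0.1
log:
  level: info
storage:
  delete:
    enabled: false            # nobody can delete published tags via the API
  swift:
    username: <placeholder-swift-user>
    password: <placeholder-swift-password>
    authurl: https://<placeholder-keystone>/v2.0
    tenant: <placeholder-tenant>
    region: <placeholder-region>
    container: kolla-registry
http:
  addr: :5000
  tls:
    certificate: /etc/docker/registry/registry.crt   # placeholder path
    key: /etc/docker/registry/registry.key           # placeholder path
  headers:
    X-Content-Type-Options: [nosniff]
auth:
  htpasswd:
    realm: docker-registry.openstack.org
    path: /etc/docker/registry/htpasswd              # placeholder path
```

With the hardened config the gate VMs no longer need `--insecure-registry`; the push credentials (the htpasswd user) are the secret that has to be injected into the VM rather than committed to the repository, and the Swift credentials only ever live on the registry host.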