Open Stack

Hi Steve

When you say the registry would require a machine with plenty of disk
space, do you have an estimate of storage needed?

Regards

2016-02-20 14:21 GMT+01:00 Steven Dake (stdake) <stdake at cisco.com>:

> Infra folks,
>
> I'd like to see a full CI/CD pipeline of Kolla to an OpenStack
> infrastructure hosted registry.
>
> With docker registry 2.2 and earlier a Docker push of Kolla containers
> took 5-10 hours.  This is because of design problems in Docker which made a
> push each layer of each Docker image repeatedly.  This has been rectified
> in docker-regitery 2.3 (the latest hub tagged docker registry).  The 5-10
> hour upload times are now down to about 15 minutes.  Now it takes
> approximately 15 minutes to push all 115 kolla containers on a gigabit
> network.
>
> Kolla in general wants to publish to a docker registry at least per tag,
> and possibly per commit (or alternatively daily).  We already build Kolla
> images in the gate, and although sometimes our jobs time out on CentOS the
> build on Ubuntu is about 12 minutes.  The reason our jobs time out on
> CentOS is because we lack local to the infrastructure mirrors as is
> available on Ubuntu from a recent patch I believe that Monty offered.
>
> We have one of two options going forward
>
>    1. We could publish to the docker hub registry
>    2. We could publish to docker-registry.openstack.org
>
> Having a docker-registry.openstack.org would be my preference, but
> requires a machine with plenty of disk space and a copy of docker 1.10.1 or
> later running on it.  The docker-registry 2.3 and later runs as a container
> inside Docker.  The machine could be Ubuntu or CentOS – we have gate
> scripts for both that do the machine setup which the infrastructure team
> could begin with[1][2]  I don't care which distro is used for docker
> registry – it reallly shouldn't matter as it will be super lightweight and
> really only need a /var/lib/docker that is fast and large.  Kolla dev's can
> help get the docker registry setup and provide guidance to the
> infrastructure team on how to setup Docker, but I'm unclear of OpenStack
> has resources to make this particular request happen.
>
> NB the machine need not be baremetal – it  really doesn't matter.  It does
> need fast bi-directional networking and fast disk IO to meet the gate
> timeout requirements and Operator requirements that a pull is speedy.  The
> other change needed is a CentOS mirror internal to the infrastructure, so
> our CentOS jobs don't time out and we can push per cmmit (or we could add a
> nightly job).
>
> This is something new OpenStack hasn't done before, so feedback from the
> infrastructure team welcome if that team is willing to maintain a
> docker-registry.openstack.org.  The other challenge here will be
> authentication – we setup our gate Docker without TLS because we throw away
> the VMs but infra will want to setup TLS with the docker registry.  Folks
> wanting to use the docker reigstry service from OpenStack will need to be
> able to put TLS credentials in the gating in some way.  I'm not sure we
> want to just check these credentials into our repository – which means they
> need to somehow be injected into our VMs to protect the security of the
> Docker images.
>
> If infra decides they don’t want to take on a
> docker-registry.openstack.org, guidance on how to get our credentials
> securely into our built VM would be helpful.
>
> One final note – Docker can be setup to use Swift as a storage backend, or
> alternatively can use straight up disk space on the node.  It can also
> publish to an AWS storage backend and has many other storage backend modes.
>
> Regards
> -steve
>
>
> [1] https://github.com/openstack/kolla/blob/master/tools/setup_RedHat.sh
> [2] https://github.com/openstack/kolla/blob/master/tools/setup_Debian.sh
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160220/adf657a4/attachment.html>