[openstack-dev] [kolla][infra] Publishing kolla images to docker-registry.openstack.org

Michał Jastrzębski inc007 at gmail.com
Sun Feb 21 16:26:45 UTC 2016

I'd say 5Gigs should be enough for all the images per distro (maybe
less if we have to squeeze). Since we have 2 strongly supported
distros, 10Gigs. If we would like to add all distros we support, that's
20-25 (I think). That also depends on how many older versions we want to
keep (current+stable would be absolute minimum, we might increase it
to milestones). We have lots of options to tweak so no one will get
hurt, and if we have dedicated machine for us (which we should because
apart from disk space, registry can actually eat up lots of IOPS, can
be VM tho with disk that can handle that), I think any dedicated,
industry standard, disk should be enough (but SSD would be great).


On 20 February 2016 at 16:14, Ricardo Carrillo Cruz
<ricardo.carrillo.cruz at gmail.com> wrote:
> Hi Steve
> When you say the registry would require a machine with plenty of disk space,
> do you have an estimate of storage needed?
> Regards
> 2016-02-20 14:21 GMT+01:00 Steven Dake (stdake) <stdake at cisco.com>:
>> Infra folks,
>> I'd like to see a full CI/CD pipeline of Kolla to an OpenStack
>> infrastructure hosted registry.
>> With docker registry 2.2 and earlier a Docker push of Kolla containers
>> took 5-10 hours.  This is because of design problems in Docker which made a
>> push each layer of each Docker image repeatedly.  This has been rectified in
>> docker-registry 2.3 (the latest hub tagged docker registry).  The 5-10 hour
>> upload times are now down to about 15 minutes.  Now it takes approximately
>> 15 minutes to push all 115 kolla containers on a gigabit network.
>> Kolla in general wants to publish to a docker registry at least per tag,
>> and possibly per commit (or alternatively daily).  We already build Kolla
>> images in the gate, and although sometimes our jobs time out on CentOS the
>> build on Ubuntu is about 12 minutes.  The reason our jobs time out on CentOS
>> is because we lack local to the infrastructure mirrors as is available on
>> Ubuntu from a recent patch I believe that Monty offered.
>> We have one of two options going forward:
>>  - We could publish to the docker hub registry
>>  - We could publish to docker-registry.openstack.org
>> Having a docker-registry.openstack.org would be my preference, but
>> requires a machine with plenty of disk space and a copy of docker 1.10.1 or
>> later running on it.  The docker-registry 2.3 and later runs as a container
>> inside Docker.  The machine could be Ubuntu or CentOS – we have gate scripts
>> for both that do the machine setup which the infrastructure team could begin
>> with[1][2].  I don't care which distro is used for docker registry – it
>> really shouldn't matter as it will be super lightweight and really only
>> need a /var/lib/docker that is fast and large.  Kolla devs can help get the
>> docker registry setup and provide guidance to the infrastructure team on how
>> to setup Docker, but I'm unclear if OpenStack has resources to make this
>> particular request happen.
>> NB the machine need not be baremetal – it  really doesn't matter.  It does
>> need fast bi-directional networking and fast disk IO to meet the gate
>> timeout requirements and Operator requirements that a pull is speedy.  The
>> other change needed is a CentOS mirror internal to the infrastructure, so
>> our CentOS jobs don't time out and we can push per commit (or we could add a
>> nightly job).
>> This is something new OpenStack hasn't done before, so feedback from the
>> infrastructure team welcome if that team is willing to maintain a
>> docker-registry.openstack.org.  The other challenge here will be
>> authentication – we setup our gate Docker without TLS because we throw away
>> the VMs but infra will want to setup TLS with the docker registry.  Folks
>> wanting to use the docker registry service from OpenStack will need to be
>> able to put TLS credentials in the gating in some way.  I'm not sure we want
>> to just check these credentials into our repository – which means they need
>> to somehow be injected into our VMs to protect the security of the Docker
>> images.
>> If infra decides they don’t want to take on a
>> docker-registry.openstack.org, guidance on how to get our credentials
>> securely into our built VM would be helpful.
>> One final note – Docker can be setup to use Swift as a storage backend, or
>> alternatively can use straight up disk space on the node.  It can also
>> publish to an AWS storage backend and has many other storage backend modes.
>> Regards
>> -steve
>> [1] https://github.com/openstack/kolla/blob/master/tools/setup_RedHat.sh
>> [2] https://github.com/openstack/kolla/blob/master/tools/setup_Debian.sh
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev