Open Stack

Hi Hongbin

Thanks for starting this thread,

I initial propose this bp because I am in China which is behind China 
great wall and can not have access of gcr.io directly, after checking 
our cloud-init script, I see that

lots of code are *hard coded* to using gcr.io, I personally though this 
is not good idea. We can not force user/customer to have internet access 
in their environment.

I proposed to use insecure-registry to give customer/user (Chinese or 
whom doesn't have gcr.io access) a chance to switch use their own 
insecure-registry to deploy
k8s/swarm bay.

For your question:
 >Is the private registry secure or insecure? If secure, how to handle 
the authentication secrets. If insecure, is it OK to connect a secure 
bay to an insecure registry?
An insecure-resigtry should be 'secure' one, since customer need to 
setup it and make sure it's clear one and in this case, they could be a 
private cloud.

>Should we provide an instruction for users to pre-install the private 
registry? If not, how to verify the correctness of this feature?

The simply way to pre-install private registry is using 
insecure-resigtry and docker.io has very simple steps to start it [1]
for other, docker registry v2 also supports using TLS enable mode but 
this will require to tell docker client key and crt file which will make 
"support-private-registry" complex.

[1] https://docs.docker.com/registry/
[2]https://docs.docker.com/registry/deploying/



On 2016年03月30日 07:23, Hongbin Lu wrote:
>
> Hi team,
>
> This is the item we didn’t have time to discuss in our team meeting, 
> so I started the discussion in here.
>
> Here is the blueprint: 
> https://blueprints.launchpad.net/magnum/+spec/support-private-registry 
> . Per my understanding, the goal of the BP is to allow users to 
> specify the url of their private docker registry where the bays pull 
> the kube/swarm images (if they are not able to access docker hub or 
> other public registry). An assumption is that users need to 
> pre-install their own private registry and upload all the required 
> images to there. There are several potential issues of this proposal:
>
> ·Is the private registry secure or insecure? If secure, how to handle 
> the authentication secrets. If insecure, is it OK to connect a secure 
> bay to an insecure registry?
>
> ·Should we provide an instruction for users to pre-install the private 
> registry? If not, how to verify the correctness of this feature?
>
> Thoughts?
>
> Best regards,
>
> Hongbin
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-- 
Best Regards, Eli Qiao (乔立勇)
Intel OTC China

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160330/f5bdbc00/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: liyong_qiao.vcf
Type: text/x-vcard
Size: 123 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160330/f5bdbc00/attachment.vcf>