Merge "Use /etc/hosts with docker registries to handle ipv6"

This commit is contained in:
Zuul 2019-04-09 16:23:29 +00:00 committed by Gerrit Code Review
commit 2e1c38e89d
6 changed files with 192 additions and 21 deletions

View File

@ -1,12 +1,32 @@
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset_registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
- name: Tag image for buildset registry
command: >-
docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
loop: "{{ image.tags | default(['latest']) }}"
loop_control:
loop_var: image_tag
- name: Push tag to buildset registry
command: >-
docker push {{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
docker push {{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
loop: "{{ image.tags | default(['latest']) }}"
loop_control:
loop_var: image_tag

View File

@ -1,3 +1,40 @@
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset_registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
- name: Configure /etc/hosts for intermediate_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ intermediate_registry.host }}\tzuul-jobs.intermediate_registry$"
line: "{{ intermediate_registry.host }}\tzuul-jobs.intermediate_registry"
insertafter: EOF
when: intermediate_registry.host | ipaddr
- name: Set intermediate_registry alias variable when using ip
set_fact:
intermediate_registry_alias: zuul-jobs.intermediate_registry
when: intermediate_registry.host | ipaddr
- name: Set intermediate_registry alias variable when using name
set_fact:
intermediate_registry_alias: "{{ intermediate_registry.host }}"
when: not ( intermediate_registry.host | ipaddr )
# This can be removed if we add this functionality to Zuul directly
- name: Load information from zuul_return
when: buildset_registry is not defined
@ -5,12 +42,12 @@
buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
- name: Ensure registry cert directory exists
file:
path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
state: directory
- name: Write registry TLS certificate
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
# Update user config for intermediate and buildset registries
@ -42,9 +79,9 @@
new_config:
auths: |
{
"{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}":
"{{ intermediate_registry_alias }}:{{ intermediate_registry.port }}":
{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"},
"{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}":
"{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
}
set_fact:
@ -62,7 +99,7 @@
command: >-
skopeo --insecure-policy copy
{{ item.url }}
docker://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }}
docker://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }}
when: "'metadata' in item and item.metadata.type | default('') == 'container_image'"
loop: "{{ zuul.artifacts | default([]) }}"
always:

View File

@ -1,8 +1,45 @@
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset_registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
- name: Configure /etc/hosts for intermediate_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ intermediate_registry.host }}\tzuul-jobs.intermediate_registry$"
line: "{{ intermediate_registry.host }}\tzuul-jobs.intermediate_registry"
insertafter: EOF
when: intermediate_registry.host | ipaddr
- name: Set intermediate_registry alias variable when using ip
set_fact:
intermediate_registry_alias: zuul-jobs.intermediate_registry
when: intermediate_registry.host | ipaddr
- name: Set intermediate_registry alias variable when using name
set_fact:
intermediate_registry_alias: "{{ intermediate_registry.host }}"
when: not ( intermediate_registry.host | ipaddr )
- name: Push tag to intermediate registry
command: >-
skopeo --insecure-policy copy
docker://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
docker://{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
docker://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
docker://{{ intermediate_registry_alias }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
loop: "{{ image.tags | default(['latest']) }}"
loop_control:
loop_var: image_tag
@ -13,7 +50,7 @@
zuul:
artifacts:
- name: "image_{{ image.repository }}:{{ image_tag }}"
url: "docker://{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}"
url: "docker://{{ intermediate_registry_alias }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}"
metadata:
type: container_image
repository: "{{ image.repository }}"

View File

@ -1,3 +1,40 @@
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset_registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
- name: Configure /etc/hosts for intermediate_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ intermediate_registry.host }}\tzuul-jobs.intermediate_registry$"
line: "{{ intermediate_registry.host }}\tzuul-jobs.intermediate_registry"
insertafter: EOF
when: intermediate_registry.host | ipaddr
- name: Set intermediate_registry alias variable when using ip
set_fact:
intermediate_registry_alias: zuul-jobs.intermediate_registry
when: intermediate_registry.host | ipaddr
- name: Set intermediate_registry alias variable when using name
set_fact:
intermediate_registry_alias: "{{ intermediate_registry.host }}"
when: not ( intermediate_registry.host | ipaddr )
# This can be removed if we add this functionality to Zuul directly
- name: Load information from zuul_return
when: buildset_registry is not defined
@ -5,12 +42,12 @@
buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
- name: Ensure registry cert directory exists
file:
path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
state: directory
- name: Write registry TLS certificate
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
# Update user config for intermediate and buildset registries
- name: Ensure docker user directory exists
@ -41,9 +78,9 @@
new_config:
auths: |
{
"{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}":
"{{ intermediate_registry_alias }}:{{ intermediate_registry.port }}":
{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"},
"{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}":
"{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
}
set_fact:

View File

@ -1,3 +1,23 @@
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset_registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
- name: Ensure docker directory exists
become: yes
file:
@ -6,23 +26,23 @@
- name: Ensure buildset registry cert directory exists
become: true
file:
path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/"
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
state: directory
- name: Ensure proxy registry cert directory exists
become: true
file:
path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}/"
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
state: directory
- name: Write buildset registry TLS certificate
become: true
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
- name: Write proxy registry TLS certificate
become: true
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}/ca.crt"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
# Update daemon config
- name: Check if docker daemon configuration exists
@ -46,7 +66,7 @@
- name: Add registry to docker daemon configuration
vars:
new_config:
registry-mirrors: "['https://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port}}/', 'https://{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port}}/']"
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port}}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port}}/']"
set_fact:
docker_config: "{{ docker_config | combine(new_config) }}"
- name: Save docker daemon configuration

View File

@ -1,3 +1,23 @@
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
become: yes
lineinfile:
path: /etc/hosts
state: present
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset_registry$"
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset_registry"
insertafter: EOF
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using ip
set_fact:
buildset_registry_alias: zuul-jobs.buildset_registry
when: buildset_registry.host | ipaddr
- name: Set buildset_registry alias variable when using name
set_fact:
buildset_registry_alias: "{{ buildset_registry.host }}"
when: not ( buildset_registry.host | ipaddr )
# Update user config
- name: Ensure docker user directory exists
file:
@ -29,9 +49,9 @@
{
"https://index.docker.io/v1/":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
"{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}":
"{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
"{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.proxy_port }}":
"{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
}
set_fact: