Bowlofeggs (talk | contribs) (→Detailed Description: Update the signing section.) |
Bowlofeggs (talk | contribs) |
||
Line 74: | Line 74: | ||
We may revisit signing in the future when there are more available choices for us to use as an added layer of security. | We may revisit signing in the future when there are more available choices for us to use as an added layer of security. | ||
==== General Notes ==== | ==== General Notes ==== | ||
Line 101: | Line 85: | ||
* [1] https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/IMK3IKNMVYMEBV5S7BCYHNSVA2BGSWZ3/ | * [1] https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/IMK3IKNMVYMEBV5S7BCYHNSVA2BGSWZ3/ | ||
* [3] https://github.com/docker/distribution/ | * [3] https://github.com/docker/distribution/ | ||
* [4] https://docs.docker.com/registry/spec/api/ | * [4] https://docs.docker.com/registry/spec/api/ |
Revision as of 22:29, 12 April 2017
Fedora Scale-Out Docker Registry
Summary
This is a proposal for a change to the Fedora Infrastructure and Fedora Release Engineering tooling to provide a scalable container registry solution for Fedora that is integrated with the Fedora Docker Layered Image Build Service.
Owner
- Name: Adam Miller and Randy Barlow
- Email: maxamillion@fedoraproject.org and bowlofeggs@fedoraproject.org
- Release notes owner:
Current status
Detailed Description
Background
The Fedora project wishes to begin distributing new types of content than it has in the past. One of the types that has been identified as a goal are container images. Adam Miller has already done the work that will allow packagers to build container images, but we still need a way to distribute those builds to Fedora's users. Adam Miller's implementation helpfully drops the builds we want into a container registry.
registry: a collection of container image repositories
repository: named after an image and is a collection of multiple tags of an that image
tag: an arbitrary string assigned to a specific container image (identified by the image's sha256 checksum) NOTE: The "latest" tag is special and is assumed if no tag is provided. This is true also for a 'docker pull' operation and an image tagged "latest" will be the default image pulled by users.
Proposal
In summary, the proposal is to deploy the docker distribution registry at registry.fedoraproject.org
, which will serve the container registry API to Fedora's users. Users will fetch all API data from this endpoint, except for the container blobs. Fedora will serve 302 redirects for all requests for container blobs to cdn.registry.fedoraproject.org
. The CDN will handle serving the large blob files to the users.
- Docker Distribution is the defacto standard open source implementation of the Docker Registry V2 API spec.
Workflow
- OSBS will perform Builds, as these builds complete they will be pushed to the docker-distribution (v2) registry, these will be considered "candidate images". These will be stored in candidate repositories on the docker-distribution registry.
- Testing will occur using the "candidate images" (details of how we want to handle that are outside the scope of this proposal).
- A "candidate image" will be marked stable once it's criteria have been satisfied to do so. (This is vague because this is a topic of ongoing discussion and work to decide what criteria an image will need to abide by before being considered "stable" and promoted as such)
- Once stable, the images will be pushed into stable repositories in the docker-distribution registry.
- The docker clients will request Manifests from
registry.fedoraproject.org
. Requests for blobs will receive a302 Redirect
tocdn.registry.fedoraproject.org
which will serve the blob files.
Signing
For the initial implementation of the Fedora Docker registry, we will not be signing the images. This will still be safe for our users, as the manifests will be served by registry.fedoraproject.org
only (the CDN will not be serving manifests or any metadata) and only over TLS. Container manifests reference the blob layers by checksum and the client does verify the checksums of the layers it downloads. Thus we will rely on TLS to safely transmit the checksums of the blobs to the end user, and we will rely on their client to validate the checksums of the blobs it downloads from the CDN.
We may revisit signing in the future when there are more available choices for us to use as an added layer of security.
General Notes
A couple of things to note about maintenance and uptime considerations:
The Intermediate docker-distribution registry is needed for builds in koji+OSBS.
Much of the current design was discussed on the infrastructure mailing list[1].
All new components in this design should be able to be locked down, similar to the "Fedora internal" components like koji (builders, etc) and bodhi (signing, etc).
- [1] https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/IMK3IKNMVYMEBV5S7BCYHNSVA2BGSWZ3/
- [3] https://github.com/docker/distribution/
- [4] https://docs.docker.com/registry/spec/api/
- [5] https://github.com/docker/distribution/issues/1825
- [6] https://github.com/docker/docker/pull/23014
- [7] https://docs.docker.com/registry/spec/manifest-v2-2/#/image-manifest-field-descriptions
- [8] https://github.com/docker/docker/pull/22866
Benefit to Fedora
This will allow for Fedora to provide packages, software, and other content in the form of a Docker Image as an officially released artifact from the Fedora Project that is released and hosted much in the same way RPMs are today. These images can then be included in the distribution in various ways. This could potentially be used by the Modularization effort or by any other part of the Fedora.next initiative that may arise.
Scope
Proposal owners
Proposal owners shall have to:
- Implement the proposed Design of a Scaled-Out Docker Registry
- Build the new Python Tool to pull blobs out of the registry
- Deploy Docker-Distribution Registry
- Integrate with MirrorManager for content distribution
- Document the system
Task matrix
This is a RACI matrix for tasks required to implement the RelEng Automation Workflow Engine. Work is tracked in Taiga: http://taiga.cloud.fedoraproject.org/project/acarter-fedora-docker-atomic-tooling/wiki/home
Is this current?
It is, as of 2017-04-12
Definitions
Here, we're using what Wikipedia calls "RACI (alternative scheme)":
- Responsible
- The person responsible for the performance of the task. There should be exactly one person with this assignment for each task.
- Assists
- Those who assist completion of the task.
- Consulted
- Those whose opinions are sought; and with whom there is two-way communication.
- Informed
- Those who are kept up-to-date on progress; and with whom there is one-way communication.
Task Table
Task | Subtask | Responsible | Assists | Consulted | Informed | Current Status |
---|---|---|---|---|---|---|
Implement the proposed design of a Scaled-Out Docker Registry | Adam Miller | 0% | ||||
Deploy solution, including ansible playbooks added for Fedora Infrastructure Ansible repo | Adam Miller | 0% | ||||
Deploy docker-distribution registry | Adam Miller | 0% | ||||
Integrate with MirrorManager for content distribution | Adam Miller | 0% | ||||
Document the system | Adam Miller | 0% |
Glossary of Nicknames
- maxamillion Adam Miller
- bowlofeggs Randy Barlow
Various Task Notes
Functional Requirements
The following features are functional requirements
- Users must be able to perform a
docker pull registry.fedoraproject.org/fedora
and have the actual image layer data come from a local mirror via mirrormanager.
Other developers
- (anything here)?
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
Once the service is deployed, users can perform the following on their systems to test.
$ dnf -y install docker $ systemctl start docker $ docker pull registry.fedoraproject.org/fedora
N/A (not a System Wide Change)
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No (not a System Wide Change)
- Blocks product? N/A
Documentation
FIXME