Adding spec for local Docker registry
As part of containerization, adding the local Docker registry spec Task: 27498 Story: 2002840 Change-Id: I9a59a1ec1f9a40d0da3d79597026216637c43376 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
This commit is contained in:
parent
f7c04656d8
commit
95c3c496d6
|
@ -0,0 +1,163 @@
|
||||||
|
.. This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||||
|
License.
|
||||||
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||||
|
|
||||||
|
=====================
|
||||||
|
Local Docker Registry
|
||||||
|
=====================
|
||||||
|
|
||||||
|
Storyboard: https://storyboard.openstack.org/#!/story/2002840
|
||||||
|
|
||||||
|
A local Docker registry should be included in a StarlingX containerized
|
||||||
|
deployment to allow users to store Docker images that they might not want
|
||||||
|
to share publicly through Docker Hub.
|
||||||
|
|
||||||
|
Problem Description
|
||||||
|
===================
|
||||||
|
|
||||||
|
Without the local Docker registry, the only way to obtain Docker images is
|
||||||
|
through public means, such as Docker Hub. Users of StarlingX might have images
|
||||||
|
that they do not want to publicly share. Docker Hub might also not meet the
|
||||||
|
users' performance requirements. Deploying a local Docker registry allows the
|
||||||
|
user to deploy custom images without uploading it to Docker Hub first.
|
||||||
|
|
||||||
|
Use Cases
|
||||||
|
=========
|
||||||
|
|
||||||
|
End users and StarlingX administrators can push and deploy images from the
|
||||||
|
local registry without publicly sharing them on Docker Hub.
|
||||||
|
|
||||||
|
Proposed change
|
||||||
|
===============
|
||||||
|
|
||||||
|
An instance of the Docker Distribution project would be integrated on
|
||||||
|
StarlingX:
|
||||||
|
https://github.com/docker/distribution
|
||||||
|
|
||||||
|
Docker Distribution (Docker Registry) shall be deployed in StarlingX, managed
|
||||||
|
by STX-HA's SM in active standby mode. The registry process shall be running
|
||||||
|
as a host process as opposed to a container. Docker Distribution shall use a
|
||||||
|
resizable DRBD synced file system as its root directory.
|
||||||
|
|
||||||
|
The registry will be deployed with token authentication. A token server shall
|
||||||
|
be deployed as well, and managed by SM, running in active standby mode. The
|
||||||
|
token server will use Openstack Keystone as a back end, and allow users to log
|
||||||
|
in using their Openstack credentials to work with Docker images in the
|
||||||
|
registry. The token server shall provide minimal authorization support where
|
||||||
|
users shall only be allowed to modify resources belonging to their own repo.
|
||||||
|
For example, user1 shall not be allowed to push user2/testimage:v1.0.
|
||||||
|
|
||||||
|
Alternatives
|
||||||
|
============
|
||||||
|
|
||||||
|
Docker registry shall be deployed as a host process as opposed to a container.
|
||||||
|
This allows the registry to hold kube-system container images for starting up
|
||||||
|
Kubernetes itself in the future if needed.
|
||||||
|
|
||||||
|
Data model impact
|
||||||
|
=================
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
REST API impact
|
||||||
|
===============
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Security impact
|
||||||
|
===============
|
||||||
|
|
||||||
|
Docker registry shall run on port 9001 while the registry token server shall
|
||||||
|
run on port 9002. Authentication and authorization are done through Keystone,
|
||||||
|
so no credentials need to be stored on the Docker registry or token server
|
||||||
|
side. Communications between the registry, Docker client, and registry token
|
||||||
|
server will be through HTTPS by default, using the system self-signed
|
||||||
|
certificate by default. All communication is done over the management network.
|
||||||
|
|
||||||
|
Other end user impact
|
||||||
|
=====================
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Performance Impact
|
||||||
|
==================
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Other deployer impact
|
||||||
|
=====================
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Developer impact
|
||||||
|
=================
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Upgrade impact
|
||||||
|
===============
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Implementation
|
||||||
|
==============
|
||||||
|
|
||||||
|
Assignee(s)
|
||||||
|
===========
|
||||||
|
|
||||||
|
Primary assignee:
|
||||||
|
jerry-sun-u
|
||||||
|
|
||||||
|
Repos Impacted
|
||||||
|
==============
|
||||||
|
|
||||||
|
* stx-integ
|
||||||
|
* stx-config
|
||||||
|
* stx-ha
|
||||||
|
|
||||||
|
Work Items
|
||||||
|
===========
|
||||||
|
|
||||||
|
Build, configure, and manage through STX-HA's SM, the Docker registry process.
|
||||||
|
Build, configure, and manage through SM, a token server that can communicate
|
||||||
|
with Openstack Keystone and can act as an authentication and authorization
|
||||||
|
service for the Docker registry.
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
============
|
||||||
|
|
||||||
|
Docker Distribution and its dependencies
|
||||||
|
SM from stx-ha
|
||||||
|
|
||||||
|
Testing
|
||||||
|
=======
|
||||||
|
|
||||||
|
Docker Distribution comes with its own unit tests. The token server can be
|
||||||
|
tested by doing a deployment on StarlingX. Specifically, ensure that one
|
||||||
|
user cannot delete images from another user.
|
||||||
|
|
||||||
|
For now, Docker registry and token server processes should be run only if
|
||||||
|
kubernetes is configured during config controller.
|
||||||
|
|
||||||
|
Documentation Impact
|
||||||
|
====================
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
References
|
||||||
|
==========
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
History
|
||||||
|
=======
|
||||||
|
|
||||||
|
.. list-table:: Revisions
|
||||||
|
:header-rows: 1
|
||||||
|
|
||||||
|
* - Release Name
|
||||||
|
- Description
|
||||||
|
* - 2019.03
|
||||||
|
- Introduced
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue