From Fedora Project Wiki
(Benefit to Fedora)
(Task Table: Update the task table.)
 
(49 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{admon/warning|DRAFT|This page is only a draft and is still under construction.}}
 
  
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
  
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
= Change Proposal Name <!-- The name of your change proposal --> =
+
= Fedora Scale-Out Docker Registry <!-- The name of your change proposal --> =
  
 
== Summary ==
 
== Summary ==
This is a proposal for a change to the Fedora Infrastructure and Fedora Release Engineering tooling to provide a scalable Docker Registry solution for Fedora that is integrated with the [[Changes/Layered_Docker_Image_Build_Service|Fedoar Docker Layered Image Build Service]].
+
This is a proposal for a change to the Fedora Infrastructure and Fedora Release Engineering tooling to provide a scalable container registry solution for Fedora that is integrated with the [[Changes/Layered_Docker_Image_Build_Service|Fedora Docker Layered Image Build Service]].
  
 
== Owner ==
 
== Owner ==
Line 15: Line 13:
 
This should link to your home wiki page so we know who you are.  
 
This should link to your home wiki page so we know who you are.  
 
-->
 
-->
* Name: [[User:Maxamillion| Adam Miller]]
+
* Name: [[User:Maxamillion| Adam Miller]] and [[User:Bowlofeggs| Randy Barlow]]
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: maxamillion@fedoraproject.org
+
* Email: maxamillion@fedoraproject.org and bowlofeggs@fedoraproject.org
 
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
 
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
 
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
 
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
Line 28: Line 26:
  
 
== Current status ==
 
== Current status ==
* Targeted release: [[Releases/<number> | Fedora <number> ]]  
+
* Targeted release: [[Releases/26 | Fedora 26 ]]  
 
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
 
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
 
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
 
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 38: Line 36:
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
-->
 
-->
* Tracker bug: <will be assigned by the Wrangler>
+
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1345756 #1345756]
  
 
== Detailed Description ==
 
== Detailed Description ==
  
<pre>
+
=== Background ===
  +-----------+              +------------------------+
 
  |  koji    |<--------------+ fedpkg container build |
 
  +--+--------+              +------------------------+
 
      |  ^
 
      v  |
 
  +------+----+
 
  |          |          +----------------------+
 
  |  OSBS    |          | docker/distribution  |
 
  |          +--------->| registry            +-+
 
  +-----------+          |                      | |
 
                          | (candidate builds)  | |
 
                          +----------------------+ +
 
                                                  |
 
                                                  |
 
          +-----------------+                    |
 
          |                +<--------------------+
 
          |      Pulp      |
 
          |                +------------+
 
          +----+------------+            |
 
                |                        |
 
                v                        |
 
+-------------------------+              v
 
| +--------+ +--------+  |      +-----------------------+
 
| |  Crane | |  Crane |  |      | Pulp Published Stable |
 
| +------+-+ +--+-----+  |      | Image Layeres and    |
 
|    ^  |      |  ^    |      | Metadata              |
 
|    |  |      |  |    |      +--------+--------------+
 
|    |  |      |  |    |              |
 
|    |  |      |  |    |              |
 
|    |  |      |  |    |              |
 
|    |  v      v  |    |              v
 
| +--+--------------+-+  |    +--------------------+
 
| | Fedora Infra      |  |    | Mirror Manager    |
 
| | HAProxy          |  |    | master mirror      |
 
| +-------------------+  |    +-----------------+--+
 
+---------+---------------+                      |
 
    ^    |                                      |
 
    |    |                                      |
 
    |    |                                      |
 
    |    |                                      v
 
    |    |                            +-----------------------------+
 
    |    |                            |                            |
 
    |    |  +------------------------>| "Mirror Network"            |
 
    |    |  |                        | (All our volunteer mirrors) |
 
    |    |  |  +---------------------+                            |
 
    |    |  |  |                    +-----------------------------+
 
    |    |  |  |
 
    |    |  |  |
 
    |    |  |  |
 
    |    |  |  |
 
    |    |  |  |
 
    |    v  |  v
 
  +--+--------+-----+
 
  | Users          |
 
  | (docker pull)  |
 
  +-----------------+
 
</pre>
 
https://maxamillion.fedorapeople.org/FedoraPulpDocker.txt
 
  
=== Background ===
+
The Fedora project wishes to begin distributing new types of content
 +
than it has in the past. One of the types that has been identified as a
 +
goal are container images. Adam Miller has already done the work that
 +
will allow packagers to build container images, but we still need a way to
 +
distribute those builds to Fedora's users. Adam Miller's implementation
 +
helpfully drops the builds we want into a container registry.
  
'''registry''': a collection of docker image repositories
+
'''registry''': a collection of container image repositories
  
 
'''repository''': named after an image and is a collection of multiple tags of an that image
 
'''repository''': named after an image and is a collection of multiple tags of an that image
  
'''tag''': an arbitrary string assigned to a specific docker image (identified by the image's sha256 checksum) NOTE: The "latest" tag is special and is assumed if no tag is provided. This is true also for a 'docker pull' operation and an image tagged "latest" will be the default image pulled by users.
+
'''tag''': an arbitrary string assigned to a specific container image (identified by the image's sha256 checksum) NOTE: The "latest" tag is special and is assumed if no tag is provided. This is true also for a 'docker pull' operation and an image tagged "latest" will be the default image pulled by users.
  
 
=== Proposal ===
 
=== Proposal ===
  
Pulp[0] + Crane[1] + MirrorManager[2] + Docker Distribution[3]
+
In summary, the proposal is to deploy the docker distribution registry at <code>registry.fedoraproject.org</code>, which will serve the container registry API to Fedora's users. Users will fetch all API data from this endpoint, except for the container blobs. Fedora will serve 302 redirects for all requests for container blobs to <code>cdn.registry.fedoraproject.org</code>. The CDN will handle serving the large blob files to the users.
  
* Pulp is a platform for managing repositories of content, such as software packages, and making it available to a large numbers of consumers. It is also capable of managing docker content.
+
* Docker Distribution is the defacto standard open source implementation of the Docker Registry V2 API spec.
 
 
* Crane is a stand-alone python flask wsgi application written by the Pulp team to serve as a API entry point for the docker client and will answer to an user's 'docker pull'. It does not however create content manifests or provide hosting for docker image content, instead it depends on someone creating the manifest metadata themselves or having pulp publish it and serves 302 redirects to the docker client so they can find where the docker images actually live.
 
 
 
* MirrorManager is what Fedora uses to manage the public mirror network and distribute content.
 
 
 
* Docker Distribution is the defacto standard open source implementation of the Docker Registry V2 API spec[5]. It provides many features but the ability to have it's back-end storage be provided by a "mirror network" much like the one Fedora has at it's disposal is not one of them. The reason we need this in place is because the mechanism by which you could push a docker image directly to Pulp in Docker Registry v1 no longer exists in v2 so we must instead perform a "sync" operation between the two. (This is a common problem for all known "third party" v2 registry implementations).
 
  
 
=== Workflow ===
 
=== Workflow ===
  
* OSBS will perform Builds, as these builds complete they will be pushed to the docker-distribution (v2) registry, these will be considered "candidate images". Pulp will sync and publish the candidate repository.
+
* OSBS will perform Builds, as these builds complete they will be pushed to the docker-distribution (v2) registry, these will be considered "candidate images". These will be stored in candidate repositories on the docker-distribution registry.
 
* Testing will occur using the "candidate images" (details of how we want to handle that are outside the scope of this proposal).
 
* Testing will occur using the "candidate images" (details of how we want to handle that are outside the scope of this proposal).
 
* A "candidate image" will be marked stable once it's criteria have been satisfied to do so. (This is vague because this is a topic of ongoing discussion and work to decide what criteria an image will need to abide by before being considered "stable" and promoted as such)
 
* A "candidate image" will be marked stable once it's criteria have been satisfied to do so. (This is vague because this is a topic of ongoing discussion and work to decide what criteria an image will need to abide by before being considered "stable" and promoted as such)
* Once stable, pulp will publish that repository's content to a directory, we will split that content and sync the image layers along with their metadata to Mirror Manager master mirror. We will also sync the repo metadata published by Pulp to somewhere Crane can pick it up. (This could and will likely be something that Bodhi triggers via the Pulp REST API)
+
* Once stable, the images will be pushed into stable repositories in the docker-distribution registry.
* Mirror Manager will distribute to the mirrors the image layers and their metadata.
+
* The docker clients will request Manifests from <code>registry.fedoraproject.org</code>. Requests for blobs will receive a <code>302 Redirect</code> to <code>cdn.registry.fedoraproject.org</code> which will serve the blob files.
* Crane will get the new repository metadata and will serve redirects to the new content relative to download.fedoraproject.org which will perform another redirect (via MirrorManager) where the docker client upon a "docker pull" will find it's content.
 
  
 +
=== Signing ===
  
=== Technical Details ===
+
For the initial implementation of the Fedora Docker registry, we will not be signing the images. This will still be safe for our users, as the manifests will be served by <code>registry.fedoraproject.org</code> only (the CDN will not be serving manifests or any metadata) and only over TLS. Container manifests reference the blob layers by checksum and the client does verify the checksums of the layers it downloads. Thus we will rely on TLS to safely transmit the checksums of the blobs to the end user, and we will rely on their client to validate the checksums of the blobs it downloads from the CDN.
Some more in depth technical items around this solution that I think the Fedora Infrastructure Team are likely interested in:
 
  
==== Pulp Requirements ====
+
We may revisit signing in the future when there are more available choices for us to use as an added layer of security.
* An AMPQ message queue, currently qpid and rabbitmq are supported upstream. However, the requirement appears to stem from the use of Celery[5] and Celery upstream supports redis[6] as a broker backend so I have requested that it be made available as supported option Pulp[7]. This will obviously take some amount of dev time, but we can plan for that if adding a message queue to Fedora Infra is a show stopper.
 
* MongoDB, this is currently a hard requirement but postgresql is planned replace MongoDB in the future[8] (probably a year-ish timeline on that). The question is, can we wait that long from a Fedora Project standpoint for the new feature before having a solution in place? I imagine some of this will need to be planned/scoped as time goes on and we learn more but it's worth keeping in mind
 
* Storage. I've been told Pulp likes a lot of storage, I don't know hard numbers for what we'd need since we're getting into uncharted territory but I've heard that a few hundred GB is not uncommon in pulp deployments when combining the MongoDB storage needs with all the artifacts in the repos.
 
 
 
==== Crane Requirements ====
 
* Crane is just a small python wsgi app written in flask
 
  
 
==== General Notes ====
 
==== General Notes ====
 
A couple of things to note about maintenance and uptime considerations:
 
A couple of things to note about maintenance and uptime considerations:
  
The Intermediate docker-distribution registry is needed for builds in koji+OSBS
+
The Intermediate docker-distribution registry is needed for builds in koji+OSBS.
  
Pulp will be required for "promotion" of builds from candidate to testing or stable
+
Much of the current design was discussed on the infrastructure mailing list[1].
  
Crane will be required for end users out in the world to access in order to actually pull down Docker images from us.
+
All new components in this design should be able to be locked down, similar to the "Fedora internal" components like koji (builders, etc) and bodhi (signing, etc).
  
The only service here that needs to be public end-user facing (i.e. wide open to the internet and not have access locked to a FAS group) is Crane. All other components should be able to be locked down similar to the "Fedora internal" components koji (builders, etc), bodhi (signing, etc) and similar.
+
* [1] https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/IMK3IKNMVYMEBV5S7BCYHNSVA2BGSWZ3/
 
 
* [0] http://www.pulpproject.org/
 
* [1] https://github.com/pulp/crane
 
* [2] https://github.com/fedora-infra/mirrormanager2/
 
 
* [3] https://github.com/docker/distribution/
 
* [3] https://github.com/docker/distribution/
 
* [4] https://docs.docker.com/registry/spec/api/
 
* [4] https://docs.docker.com/registry/spec/api/
* [5] http://www.celeryproject.org/
+
* [5] https://github.com/docker/distribution/issues/1825
* [6] http://redis.io/
+
* [6] https://github.com/docker/docker/pull/23014
* [7] https://pulp.plan.io/issues/1900
+
* [7] https://docs.docker.com/registry/spec/manifest-v2-2/#/image-manifest-field-descriptions
* [8] https://pulp.plan.io/issues/1803
+
* [8] https://github.com/docker/docker/pull/22866
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
This will allow for Fedora to provide packages, software, and other content in the form of a Docker Image as an officially released artifact from the Fedora Project that is released and hosted much in the same way RPMs are today. These images can then be included in the distribution in various ways. This could potentially be used by the [[Modularization]] effort or by any other part of the [[Fedora.next]] initiative that may arise.
+
This will allow for Fedora to provide packages, software, and other content in the form of container images as officially released artifacts from the Fedora Project that are released much in the same way RPMs are today. These images can then be included in the distribution in various ways. This could potentially be used by the [[Modularization]] effort or by any other part of the [[Fedora.next]] initiative that may arise.
  
 
== Scope ==
 
== Scope ==
* Proposal owners:
+
=== Proposal owners ===
<!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+
 
 +
Proposal owners shall have to:
 +
* Implement the proposed Design of a Scaled-Out Docker Registry
 +
* Deploy Docker-Distribution Registry
 +
* Document the system
 +
 
 +
=== Task matrix ===
 +
 
 +
This is a [https://en.wikipedia.org/wiki/Responsibility_assignment_matrix RACI matrix] for tasks required to implement the [[Changes/ReleaseEngineeringAutomationWorkflowEngine|RelEng Automation Workflow Engine]]. Work is tracked in Taiga: http://taiga.cloud.fedoraproject.org/project/acarter-fedora-docker-atomic-tooling/wiki/home
 +
 
 +
 
 +
==== Is this current? ====
 +
 
 +
It is, as of <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
 +
 
 +
==== Definitions ====
 +
 
 +
Here, we're using what Wikipedia calls "[https://en.wikipedia.org/wiki/Responsibility_assignment_matrix#RACI_.28alternative_scheme.29 RACI (alternative scheme)]":
  
* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
  
* Release engineering: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
:; ''Responsible''
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.
+
:: The person responsible for the performance of the task. There should be exactly one person with this assignment for each task.
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook.-->
 
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
 
  
* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
:; ''Assists''
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
+
:: Those who assist completion of the task.
  
* Trademark approval: N/A (not needed for this Change)
+
:; ''Consulted''
<!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://fedorahosted.org/council/ ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. -->
+
:: Those whose opinions are sought; and with whom there is two-way communication.
 +
 
 +
:; ''Informed''
 +
:: Those who are kept up-to-date on progress; and with whom there is one-way communication.
 +
 
 +
==== Task Table ====
 +
{{admon/note|This an early cut. Please feel free to add new tasks as appropriate — just let one of the coordinators know.}}
 +
 
 +
{|
 +
! scope="col"| Task
 +
! scope="col"| Subtask
 +
! scope="col"| Responsible
 +
! scope="col"| Assists
 +
! scope="col"| Consulted
 +
! scope="col"| Informed
 +
! scope="col"| Current Status
 +
|-
 +
| <!-- task      --> Implement the proposed design of a Scaled-Out Docker Registry
 +
| <!-- subtask    -->
 +
| <!-- responsible--> [[User:Maxamillion| Adam Miller]]
 +
| <!-- assists    -->
 +
| <!-- consulted  -->
 +
| <!-- informed  -->
 +
| <!-- status    -->0%
 +
|-
 +
| <!-- task      -->
 +
| <!-- subtask    --> Deploy solution, including ansible playbooks added for Fedora Infrastructure Ansible repo
 +
| <!-- responsible--> [[User:Maxamillion| Adam Miller]]
 +
| <!-- assists    -->
 +
| <!-- consulted  -->
 +
| <!-- informed  -->
 +
| <!-- status    -->0%
 +
|-
 +
| <!-- task      -->
 +
| <!-- subtask    --> Deploy docker-distribution registry
 +
| <!-- responsible--> [[User:Maxamillion| Adam Miller]]
 +
| <!-- assists    -->
 +
| <!-- consulted  -->
 +
| <!-- informed  -->
 +
| <!-- status    -->0%
 +
|-
 +
| <!-- task      --> Document the system
 +
| <!-- subtask    -->
 +
| <!-- responsible--> [[User:Maxamillion| Adam Miller]]
 +
| <!-- assists    -->
 +
| <!-- consulted  -->
 +
| <!-- informed  -->
 +
| <!-- status    -->0%
 +
|-
 +
|}
 +
 
 +
==== Glossary of Nicknames ====
 +
 
 +
* maxamillion [[User:Maxamillion| Adam Miller]]
 +
* bowlofeggs [[User:Bowlofeggs | Randy Barlow]]
 +
 
 +
==== Various Task Notes ====
 +
 
 +
=== Functional Requirements ===
 +
 
 +
The following features are functional requirements
 +
 
 +
* Users must be able to perform a <pre>docker pull registry.fedoraproject.org/fedora</pre> and have the actual image layer data come from a local mirror via mirrormanager.
 +
 
 +
=== Other developers ===
 +
* (anything here)?
  
 
== Upgrade/compatibility impact ==
 
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
 
  
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
 
N/A (not a System Wide Change)  
 
N/A (not a System Wide Change)  
  
Line 207: Line 210:
 
-->
 
-->
  
 +
Once the service is deployed, users can perform the following on their systems to test.
 +
<pre>
 +
$ dnf -y install docker
 +
$ systemctl start docker
 +
$ docker pull registry.fedoraproject.org/fedora
 +
</pre>
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
N/A (not a System Wide Change)  
 
N/A (not a System Wide Change)  
Line 228: Line 237:
 
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
 
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Blocks release? No (not a System Wide Change)
* Blocks product? product <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
+
* Blocks product? N/A <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
  
 
== Documentation ==
 
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
+
FIXME
 
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
N/A (not a System Wide Change)
 
  
 
== Release Notes ==
 
== Release Notes ==
Line 252: Line 258:
 
<!-- Select proper category, default is Self Contained Change -->
 
<!-- Select proper category, default is Self Contained Change -->
 
[[Category:SelfContainedChange]]
 
[[Category:SelfContainedChange]]
<!-- [[Category:SystemWideChange]] -->
 

Latest revision as of 22:31, 12 April 2017


Fedora Scale-Out Docker Registry

Summary

This is a proposal for a change to the Fedora Infrastructure and Fedora Release Engineering tooling to provide a scalable container registry solution for Fedora that is integrated with the Fedora Docker Layered Image Build Service.

Owner

  • Name: Adam Miller and Randy Barlow
  • Email: maxamillion@fedoraproject.org and bowlofeggs@fedoraproject.org
  • Release notes owner:

Current status

Detailed Description

Background

The Fedora project wishes to begin distributing new types of content than it has in the past. One of the types that has been identified as a goal are container images. Adam Miller has already done the work that will allow packagers to build container images, but we still need a way to distribute those builds to Fedora's users. Adam Miller's implementation helpfully drops the builds we want into a container registry.

registry: a collection of container image repositories

repository: named after an image and is a collection of multiple tags of an that image

tag: an arbitrary string assigned to a specific container image (identified by the image's sha256 checksum) NOTE: The "latest" tag is special and is assumed if no tag is provided. This is true also for a 'docker pull' operation and an image tagged "latest" will be the default image pulled by users.

Proposal

In summary, the proposal is to deploy the docker distribution registry at registry.fedoraproject.org, which will serve the container registry API to Fedora's users. Users will fetch all API data from this endpoint, except for the container blobs. Fedora will serve 302 redirects for all requests for container blobs to cdn.registry.fedoraproject.org. The CDN will handle serving the large blob files to the users.

  • Docker Distribution is the defacto standard open source implementation of the Docker Registry V2 API spec.

Workflow

  • OSBS will perform Builds, as these builds complete they will be pushed to the docker-distribution (v2) registry, these will be considered "candidate images". These will be stored in candidate repositories on the docker-distribution registry.
  • Testing will occur using the "candidate images" (details of how we want to handle that are outside the scope of this proposal).
  • A "candidate image" will be marked stable once it's criteria have been satisfied to do so. (This is vague because this is a topic of ongoing discussion and work to decide what criteria an image will need to abide by before being considered "stable" and promoted as such)
  • Once stable, the images will be pushed into stable repositories in the docker-distribution registry.
  • The docker clients will request Manifests from registry.fedoraproject.org. Requests for blobs will receive a 302 Redirect to cdn.registry.fedoraproject.org which will serve the blob files.

Signing

For the initial implementation of the Fedora Docker registry, we will not be signing the images. This will still be safe for our users, as the manifests will be served by registry.fedoraproject.org only (the CDN will not be serving manifests or any metadata) and only over TLS. Container manifests reference the blob layers by checksum and the client does verify the checksums of the layers it downloads. Thus we will rely on TLS to safely transmit the checksums of the blobs to the end user, and we will rely on their client to validate the checksums of the blobs it downloads from the CDN.

We may revisit signing in the future when there are more available choices for us to use as an added layer of security.

General Notes

A couple of things to note about maintenance and uptime considerations:

The Intermediate docker-distribution registry is needed for builds in koji+OSBS.

Much of the current design was discussed on the infrastructure mailing list[1].

All new components in this design should be able to be locked down, similar to the "Fedora internal" components like koji (builders, etc) and bodhi (signing, etc).

Benefit to Fedora

This will allow for Fedora to provide packages, software, and other content in the form of container images as officially released artifacts from the Fedora Project that are released much in the same way RPMs are today. These images can then be included in the distribution in various ways. This could potentially be used by the Modularization effort or by any other part of the Fedora.next initiative that may arise.

Scope

Proposal owners

Proposal owners shall have to:

  • Implement the proposed Design of a Scaled-Out Docker Registry
  • Deploy Docker-Distribution Registry
  • Document the system

Task matrix

This is a RACI matrix for tasks required to implement the RelEng Automation Workflow Engine. Work is tracked in Taiga: http://taiga.cloud.fedoraproject.org/project/acarter-fedora-docker-atomic-tooling/wiki/home


Is this current?

It is, as of 2017-04-12

Definitions

Here, we're using what Wikipedia calls "RACI (alternative scheme)":


Responsible
The person responsible for the performance of the task. There should be exactly one person with this assignment for each task.
Assists
Those who assist completion of the task.
Consulted
Those whose opinions are sought; and with whom there is two-way communication.
Informed
Those who are kept up-to-date on progress; and with whom there is one-way communication.

Task Table

Note.png
This an early cut. Please feel free to add new tasks as appropriate — just let one of the coordinators know.
Task Subtask Responsible Assists Consulted Informed Current Status
Implement the proposed design of a Scaled-Out Docker Registry Adam Miller 0%
Deploy solution, including ansible playbooks added for Fedora Infrastructure Ansible repo Adam Miller 0%
Deploy docker-distribution registry Adam Miller 0%
Document the system Adam Miller 0%

Glossary of Nicknames

Various Task Notes

Functional Requirements

The following features are functional requirements

  • Users must be able to perform a
    docker pull registry.fedoraproject.org/fedora
    and have the actual image layer data come from a local mirror via mirrormanager.

Other developers

  • (anything here)?

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

Once the service is deployed, users can perform the following on their systems to test.

$ dnf -y install docker
$ systemctl start docker
$ docker pull registry.fedoraproject.org/fedora

N/A (not a System Wide Change)

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No (not a System Wide Change)
  • Blocks product? N/A

Documentation

FIXME

Release Notes