authorFrançois Charlier <francois.charlier@redhat.com>2019-09-05 15:29:00 +0200
committerFrançois Charlier <francois.charlier@redhat.com>2019-09-05 18:06:58 +0200
commitc890627c7e8eac998060c56299201df80e5c5525 (patch)
tree86daff7882859572b33078d3817727a856595747
parent5d3c93860d4930ad5a3e826e77ef7ed4bd1ac1fa (diff)
Put docker-registry into read-only mode during gc
The docker-registry documentation recommends this in the garbage-collection guide [1] and states it in the description of the readonly parameter [2]. [1] https://docs.docker.com/registry/garbage-collection/#more-details-about-garbage-collection [2] https://docs.docker.com/registry/configuration/#maintenance Change-Id: I9b681f6a3f5653acca4c07ab945ba9b1b7a01df3
-rwxr-xr-xfiles/fetch_images.py14
-rw-r--r--tasks/main.yml29
-rw-r--r--templates/docker_distribution.yml.j23
3 files changed, 34 insertions, 12 deletions
diff --git a/files/fetch_images.py b/files/fetch_images.py
index 91ea01f..506fff3 100755
--- a/files/fetch_images.py
+++ b/files/fetch_images.py
@@ -20,7 +20,6 @@ import sys
import docker
import requests
-import subprocess
import yaml
client = docker.from_env()
@@ -59,7 +58,8 @@ def list_existing_tags(image):
else:
raise Exception(r.text)
-# If we remove all the tag of the existing image, we won't be able to actuallly
+
+# If we don't remove all the tag of the existing image, we won't be able to actually
# delete it from the registry. As a result, the registry size will grow up indefinitely.
# Any tag can potentially be already used by an image and by the last "string"
# attached to it. So before we apply a tag, we delete any potential existing tag.
@@ -92,14 +92,6 @@ def purge_image_from_local_docker(image):
client.remove_image(image['Id'], force=True)
-def call_registry_gc():
- print('Calling the registry garbage collector')
- subprocess.check_call([
- '/usr/bin/registry',
- 'garbage-collect',
- '/etc/docker-distribution/registry/config.yml'])
-
-
def main():
if len(sys.argv) <= 1:
print('\nError: images_list.yaml path required\nusage: %s ./images_list.yaml' % sys.argv[0])
@@ -135,7 +127,7 @@ def main():
images_to_purge.append(image)
for image in images_to_purge:
purge_image_from_local_docker(image)
- call_registry_gc()
+
if __name__ == '__main__':
main()
diff --git a/tasks/main.yml b/tasks/main.yml
index 88307ce..8f114ec 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -50,6 +50,8 @@
template:
src: docker_distribution.yml.j2
dest: /etc/docker-distribution/registry/config.yml
+ vars:
+ registry_readonly: false
become: true
notify: registry restart
@@ -75,7 +77,7 @@
path: '{{ dci_sync_registry_images_list }}'
regexp: '.*-{{ item }}.*'
state: absent
- with_items: '{{ dci_sync_registry_skip_list }}'
+ with_items: '{{ dci_sync_registry_skip_list }}'
- meta: flush_handlers
@@ -92,3 +94,28 @@
DCI_REGISTRY: '{{ dci_sync_registry_remote_url }}'
DCI_REGISTRY_PASSWORD: '{{ dci_sync_registry_remote_password }}'
DCI_REGISTRY_USER: '{{ dci_sync_registry_remote_login }}'
+
+- name: Change docker-distribution to read-only mode while doing the garbage-collect
+ template:
+ src: docker_distribution.yml.j2
+ dest: /etc/docker-distribution/registry/config.yml
+ vars:
+ registry_readonly: true
+ become: true
+ notify: registry restart
+ tags: molecule-idempotence-notest
+
+- name: Run the registry garbage-collect # noqa 301
+ command: /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+ become: true
+ tags: molecule-idempotence-notest
+
+- name: Change docker-distribution to read-only mode while doing the garbage-collect
+ template:
+ src: docker_distribution.yml.j2
+ dest: /etc/docker-distribution/registry/config.yml
+ vars:
+ registry_readonly: false
+ become: true
+ notify: registry restart
+ tags: molecule-idempotence-notest
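Review bot: The `Run the registry garbage-collect` task can still run against a registry that accepts writes, because the template task before it only notifies `registry restart` and nothing in this hunk flushes handlers before the command. Handlers normally run at the end of the play, so the running process would not load `readonly: enabled: true` until after the collection, and by then the third task has already written `false` back to the file. Adding `- meta: flush_handlers` after the read-only template task and again after the final one makes the restart take effect on each side of the collection. The third task reuses the first task's name although it restores read-write mode; `- name: Change docker-distribution back to read-write mode after the garbage-collect` would describe it correctly. If the garbage-collect command fails, the config stays read-only on disk, so a `block` with the restore step under `always` is worth considering, though whether the handler then fires depends on play settings not visible here.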
diff --git a/templates/docker_distribution.yml.j2 b/templates/docker_distribution.yml.j2
index 298186e..5d2c728 100644
--- a/templates/docker_distribution.yml.j2
+++ b/templates/docker_distribution.yml.j2
@@ -11,3 +11,6 @@ storage:
enabled: true
http:
addr: {{ dci_sync_registry_local_ip }}:{{ dci_sync_registry_local_port }}
+maintenance:
+ readonly:
+ enabled: {{ registry_readonly | default("false") }}
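Review bot: `enabled: {{ registry_readonly | default("false") }}` renders Python-style `True`/`False` when the variable is a real boolean, as it is in the `vars:` blocks of tasks/main.yml, and the lowercase string only in the default case. That presumably still parses, since YAML 1.1 loaders accept `True`, but the rendered value depends on the variable's type; `enabled: {{ registry_readonly | default(false) | bool | lower }}` would always emit `true` or `false`. A short template comment above `maintenance:` saying that read-only mode is toggled around the garbage-collect run would help whoever edits this file next.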