-
Notifications
You must be signed in to change notification settings - Fork 80
Support logging in to a private registry before launch #104
Conversation
Hey DRuggeri! Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA. |
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story. The labels on this github issue will be updated when the story is started. |
@DRuggeri I have two thoughts - 1) perhaps move this into the |
Thanks for the feedback, @drnic. No problem with naming it I have no problem moving it to the docker job - I think the following would work well there:
The one thing I wonder... with it being in the containers job, we would do the login pretty much right before the image would be pulled. This gives us a high degree of confidence that the login token is valid. I think it may be possible that a token obtained right after docker daemon start might expire when the containers job attempts to use it at some later time. For example... ... does that sound like a realistic issue? |
Gotcha on the issue of Thought: I'm assuming that all the occasions that Is there another occurrence of another bosh job wanting to use |
I'm not sure if any other job would want to use Thanks for explaining your assumptions - this is where I'm seeking a bit of guidance. The assumption on my part is that a change only to the So, I guess that's the only question that's plaguing me - is it safe to assume that the |
I feel confident that if you move this code to docker job then your containers job will keep work. But test it first ;)
…________________________________
From: Daniel Ruggeri <notifications@github.com>
Sent: Thursday, February 8, 2018 5:15:20 PM
To: cloudfoundry-incubator/docker-boshrelease
Cc: Dr Nic Williams; Mention
Subject: Re: [cloudfoundry-incubator/docker-boshrelease] Support logging in to a private registry before launch (#104)
I'm not sure if any other job would want to use docker (job or command? I assume you mean command). At the least, we know that the containers job uses it which is why a login in the docker job would be enough to permit a pull of the image from the containers job. However, it's probably not safe to assume the containers job is the only consumer of the docker daemon as laid down by the docker job.
Thanks for explaining your assumptions - this is where I'm seeking a bit of guidance. The assumption on my part is that a change only to the containers job would cause bosh to update only that job. This would have the effect of causing monit to trigger the ctl script for the containers job only. If the expiry of the token from the login in the docker job has elapsed in that time, such a restart would cause a failure pulling from the registry.
So, I guess that's the only question that's plaguing me - is it safe to assume that the docker job will have been started or restarted just before the container job? If so, we're golden and I'll go ahead and move it. If not, maybe a sane response would be to add login capabilities to both jobs to cover all bases?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#104 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAAAbKk-JhOBNPkJsYzEEpA4YfbJP5bEks5tS3H4gaJpZM4R3lgO>.
|
Thanks, @drnic. Try as I did, I couldn't get it to fail the way I thought it would. I've modified the PR as suggested to do the login in the Any additional feedback is greatly welcomed. |
done | ||
|
||
# Log in to any registries | ||
<% p('logins', []).each do |login| %> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for not thinking of this before as we were discussing different aspects of the PR - I think this setup of docker login
might go well in a pre-start hook https://bosh.io/docs/post-start.html
As a bonus then we don't need to change the exec dockerd
as above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, I'm sorry for suggestion subsequent changes. I know it can annoy me when someone doesn't just press the "Merge PR" button ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem - what's right is right so we should just aim for that.
I can do that. I hope to have an update in later today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So things turned out a little funky when moving this to post-start
. When running in combination with the containers
job, the start of containers
fails because it "depends" on the post-start of the docker
job being successful. Bosh won't move to post-start
hooks if any of the start
hooks fail, so we never get to the point that the login happens. Basically, a circular dependency...
I think we may be stuck with this logic in the start
hook of the docker
job after all.
@@ -132,3 +132,10 @@ properties: | |||
store_dir: | |||
description: "Path to use as the root of the Docker runtime" | |||
default: "/var/vcap/store" | |||
|
|||
logins: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks simple and nice.
Thanks for investigating the alternate! The CFCR team have a tracker story
scheduled to review + merge the PR soon.
|
hey @DRuggeri, sorry for failing to respond for so long. The team is uncomfortable with this change. Particularly the
Closing for now but we can keep the conversation going and re-open if there is another potential solution. |
I'm watching this repo and I'm jumping in because was curious about this After doing some testing around There is no reason why we would need to protect the And when the So, I would confirm the But there's one problem left. When @DRuggeri asks:
He's right, the question is relevant. Co-located jobs are started in no particular order with BOSH. So no one should assume that any jobs starts before the others. That's why this “login” feature should be implemented in the @DRuggeri, are you OK to move the |
Sorry for the super slow reply. It's been hectic. @glestaris, I'm good with removing nohup and doing some testing around that based on the reply from @bgandon. No problem... so long as it scratches the itch of using a private registry in the long run. If you can confirm the Regarding @bgandon's comments about flipping this over to I think a simple, happy medium could be to move the login logic to the Thoughts? I am very motivated to see this make it upstream... if for any reason, so I don't have to maintain a custom patch 😁. |
@DRuggeri would be really great to have this feature in the upstream... I would really need it ;) |
@Onke, agreed, but it doesn't seem like the maintainers are too interested. Still awaiting feedback. |
Simple patch that adds a few attributes to the job's properties to support logging in to a private registry.