Skip to content

Add instructions to use a local registry with the function builder on faasd #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 3, 2025
Merged

Add instructions to use a local registry with the function builder on faasd #410

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
110 changes: 99 additions & 11 deletions docs/edge/builder.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,20 +11,83 @@ The builder runs as a non-root user making use of user namespaces in Linux.
* Docker must not be installed on the host system.
* faasd-pro version 0.2.23 or later is required.

## Create a registry secret
## Configure a registry

For testing purposes, you can use an ephemeral registry which requires no authentication such as [ttl.sh](https://ttl.sh).
We will be deploying a local container registry as an additional service with faasd and configure the function builder to push images to it.

Bear in mind that this ephemeral cluster is public, and have much more latency than your final production setup.
Create the credentials that will be used to login to the registry. The following commands create credentials for a user named faasd.
The credentials are saved to the file `/var/lib/faasd/registry/auth/htpasswd` in a hashed format, you’ll also need to take a copy of the plaintext version of the password, so that you can authenticate
to the registry.

```bash
sudo tee /var/lib/faasd/secrets/docker-config <<EOF
{
}
Ensure `htpasswd`is installed on your system:

```sh
# On Debian run:
sudo apt install apache2-utils

# On RHEL run:
sudo dnf install httpd-tools
```

```sh
export PASSWORD=$(openssl rand -base64 16)
echo $PASSWORD > ~/registry-password.txt

htpasswd -Bbc ./htpasswd faasd $PASSWORD
sudo mv ~/htpasswd /var/lib/faasd/registry/auth/htpasswd
```

Create a configuration file for the registry:

```sh
sudo cat >> /var/lib/faasd/registry/config.yml <<EOF
version: 0.1
log:
accesslog:
disabled: true
level: warn
formatter: text

storage:
filesystem:
rootdirectory: /var/lib/registry
auth:
htpasswd:
realm: basic-realm
path: /etc/registry/htpasswd
http:
addr: 0.0.0.0:5000
relativeurls: false
draintimeout: 60s
EOF
```

For production use, create a secret with a proper authenticated registry, see the notes on the [Function Builder API for Kubernetes](/openfaas-pro/builder).
Create a crednetials file that can be use by faasd and the pro-builder to push and pull images from the registry. The faas-cli has a utility command that can be used to create the credentials file:

```sh
cat ~/registry-password.txt | faas-cli registry-login \
--server http://registry:5000 \
--username faasd \
--password-stdin
```

We are using the `--server` flag to point to the local registry using its internal service name and port.

The file will be created in the `.credentials` folder. Copy the file so that it can be accessed by faasd and the function builder:

```sh
# Ensure faasd-provider can pull images from the faasd service".
sudo cp ./credentials/config.json /var/lib/faasd/.docker/config.json
# Ensure the pro-builder can mount the credentials file.
sudo cp ./credentials/config.json /var/lib/faasd/secrets/docker-config
```

Just like the registry the function builder will be running as a faasd service and is able to reach the registry using the internal service name.
To be able to access the registry from the host machine, update the `/etc/hosts` file. This ensures the faasd-provider can also access the registry using the same service name.

```sh
echo "127.0.0.1 registry" | sudo tee -a /etc/hosts
```

## Create a payload secret

Expand All @@ -39,6 +102,24 @@ openssl rand -base64 32 | sudo tee /var/lib/faasd/secrets/payload-secret
Add the following services to your `docker-compose.yaml` file:

```yaml
registry:
image: docker.io/library/registry:3
volumes:
- type: bind
source: ./registry/data
target: /var/lib/registry
- type: bind
source: ./registry/auth
target: /etc/registry/
read_only: true
- type: bind
source: ./registry/config.yml
target: /etc/docker/registry/config.yml
read_only: true
deploy:
replicas: 1
ports:
- "127.0.0.1:5000:5000"
pro-builder:
depends_on: [buildkit]
user: "app"
Expand Down Expand Up @@ -113,11 +194,19 @@ Add the following services to your `docker-compose.yaml` file:

Now use faas-cli to perform a test build on the faasd host directly.

Scaffold a new function for testing:

```bash
faas-cli new --lang python3-http \
--prefix ttl.sh/openfaas-tests \
--prefix registry:5000/functions \
pytest
```

The `--prefix` flag is used to set prefix for the function image to our local registry.

Build the function using the function builder API and deploy it:

```bash
sudo cp /var/lib/faasd/secrets/payload-secret ./payload-secret

faas-cli up \
Expand Down Expand Up @@ -149,7 +238,7 @@ faas-cli up \
curl -s http://127.0.0.1:8080/function/pytest
```

The second run will be quicker due to caching, however the temporary ttl.sh registry will still slow things down more than you'll see in production.
The second run will be quicker due to caching.

## Turn off access to the Function Builder API via the host

Expand All @@ -161,4 +250,3 @@ You should be calling the function builder via its internal service name http://
ports:
- "127.0.0.1:8088:8080"
```