Global Built-In Registry - Using Harbor #1738
Docker registry runs with Docker very easily, I am not sure of the plus value, maybe with some hooks that, for instance, could restart Rancher services when you push a new image.
"very easily" doesn't really go too well with registry 2.0. Setting up the required certificates and the backing store is mandatory if you intend to actually use it instead of just playing around with it, so I think there's plenty of added value there. It's not just
I've just been setting up a registry and for me there would be a lot of value if Rancher could:
+1
Keep the +1's coming :). If we get enough requests, we will do something along the lines of what @JamesBarwell suggested. FYI @cloudnautique
+1
Yeah +1. I see this feature almost like resting on a distributed volume
+1
+1
👍
+1
👍
tl;dr Don't see built-in private registry as an option just because you have to set up storage. That means that you would need to have some configuration on the admin panel before starting it. But since I've read the issue #1272 a few minutes ago, it seems a better solution for this case. EDIT: just because it seems you could set up options on templates, IMHO that discards the need to build that in.
Templates still need to ultimately deploy a docker image, which comes from a registry, and people don't necessarily want their image in public DockerHub...
@cusspvz I do not see quite the connection between docker registry and templates. A built in docker registry in rancher would mean to me
@vincent99 yep, but the registry image is public, which means you could have a template that creates a private registry service on your hosts, allows you to configure storage (to prevent issues with later reboots) and it's up and running as if it was built-in. You could even launch multiple private registries for different teams or stacks. :)
That should be useful, but rancher allows you to add any registry right?
My idea covers that also, well, as it runs as a normal service, you could also say in which hosts should the registry run.
That should be triggered by the CD software, not by the registry. Example: tests workflow could vary between companies, if a company needs to push images so it could be tested by worker services, this would be a hassle. So, Continuous Development Software should be the one who triggers an upgrade (not difficult if you use
Allowable by the templating feature
A fork of registry could be created for rancher to do just that
+1 :D
+1!
+1
+1
+1
There is a nice project to manage private docker registry v2 token authentication named Portus. Maybe it can be integrated into rancher.
@gbisheimer I quickly scoped Portus and it has several configuration issues which prevent it running in production mode just from docker-compose.yml and one nasty bug when tagging images. 👍 To keep it simple I would suggest registry:2 behind nginx proxy with htpasswd read/write ACL and use SSL certs stored in Rancher.
+1
I agree with @mishak87. I tried standing Portus up on rancher, and it would require a few modifications in order to run properly w/o initialization by the user. It also locked up one of my hosts by filling up the HD. I'm not sure why though; I didn't do a postmortem.
@mishak87, before finding Portus I also found this blog that explains how to set up docker_auth to use the new docker registry v2 token-authentication. This is a nice feature that allows more fine-grained access control to the registry images. The nice thing about Portus is that it uses token authentication and manages namespaces, teams and users, and allows limiting the access level (owner, collaborator, viewer) of different team members to the registry. Sure it's not usable in production right now, and also it may need to be ported from Rails before including it in Rancher, but it's a starting point. Registry proxy cache is also a nice feature that should be included
Acceptance Criteria for Alpha
[ ] Have a HA cluster with local cluster enabled, add a PV using NFS to the local cluster. Enable Harbor using the PV option. - Only Admin
verified on rancher:master
verified on rancher:master
Known issue:
verified on rancher:master
verified on rancher:master enable Harbor using EBS as the Storage Class
I've been poring over past (closed) issues, and see no explicit mention of this, so thought it best to ask even if it's only to have it filed away for future reference:
This would be an added value (i.e., deploy Rancher, have a complete solution) and might also do away with a fair amount of issues of various kinds regarding trusting private registries.