Univention Bugzilla – Bug 52344
Allow to change docker registry
Last modified: 2021-01-27 10:02:24 CET
Docker.com announced August 2020 that they will rate-limit access to https://hubd.docker.com/ to 100 requests / hour: <https://www.docker.com/blog/scaling-docker-to-serve-millions-more-developers-network-egress/> This is now enforced since November 1st 2020. This breaks GitLab which does a lot of requests and is easily over that limit. This can be mitigated by setting up a (local) mirror, which is used for the bulk download: <https://git.knut.univention.de/univention/internal/repo-ng/-/issues/70> We need a way to allow user to add > "registry":["http://my.host.name:5000"] to /etc/docker/daemon.json. On UCS this is a UCS templated file, which currently does not support this: /etc/univention//templates/files/etc/docker/daemon.json Internal Issue: https://git.knut.univention.de/univention/internal/repo-ng/-/issues/70
Proposed patch: <https://git.knut.univention.de/univention/ucs/-/commit/89f6427b2418b9bb420131c88e21b208f64e4512> Idee: Add new UCRV `docker/daemon/default/json` which can be used to setup arbitrary JSON data, which is mixed in /etc/docker/daemon.json. This way an experienced user can at least set arbitrary options, many all options shown by `dockerd --help`. @QA: Test on xen1 worked, doing a `docker pull node` can be seen with `ssh docker-registry.knut.univention.de sudo -s docker logs -f docker-registry-internal` (In reply to Philipp Hahn from comment #0) > This can be mitigated by setting up a (local) mirror, which is used for the > bulk download: <...> This was supposed to be <https://about.gitlab.com/blog/2020/10/30/mitigating-the-impact-of-docker-hub-pull-requests-limits/>
Updated patch due to ucs-lint errors: See URL in Bugzilla Header (In reply to Philipp Hahn from comment #0) > We need a way to allow user to add > > "registry":["http://my.host.name:5000"] That should have been "repository-mirrors", e.g.: > ucr set docker/daemon/default/json='{"registry-mirrors":["http://docker-registry.knut.univention.de:5000"]}'
The following no longer works as /etc/default/docker is not used by /lib/systemd/system/docker.service: ucr set docker/daemon/default/opts/registry-mirrors=http://docker-registry.knut.univention.de:5001/ WARNING: A "Pull Through Cache Registry" no longer allows uploads! <https://docs.docker.com/registry/spec/api/#on-failure-not-allowed> Therefore we now have a 2nd internal registry :5001 configured for "pull through" only.
Package: univention-docker Version: 4.0.1-10A~4.4.0.202012171138 Branch: ucs_4.4-0 Scope: errata4.4-7 commits 4.4-7: a74cd4aedb13fb262fdd8182022ba7a831ef3938 (yaml) b0a0906985a01fe89a9a182cf8becf81ddcbe077 (changelog) a2b5d2f79c8d95accd790874b5f9897e5a25ee4b (features) Two UCR variables were added to solve the issue: docker/daemon/default/opts/registry-mirrors - dedicated ucr variable for defining custom docker registry mirrors docker/daemon/default/json - offers a way to configure arbitrary JSON encoded data, which gets mixed into the Docker daemon configuration file. So it is possible to add any option to the docker daemon config file without the need of specific UCR variables. For this Bug only the first UCR variable would solve the problem but because docker/daemon/default/json offers great flexibility when it comes to the docker daemon config file we decided to keep both variables in the product.
TODO: Merge Request -> ucr set docker/daemon/default/opts/registry-mirrors='http://docker-registry.knut.univention.de:5000' { "bip": "172.17.42.1/16", ... }, "registry-mirrors": [ "http://docker-registry.knut.univention.de:5000" ] } -> ucr set docker/daemon/default/json='{"registry-mirrors":["http://new-registry.knut.univention.de:5000"]}' { "bip": "172.17.42.1/16", ... "registry-mirrors": [ "http://new-registry.knut.univention.de:5000" ] } OK - univention-docker OK - ucr description OK - yaml
created 5.0-0 merge request: https://git.knut.univention.de/univention/ucs/-/merge_requests/54
OK
Philipp requested changes during merge request review. They probably needs to be done in UCS 4.4-7 as well. I am reopening the bug so that it doesn't yet get accidentally released.
The requested changes have been applied to 4.4-7 and 5.0-0 merge request
ok
<https://errata.software-univention.de/#/?erratum=4.4x868>
(In reply to Florian Best from comment #9) > Philipp requested changes during merge request review. They probably needs > to be done in UCS 4.4-7 as well. I am reopening the bug so that it doesn't > yet get accidentally released. Why did you ignore the merge request comments during QA? (I don't know how relevant they are).