Hi Hongbin

Thanks for starting this thread,

I initially proposed this BP because I am in China, which is behind China's great wall, and cannot access gcr.io directly. After checking our cloud-init script, I see that a lot of code is *hard-coded* to use gcr.io. I personally think this is not a good idea. We cannot force users/customers to have internet access in their environment.

I proposed using insecure-registry to give customers/users (Chinese users or anyone who doesn't have gcr.io access) a chance to switch to their own insecure-registry to deploy a k8s/swarm bay.

For your question:
>Is the private registry secure or insecure? If secure, how to handle the authentication secrets. If insecure, is it OK to connect a secure bay to an insecure registry?

An insecure-registry should be a 'secure' one, since the customer needs to set it up and make sure it's a clear one, and in this case, it could be a private cloud.

>Should we provide an instruction for users to pre-install the private registry? If not, how to verify the correctness of this feature?

The simple way to pre-install a private registry is to use insecure-registry, and docker.io has very simple steps to start it [1]. For others, docker registry v2 also supports a TLS-enabled mode, but this will require telling the docker client the key and crt file, which will make "support-private-registry" complex.

[1] https://docs.docker.com/registry/
[2] https://docs.docker.com/registry/deploying/



On 2016-03-30 07:23, Hongbin Lu wrote:

Hi team,

This is the item we didn’t have time to discuss in our team meeting, so I started the discussion here.

Here is the blueprint: https://blueprints.launchpad.net/magnum/+spec/support-private-registry . Per my understanding, the goal of the BP is to allow users to specify the URL of their private docker registry where the bays pull the kube/swarm images (if they are not able to access docker hub or other public registry). An assumption is that users need to pre-install their own private registry and upload all the required images there. There are several potential issues with this proposal:

· Is the private registry secure or insecure? If secure, how to handle the authentication secrets. If insecure, is it OK to connect a secure bay to an insecure registry?

· Should we provide an instruction for users to pre-install the private registry? If not, how to verify the correctness of this feature?

Thoughts?

Best regards,

Hongbin



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Best Regards, Eli Qiao (乔立勇)
Intel OTC China
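
Added example, not part of the original message or of Magnum's code: a Python check that reads a node's Docker `daemon.json` and `certs.d` directory and reports, for each registry, whether the daemon treats it as an insecure registry or verifies it over TLS, the two options weighed in the reply above. The registry names, the sample `daemon.json` and the function names are constructed for illustration; hostnames are not resolved, so CIDR entries only match registries written as IPv4 literals.

```python
import ipaddress
import json
from pathlib import Path

# Constructed sample of a bay node's /etc/docker/daemon.json (not from the thread).
SAMPLE_DAEMON_JSON = """
{"insecure-registries": ["registry.example.internal:5000", "10.0.0.0/8"]}
"""


def is_insecure(registry, entries):
    """True if registry (host[:port]) matches an insecure-registries entry.

    Entries are either an exact host[:port] or a CIDR block. Assumption: no DNS
    lookup is done, so CIDR entries only match registries given as IPv4 literals.
    """
    host = registry.rsplit(":", 1)[0]
    for entry in list(entries) + ["127.0.0.0/8"]:  # Docker treats loopback as insecure
        if entry == registry:
            return True
        try:
            if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # host or entry is a name, not an IP address / CIDR block
    return False


def audit(daemon_json, registries, certs_root="/etc/docker/certs.d"):
    """Classify how the Docker daemon will connect to each registry."""
    entries = json.loads(daemon_json).get("insecure-registries", [])
    report = {}
    for reg in registries:
        cert_dir = Path(certs_root) / reg  # per-registry directory: certs.d/<host:port>/
        if is_insecure(reg, entries):
            report[reg] = "insecure"  # certificate errors ignored, plain HTTP allowed
        elif (cert_dir / "ca.crt").is_file():
            mutual = (cert_dir / "client.cert").is_file() and (cert_dir / "client.key").is_file()
            report[reg] = "tls-private-ca+client-cert" if mutual else "tls-private-ca"
        else:
            report[reg] = "tls-system-ca"  # verified against the host's trust store
    return report


if __name__ == "__main__":
    for name, mode in audit(SAMPLE_DAEMON_JSON, ["registry.example.internal:5000", "gcr.io"]).items():
        print(f"{name}: {mode}")
```

Any registry reported as `insecure` is one where image pulls are not protected against tampering in transit, which is the trade-off behind the "secure bay to an insecure registry" question.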
