#5368 Requesting guidance on Docker base image upload origin
Closed: Fixed. Opened 7 years ago by maxamillion.

= problem =
Fedora is going to have a Docker Registry in prod soon and already has one in staging; currently the Registry is locked down to only allow uploads from the OSBS build system. I would like recommendations on where else in the Infrastructure we could allow pushing content to the registry, possibly in an automated fashion. The main requirement here is that in order to run either a 'docker pull' or a 'docker push', the machine must have the docker service available to it, which has its own security implications.


Well, I would prefer to keep this down to only things that actually need that access, at least to start.

Can we start out with a 'deny by default' policy, and add specific ips as we need them and can justify them having access?

Replying to [comment:1 kevin]:

Well, I would prefer to keep this down to only things that actually need that access, at least to start.

Can we start out with a 'deny by default' policy, and add specific ips as we need them and can justify them having access?

I'm not sure I follow. We already have it deny by default for 'docker push' based on certs provisioned and configured in the Infra but right now the only "blessed" place to install those certs and have a 'docker push' run from is in OSBS. I would like to have somewhere else to do this but it requires the docker daemon and I know that traditionally docker has been a no-go for Infra. I'm not asking to run services in docker, just be able to have a point of origin to inject content (base images or otherwise) into our registry for support of OSBS.

Well, I guess I don't understand the request. ;)

Perhaps we could back up a bit... what sorts of reasons and how often would you have to 'docker push' ?

I guess this sounds like a new instance 'docker-mgmt01'? or the composer hosts (compose-x86-01, etc)?

Main reason is to push new base images from the standard and rawhide compose processes into the registry so that the OSBS system can pull them into the buildroots, as well as when we bootstrap a deploy of OSBS we need to make sure we have various OpenShift related "infrastructure images". The reason for the OpenShift "infrastructure images" is that some of OpenShift's services are run in containers and managed by the OpenShift orchestration primitives (can be mapped to Kubernetes primitives such as pods).

I think the composer hosts would be appropriate, the frequency is likely once a month at best and/or every time we decide to completely tear down OSBS and the registry in stage for a redeploy. I know that there have been discussions led by dgilmore about pushing rawhide docker base images to our registry nightly as a part of the compose so this might just logistically align with that.

Sure, that sounds fine to me...we can adjust if it seems we need other places.

I would like to propose the following change to Ansible to enable this.

{{{
diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/docker-registry.yml
index e9d33e2..3f692f8 100644
--- a/playbooks/groups/docker-registry.yml
+++ b/playbooks/groups/docker-registry.yml
@@ -91,3 +91,27 @@
},
when: env == "production"
}
+
+- name: Setup compose-x86-01 push docker images to registry.stg.fp.o
+ hosts: compose-x86-01.phx2.fedoraproject.org
+ user: root
+ gather_facts: True
+ tags:
+ - releng-compose
+
+ vars:
+ docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org"
+
+ - include: "{{playbooks}}/include/push-docker-registry.yml"
+
+- name: Setup compose-x86-01 push docker images to registry.fp.o
+ hosts: compose-x86-01.phx2.fedoraproject.org
+ user: root
+ gather_facts: True
+ tags:
+ - releng-compose
+
+ vars:
+ docker_cert_dir: "/etc/docker/certs.d/registry.fedoraproject.org"
+
+ - include: "{{playbooks}}/include/push-docker-registry.yml"
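Review bot: the two `- include:` lines at the end of each new play sit at playbook level (the same indentation as `- name:`), not under a `tasks:` key, so the play-level `vars: docker_cert_dir` set just above never reaches them, and push-docker-registry.yml is a task list rather than a playbook, so a playbook-level include of it will fail. Move each include under `tasks:` of its play. The two plays also both target compose-x86-01 with no `when: env == "staging"` / `when: env == "production"` guard like the one in the context above, so a single run provisions both the stg and prod cert directories with the same key on that host.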
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
index 4ea9392..f06849c 100644
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@@ -45,29 +45,7 @@
src: "{{files}}/osbs/docker-storage-setup"
dest: "/etc/sysconfig/docker-storage-setup"

    • name: install docker
  • action: "{{ ansible_pkg_mgr }} name=docker state=installed"

    • name: ensure docker daemon cert dir exists
  • file:
  • path: "{{docker_cert_dir}}"
  • state: directory

    • name: install docker client cert for registry
  • copy:
  • src: "{{private}}/files/koji/containerbuild.cert.pem"
  • dest: "{{docker_cert_dir}}/client.cert"

    • name: install docker client key for registry
  • copy:
  • src: "{{private}}/files/koji/containerbuild.key.pem"
  • dest: "{{docker_cert_dir}}/client.key"

    • name: run docker-storage-setup
  • shell: "docker-storage-setup"

    • name: start and enable docker
  • service: name=docker state=started enabled=yes
    • include: "{{playbooks}}/include/push-docker-registry.yml"

    • name: create cert dir for openshift public facing REST API SSL
      file:
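Review bot: the removed block carried `run docker-storage-setup`, which the new include (push-docker-registry.yml) does not contain, while the play still deploys `/etc/sysconfig/docker-storage-setup` in the context above; after this change the config is written on the OSBS master but never applied. Keep a `shell: docker-storage-setup` task in osbs-master.yml after the include, or add it to the include behind a flag so the compose host can skip it.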
      diff --git a/playbooks/include/push-docker-registry.yml b/playbooks/include/push-docker-registry.yml
      new file mode 100644
      index 0000000..9bc56e7
      --- /dev/null
      +++ b/playbooks/include/push-docker-registry.yml
      @@ -0,0 +1,30 @@
      +# NOTES:
      +#
      +# This include playbook is to provide the ability for a host to push docker
      +# images to the Fedora docker registriy.
      +#
      +# Requirements:
      +# docker_cert_dir - Anywhere this playbook is included must have this defined
      +# Example value: /etc/docker/certs.d/$REGISTRY_HOSTNAME/
      +# (Where $REGISTRY_HOSTNAME="registry.fedoraproject.org" or similar)
      +
      +- name: install docker

    • action: "{{ ansible_pkg_mgr }} name=docker state=installed"
      +
      +- name: ensure docker daemon cert dir exists
    • file:
    • path: "{{docker_cert_dir}}"
    • state: directory
      +
      +- name: install docker client cert for registry
    • copy:
    • src: "{{private}}/files/koji/containerbuild.cert.pem"
    • dest: "{{docker_cert_dir}}/client.cert"
      +
      +- name: install docker client key for registry
    • copy:
    • src: "{{private}}/files/koji/containerbuild.key.pem"
    • dest: "{{docker_cert_dir}}/client.key"
      +
      +- name: start and enable docker
    • service: name=docker state=started enabled=yes
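Review bot: the NOTES header lists `docker_cert_dir` as a requirement but nothing enforces it, and `private` is used in the `copy` src paths without being listed; an undefined `docker_cert_dir` would make the `file` task fail with an unhelpful templating error. Add a leading `fail:` task with `when: docker_cert_dir is not defined` (or an `assert`), and list `private` under Requirements. Also "registriy" in the comment should be "registry".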

}}}

That seems ok to me.

Or would it be more clear to make this a role and include it in the needed playbooks just as a role?

Replying to [comment:7 kevin]:

That seems ok to me.

Or would it be more clear to make this a role and include it in the needed playbooks just as a role?

Yeah, that makes more sense ... I'll do that.

Setup as a role, looking forward to feedback! :)

{{{
diff --git a/playbooks/groups/docker-registry.yml b/playbooks/groups/docker-registry.yml
index e9d33e2..1de2af7 100644
--- a/playbooks/groups/docker-registry.yml
+++ b/playbooks/groups/docker-registry.yml
@@ -91,3 +91,24 @@
},
when: env == "production"
}
+
+- name: Setup compose-x86-01 push docker images to registry
+ hosts: compose-x86-01.phx2.fedoraproject.org
+ user: root
+ gather_facts: True
+ tags:
+ - releng-compose
+
+ roles:
+ - {
+ role: push-docker,
+ docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
+ private: {{private}},
+ when: env == "staging"
+ }
+ - {
+ role: push-docker,
+ docker_cert_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
+ private: {{private}},
+ when: env == "production"
+ }
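Review bot: `private: {{private}},` inside the role flow mappings is not valid YAML, since a value beginning with `{{` opens a flow mapping; Ansible needs it quoted as `private: "{{ private }}"`. Better, drop the parameter altogether: `private` is already the global variable the role reads in its `copy` src paths, so passing it through adds nothing.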
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
index 4ea9392..6127fe9 100644
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@@ -45,30 +45,6 @@
src: "{{files}}/osbs/docker-storage-setup"
dest: "/etc/sysconfig/docker-storage-setup"

    • name: install docker
  • action: "{{ ansible_pkg_mgr }} name=docker state=installed"

    • name: ensure docker daemon cert dir exists
  • file:
  • path: "{{docker_cert_dir}}"
  • state: directory

    • name: install docker client cert for registry
  • copy:
  • src: "{{private}}/files/koji/containerbuild.cert.pem"
  • dest: "{{docker_cert_dir}}/client.cert"

    • name: install docker client key for registry
  • copy:
  • src: "{{private}}/files/koji/containerbuild.key.pem"
  • dest: "{{docker_cert_dir}}/client.key"

    • name: run docker-storage-setup
  • shell: "docker-storage-setup"

    • name: start and enable docker
  • service: name=docker state=started enabled=yes

    • name: create cert dir for openshift public facing REST API SSL
      file:
      path: "/etc/origin/master/named_certificates"
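Review bot: `run docker-storage-setup` is removed here along with the docker tasks, but the push-docker role that replaces them does not carry it, and the play still installs `/etc/sysconfig/docker-storage-setup` in the context above. The OSBS master would end up with the storage config deployed but never applied; keep that `shell` task in this play (after docker is installed) rather than dropping it.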
      @@ -94,6 +70,20 @@
      src: "{{private}}/files/httpd/osbs.htpasswd"
      dest: /etc/origin/htpasswd
  • roles:

    • {
  • role: push-docker,
  • docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
  • private: {{private}},
  • when: env == "staging"
  • }
    • {
  • role: push-docker,
  • docker_cert_dir: "/etc/docker/certs.d/registry.fedoraproject.org",
  • private: {{private}},
  • when: env == "production"
  • }
    +
  • name: setup osbs
    hosts: osbs:osbs-stg
    vars_files:
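Review bot: roles run before a play's `tasks:`, so with the push-docker role attached here docker is installed and started before the tasks above copy `/etc/sysconfig/docker-storage-setup`, which reverses the order the removed task list had. If storage setup needs to precede the first daemon start, either move the storage-setup copy into a `pre_tasks:` section or have the role handle it. The unquoted `private: {{private}}` values here also need quoting (or removal, since `private` is already global) before this file will parse.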
    diff --git a/roles/push-docker/tasks/main.yml b/roles/push-docker/tasks/main.yml
    new file mode 100644
    index 0000000..204c0bf
    --- /dev/null
    +++ b/roles/push-docker/tasks/main.yml
    @@ -0,0 +1,23 @@
    +---
    +# tasks file for push-docker
    +#
    +- name: install docker
  • action: "{{ ansible_pkg_mgr }} name=docker state=installed"
    +
    +- name: ensure docker daemon cert dir exists
  • file:
  • path: "{{docker_cert_dir}}"
  • state: directory
    +
    +- name: install docker client cert for registry
  • copy:
  • src: "{{private}}/files/koji/containerbuild.cert.pem"
  • dest: "{{docker_cert_dir}}/client.cert"
    +
    +- name: install docker client key for registry
  • copy:
  • src: "{{private}}/files/koji/containerbuild.key.pem"
  • dest: "{{docker_cert_dir}}/client.key"
    +
    +- name: start and enable docker
  • service: name=docker state=started enabled=yes
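Review bot: the `copy` tasks for `client.cert` and `client.key` set no `owner`, `group` or `mode`, so the client private key lands with whatever the default umask gives, and the cert dir created by `file` likewise. Set `mode: 0600` and `owner: root` on the key (and `0755`/`0644` on the dir and cert); the docker daemon runs as root and reads certs.d itself, so nothing else needs access. Also consider making the `containerbuild.cert.pem`/`.key.pem` paths role defaults rather than hardcoding them, so the compose host can later get its own identity and the registry can tell pushes from the two origins apart.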

}}}

Replying to [comment:10 kevin]:

Looks good. Shipit!

+1 - Thanks!
