Support docker registry mirrors without URI

Using a URI has not be allowed for many years [0], however this code was not enforced until 17.10 docker [1]. Sadly, we need to setup 2 different vhost ports for this, old 1.13.1 clients will not work properly if they are combined with new. Keep original logic working on 8081 and move 17.10+ clients to 8082. [0] https://github.com/docker/docker-ce/blob/17.06/components/engine/registry/config.go#L339 [1] 1cc36398f9 Change-Id: I837f562331603a7c00f9ba8554b6aa2975169eeb Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-02-08 13:48:14 -05:00 · 2018-02-08 13:48:14 -05:00 · d3b2b29726
commit d3b2b29726
parent 0b69ecda40
2 changed files with 59 additions and 1 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -633,7 +633,7 @@ node /^mirror\d*\..*\.openstack\.org$/ {
  $group = "mirror"

  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 8080, 8081],
+    iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
    sysadmins                 => hiera('sysadmins', []),
    afs                       => true,
    afs_cache_size            => 50000000,  # 50GB
--- a/modules/openstack_project/templates/mirror.vhost.erb
+++ b/modules/openstack_project/templates/mirror.vhost.erb
@ -11,6 +11,9 @@ NameVirtualHost <%= @vhost_name %>:8080
 Listen 8081
 NameVirtualHost <%= @vhost_name %>:8081

+Listen 8082
+NameVirtualHost <%= @vhost_name %>:8082
+
 <VirtualHost <%= @vhost_name %>:<%= @port %>>
    ServerName <%= @srvname %>
    <% if @serveraliases.is_a? Array -%>
@ -253,3 +256,58 @@ NameVirtualHost <%= @vhost_name %>:8081
    ProxyPassReverse "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/"

 </VirtualHost>
+
+<VirtualHost <%= @vhost_name %>:8082>
+    ServerName <%= @srvname %>:8082
+    <% if @serveraliases.is_a? Array -%>
+      <% @serveraliases.each do |name| -%>
+        <%= "  ServerAlias #{name}:8082\n" %>
+      <% end %>
+    <% elsif @serveraliases != nil -%>
+      <%= "  ServerAlias #{@serveraliases}:8082" -%>
+    <% end %>
+
+    # Disable directory listing by default.
+    <Directory />
+      Order Deny,Allow
+      Deny from all
+      Options None
+      AllowOverride None
+    </Directory>
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8082_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8082_access.log combined
+    ServerSignature Off
+
+    # Caching reverse proxy for things that don't make sense in AFS
+    #
+    # General cache rules
+    CacheRoot "/var/cache/apache2/proxy"
+    CacheDirLevels 5
+    CacheDirLength 2
+    # SSL support
+    SSLProxyEngine on
+    # Prevent thundering herds.
+    CacheLock on
+    CacheLockPath "/tmp/mod_cache-lock"
+    CacheLockMaxAge 5
+    # 5GiB
+    CacheMaxFileSize 5368709120
+    # Ignore expire headers as the urls use sha256 hashes.
+    CacheIgnoreQueryString On
+    CacheStoreExpired On
+
+    # NOTE(SamYaple): Docker has historically not allowed to have anything in
+    # the URI, but it wasn't enforced until they started validating the config
+    # in docker-ce 17.10. Prior to that, it was working fine.
+    CacheEnable disk  "/"
+    ProxyPass "/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0
+    ProxyPassReverse "/" "https://registry-1.docker.io/"
+
+    # dseasb33srnrn.cloudfront.net
+    CacheEnable disk "/cloudfront"
+    ProxyPass "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/" ttl=120 keepalive=On retry=0
+    ProxyPassReverse "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/"
+
+</VirtualHost>