diff --git a/roles/pull-from-intermediate-registry/tasks/main.yaml b/roles/pull-from-intermediate-registry/tasks/main.yaml index 4623a634b..56a5cf9e5 100644 --- a/roles/pull-from-intermediate-registry/tasks/main.yaml +++ b/roles/pull-from-intermediate-registry/tasks/main.yaml @@ -74,13 +74,18 @@ mode: 0600 # Pull the images + +# To support usage with both docker and podman, the buildset registry +# keeps "docker.io" entries un-namespaced, and any other namespaces +# are namespaced. Therefore, if we see docker.io in the repository +# name, we strip it here. - name: Pull artifacts from intermediate registry block: - name: Pull artifacts from intermediate registry command: >- skopeo --insecure-policy copy {{ item.url }} - docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }} + docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ item.metadata.tag }} retries: 3 register: result until: result is success diff --git a/roles/push-to-intermediate-registry/tasks/push-image.yaml b/roles/push-to-intermediate-registry/tasks/push-image.yaml index 44f76a5ed..c2bc3071c 100644 --- a/roles/push-to-intermediate-registry/tasks/push-image.yaml +++ b/roles/push-to-intermediate-registry/tasks/push-image.yaml @@ -1,7 +1,11 @@ +# To support usage with both docker and podman, the buildset registry +# keeps "docker.io" entries un-namespaced, and any other namespaces +# are namespaced. Therefore, if we see docker.io in the repository +# name, we strip it here. - name: Push tag to intermediate registry command: >- skopeo --insecure-policy copy - docker://127.0.0.1:{{ socat_port }}/{{ image.repository }}:{{ image_tag }} + docker://127.0.0.1:{{ socat_port }}/{{ image.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ image_tag }} docker://{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }} retries: 3 register: result diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst index 77262c12c..4f9f91b54 100644 --- a/roles/run-buildset-registry/README.rst +++ b/roles/run-buildset-registry/README.rst @@ -1,4 +1,4 @@ -Runs a docker registry for the use of this buildset. +Runs a container registry for the use of this buildset. This may be used for a single job running on a single node, or it may be used at the root of a job graph so that multiple jobs running for a @@ -16,6 +16,12 @@ single change can share the registry. The port on which the registry should listen. +.. zuul:rolevar:: container_command + :default: docker + + The command to use to run the registry container (E.g., ``podman``). + + **Return Values** .. zuul:rolevar:: buildset_registry diff --git a/roles/run-buildset-registry/defaults/main.yaml b/roles/run-buildset-registry/defaults/main.yaml index 407c74787..7c24e657c 100644 --- a/roles/run-buildset-registry/defaults/main.yaml +++ b/roles/run-buildset-registry/defaults/main.yaml @@ -1,2 +1,3 @@ buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry" buildset_registry_port: 5000 +container_command: docker diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml index ecbbccce5..853f80d45 100644 --- a/roles/run-buildset-registry/tasks/main.yaml +++ b/roles/run-buildset-registry/tasks/main.yaml @@ -2,18 +2,18 @@ become: yes package: name: - - python-docker - openssl - python-passlib + - socat state: present when: ansible_python_version is version('3', '<') - name: Install packages become: yes package: name: - - python3-docker - openssl - python3-passlib + - socat state: present when: ansible_python_version is version('3', '>=') - name: Ensure registry volume directories exists @@ -41,16 +41,21 @@ set_fact: certificate: "{{ certificate.content | b64decode }}" - name: Start the buildset registry - docker_container: - name: "{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}" - image: zuul/zuul-registry:latest - state: started - restart_policy: always - ports: - - "{{ buildset_registry_port }}:5000" - volumes: - - "{{ buildset_registry_root }}/tls:/tls" - - "{{ buildset_registry_root }}/conf:/conf" + command: >- + {{ container_command }} run -d + --name="{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}" + --restart=always + --publish="1{{ buildset_registry_port }}:5000" + --volume="{{ buildset_registry_root }}/tls:/tls" + --volume="{{ buildset_registry_root }}/conf:/conf" + docker.io/zuul/zuul-registry:latest + +# Start a socat tunnel to the buildset registry to work around +# https://github.com/containers/libpod/issues/4311 +# in case we're using podman. +- name: Start socat to work around https://github.com/containers/libpod/issues/4311 + shell: "socat -d -d TCP6-LISTEN:{{ buildset_registry_port }},fork TCP:127.0.0.1:1{{ buildset_registry_port }} 2> {{ buildset_registry_root }}/socat_port &" + - name: Set registry information fact set_fact: buildset_registry: diff --git a/roles/use-buildset-registry/README.rst b/roles/use-buildset-registry/README.rst index 2801477a0..beabcb32d 100644 --- a/roles/use-buildset-registry/README.rst +++ b/roles/use-buildset-registry/README.rst @@ -35,3 +35,15 @@ Use this role on any host which should use the buildset registry. The system user to configure to use the docker registry. The docker configuration file for this user will be updated. By default, the user Ansible is running as. + +.. zuul:rolevar:: buildset_registry_namespaces + :default: ['docker.io', 'quay.io', 'gcr.io'] + + The namespaces that the buildset registry supports. The buildset + registry will be consulted first for images in these namespaces. + Any others will be fetched only from their upstream sources. + + Add any local or third-party registries necessary here. + + The default may change in the future as more general-purpose public + registries become known. diff --git a/roles/use-buildset-registry/__init__.py b/roles/use-buildset-registry/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/roles/use-buildset-registry/defaults/main.yaml b/roles/use-buildset-registry/defaults/main.yaml new file mode 100644 index 000000000..137d00966 --- /dev/null +++ b/roles/use-buildset-registry/defaults/main.yaml @@ -0,0 +1,4 @@ +buildset_registry_namespaces: + - docker.io + - quay.io + - gcr.io diff --git a/roles/use-buildset-registry/library/__init__.py b/roles/use-buildset-registry/library/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/roles/use-buildset-registry/library/modify_registries_conf.py b/roles/use-buildset-registry/library/modify_registries_conf.py new file mode 100644 index 000000000..904240f16 --- /dev/null +++ b/roles/use-buildset-registry/library/modify_registries_conf.py @@ -0,0 +1,77 @@ +# Copyright 2019 Red Hat, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import os + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils import remarshal + + +def get_location(prefix, location): + # To support usage with both docker and podman, the buildset + # registry keeps "docker.io" entries un-namespaced. + if prefix == 'docker.io': + return location + else: + return location + '/' + prefix + + +def ansible_main(): + module = AnsibleModule( + argument_spec=dict( + path=dict(required=True, type='path'), + buildset_registry=dict(type='raw'), + buildset_registry_alias=dict(type='str'), + namespaces=dict(type='raw'), + ) + ) + p = module.params + location = '%s:%s' % (p['buildset_registry_alias'], + p['buildset_registry']['port']) + + if os.path.exists(p['path']): + with open(p['path'], 'rb') as f: + input_data = f.read() + data = remarshal.decode('toml', input_data, True) + else: + data = {} + + unseen = set(p['namespaces']) + if 'registry' not in data: + data['registry'] = [] + for reg in data['registry']: + if reg['prefix'] in unseen: + unseen.remove(reg['prefix']) + else: + continue + mirrors = reg.setdefault('mirror', []) + mirrors.insert(0, { + 'location': get_location(reg['prefix'], location)}) + for prefix in unseen: + mirrors = [{'location': get_location(prefix, location)}, + {'location': prefix}] + reg = {'prefix': prefix, + 'location': prefix, + 'mirror': mirrors} + data['registry'].append(reg) + + output_data = remarshal.encode_toml(data, True) + with open(p['path'], 'wb') as f: + f.write(output_data.encode('utf8')) + + module.exit_json(changed=True, data=data) + + +if __name__ == '__main__': + ansible_main() diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml index 12ee2ac4e..212669e38 100644 --- a/roles/use-buildset-registry/tasks/main.yaml +++ b/roles/use-buildset-registry/tasks/main.yaml @@ -23,16 +23,14 @@ file: state: directory path: /etc/docker -- name: Ensure buildset registry cert directory exists - become: true - file: - path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/" - state: directory - name: Write buildset registry TLS certificate become: true copy: content: "{{ buildset_registry.cert }}" - dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt" + dest: "/usr/local/share/ca-certificates/buildset-registry.crt" +- name: Update CA certs + command: update-ca-certificates + become: true # Update daemon config - name: Check if docker daemon configuration exists @@ -73,6 +71,19 @@ register: docker_restart failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg +- name: Ensure containers directory exists + become: yes + file: + state: directory + path: /etc/containers +- name: Modify registries.conf + become: yes + modify_registries_conf: + path: /etc/containers/registries.conf + buildset_registry: "{{ buildset_registry }}" + buildset_registry_alias: "{{ buildset_registry_alias }}" + namespaces: "{{ buildset_registry_namespaces }}" + # We use 'block' here to cause the become to apply to all the tasks # (which does not automatically happen with include_tasks). - name: Update docker user config to use buildset registry diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml index 7aff92d4a..238262fd5 100644 --- a/roles/use-buildset-registry/tasks/user-config.yaml +++ b/roles/use-buildset-registry/tasks/user-config.yaml @@ -37,6 +37,10 @@ content: "{{ docker_config | to_nice_json }}" dest: "~/.docker/config.json" mode: 0600 +- name: Write containers auth configuration + copy: + content: "{{ docker_config | to_nice_json }}" + dest: "/run/user/{{ ansible_user_uid }}/auth.json" - name: Check if /var/lib/kubelet exists stat: path: /var/lib/kubelet diff --git a/test-playbooks/registry/docker/Dockerfile b/test-playbooks/registry/docker/Dockerfile index 609bf905a..178d518e8 100644 --- a/test-playbooks/registry/docker/Dockerfile +++ b/test-playbooks/registry/docker/Dockerfile @@ -1,2 +1,2 @@ -FROM debian:testing +FROM docker.io/library/debian:testing CMD echo "Zuul container test"; sleep infinity diff --git a/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml b/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml index ef07a9158..bfba17653 100644 --- a/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml +++ b/test-playbooks/registry/roles/run-test-intermediate-registry/tasks/main.yaml @@ -1,4 +1,5 @@ - name: Ensure registry volume directories exists + become: true file: state: directory path: "/var/registry/{{ item }}" @@ -6,6 +7,7 @@ - certs - auth - name: Install python packages + become: true package: name: - python3-docker @@ -13,6 +15,7 @@ - python3-bcrypt state: present - name: Write htpassword file + become: true htpasswd: create: true crypt_scheme: bcrypt @@ -20,27 +23,26 @@ name: "{{ intermediate_registry.username }}" password: "{{ intermediate_registry.password }}" - name: Write TLS private key + become: true copy: content: "{{ intermediate_registry_tls_key }}" dest: /var/registry/certs/domain.key - name: Write TLS certificate + become: true copy: content: "{{ intermediate_registry_tls_cert }}{{ intermediate_registry_tls_chain | default('') }}" dest: /var/registry/certs/domain.crt - name: Start intermediate docker registry - docker_container: - name: intermediate_registry - image: registry:2 - state: started - restart_policy: always - ports: - - "5000:5000" - env: - REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt - REGISTRY_HTTP_TLS_KEY: /certs/domain.key - REGISTRY_AUTH: htpasswd - REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd - REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm - volumes: - - "/var/registry/certs:/certs" - - "/var/registry/auth:/auth" + command: >- + {{ container_command }} run -d + --name="intermediate_registry" + --restart=always + --network=host + --env REGISTRY_HTTP_TLS_CERTIFICATE="/certs/domain.crt" + --env REGISTRY_HTTP_TLS_KEY="/certs/domain.key" + --env REGISTRY_AUTH="htpasswd" + --env REGISTRY_AUTH_HTPASSWD_PATH="/auth/htpasswd" + --env REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" + --volume="/var/registry/certs:/certs" + --volume="/var/registry/auth:/auth" + docker.io/library/registry:2 diff --git a/test-playbooks/registry/test-registry-post.yaml b/test-playbooks/registry/test-registry-post.yaml index 108993925..2fda35820 100644 --- a/test-playbooks/registry/test-registry-post.yaml +++ b/test-playbooks/registry/test-registry-post.yaml @@ -1,24 +1,24 @@ - hosts: all tasks: - name: List containers - command: "docker ps -a --format '{{ '{{ .Names }}' }}'" + command: "{{ container_command }} ps -a --format '{{ '{{ .Names }}' }}'" register: docker_containers ignore_errors: true - name: Create container log dir file: - path: "{{ ansible_user_dir }}/zuul-output/logs/docker" + path: "{{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}" state: directory - name: Save container logs loop: "{{ docker_containers.stdout_lines | default([]) }}" - shell: "docker logs {{ item }} &> {{ ansible_user_dir }}/zuul-output/logs/docker/{{ item }}.txt" + shell: "{{ container_command }} logs {{ item }} &> {{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}/{{ item }}.txt" args: executable: /bin/bash ignore_errors: true - name: Open container logs permissions file: - dest: "{{ ansible_user_dir }}/zuul-output/logs/docker" + dest: "{{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}" mode: u=rwX,g=rX,o=rX recurse: yes diff --git a/test-playbooks/registry/test-registry-pre.yaml b/test-playbooks/registry/test-registry-pre.yaml index ad2e4df4e..1672f85a0 100644 --- a/test-playbooks/registry/test-registry-pre.yaml +++ b/test-playbooks/registry/test-registry-pre.yaml @@ -4,10 +4,11 @@ # though that obviously happens in configuration management rather # than a job). - hosts: builder:intermediate-registry - name: Set up docker and iptables configuration for registry hosts - roles: - - install-docker + name: "Set up container system and iptables configuration for registry hosts" tasks: + - name: Install container system + include_role: + name: "install-{{ container_command }}" - name: Open the IPv4 port for the buildset registry become: true iptables: diff --git a/test-playbooks/registry/test-registry.yaml b/test-playbooks/registry/test-registry.yaml index c85ae8ea5..408629c61 100644 --- a/test-playbooks/registry/test-registry.yaml +++ b/test-playbooks/registry/test-registry.yaml @@ -13,8 +13,6 @@ - name: Run the intermediate registry include_role: name: run-test-intermediate-registry - apply: - become: true - name: Install the intermediate registry cert include_role: name: install-registry-cert @@ -25,17 +23,18 @@ - name: Set up user credentials for the intermediate registry include_role: name: intermediate-registry-user-config - - name: Build a docker image for the previous build + - name: "Build a container image for the previous build" include_role: - name: build-docker-image + name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image" vars: docker_images: - context: test-playbooks/registry/docker repository: "{{ previous_build_repository }}" + container_images: "{{ docker_images }}" - name: Tag the previous build - command: "docker tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" + command: "{{ container_command }} tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" - name: Push the previous build to the intermediate registry - command: "docker push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" + command: "{{ container_command }} push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" # This is also essentially pre-configuration for the real test of the # roles. This sets up a fake executor (since we can't run the @@ -112,16 +111,16 @@ - name: Include previous build vars include_vars: vars/previous-build.yaml - name: Pull the previous build from buildset registry to the builder host - command: "docker pull {{ previous_build_repository }}:latest" - - name: Show local docker images for debugging - command: "docker image ls" + command: "{{ container_command }} pull {{ previous_build_repository }}:latest" + - name: "Show local container images for debugging" + command: "{{ container_command }} image ls" - name: Verify previously built image is in buildset registry - command: "docker image inspect {{ previous_build_repository }}:latest" + command: "{{ container_command }} image inspect {{ previous_build_repository }}:latest" # Back to straightforward use of the roles under test. - hosts: builder - name: Test building a docker image + name: Test building a container image tasks: - name: Create fake sibling projects @@ -133,7 +132,7 @@ - name: Build docker image include_role: - name: build-docker-image + name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image" vars: docker_images: - context: test-playbooks/registry/docker @@ -141,6 +140,7 @@ siblings: - opendev.org/fake-sibling-1 - opendev.org/fake-sibling-2 + container_images: "{{ docker_images }}" - hosts: executor name: Test pushing to the intermediate registry @@ -154,6 +154,7 @@ docker_images: - context: playbooks/registry/docker repository: downstream/image + container_images: "{{ docker_images }}" # And finally an external verification step. diff --git a/test-playbooks/registry/vars/intermediate-registry-auth.yaml b/test-playbooks/registry/vars/intermediate-registry-auth.yaml index d75651af2..34f2e78fc 100644 --- a/test-playbooks/registry/vars/intermediate-registry-auth.yaml +++ b/test-playbooks/registry/vars/intermediate-registry-auth.yaml @@ -3,56 +3,59 @@ intermediate_registry: port: 5000 username: "zuul" password: dQI83awO8Akuw0WU +# openssl req -x509 -newkey rsa:2048 -keyout cert.key -out cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN=zuul-jobs.intermediate-registry' -addext 'subjectAltName = DNS:zuul-jobs.intermediate-registry,DNS:localhost,IP:127.0.0.1' intermediate_registry_tls_key: | -----BEGIN PRIVATE KEY----- - MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYkpjfIz7bziCa - mFrWqQ84ldeAs2jvSKs2JG0RhYNNLokr2AU/5TUvqtAisyyd5AX5dBHQ7u/7Vgmj - towt7loFfAG/2/rpdSGi2Njx11roBUoDsjwdE9w3aNnrDvOCyJcepx5TWYS86+vZ - IqodvdnuoWTk9VuolWfHsCgPRQV4uwMbIC5kbv2o4FORsOEzbuRfCEX9UTcAMEGg - K/m/kM/valkrYeBbLILsOcivg4Jh0m+PFC7NTcQFo+uwpZzZvlNtVbmQ3LqkHDAE - KDK94uBcQtdYjvvl6UZ+pNo+puD9iakYtcpQFuU8rpavMLE87+SuPVgi2Rk6QtTz - OAP2mDMJAgMBAAECggEBANM9MfS7WQ1mIXEI19l2roz/wmIbHGgAllbJ8sRbWLWI - hW0JWB15gIYM8tRVtVgP2C/3IYWL+PFKez5+yH3odU/SI5ayhyr8/6DqJ7jD2Dxl - JEs0puOpwmsdTyixvZy78IKKeM7NiuYGq1VwNUOrMQ1LyLB2DUAC8mXYkUpLhUm6 - O4wVaGie7XwMOJazRs66ceU9k7Nuv3b57yc3PN2bzTqYUVjmJ1XeuAiBJaAeHts6 - NfG1+vO9xLXIRTRWvDGKByNsYJJLLPOXZkQZZFYYe8TTduxyCmZgShY6sZmmnWua - cAdBL6b/5B3PZ2SkhdLHklaZmH8PTeAoqI2RDz/8eIECgYEA8gofU8LrK1Xjgrig - ItQxYxqZCrggm9lMMcaADc7u3nff68NyImZ5bSXhvZCu74cAIMx12HbU1UvSCsQ4 - /cncHrlBOzG529878+iWgiUrJ29GsQiHGj+qHA4qGBSP0Qan7ISunskj4GezTeHd - /A3oTn5rLuld9V++647O35lXArkCgYEA5RBwV5nle49UT38hNqL/K+TUX5oZJXB8 - Xl9FT1L799toHUPEWEkSpf7Suf1hDwv6+tsIPO6tN7YirxK390JRxPaT948J8n1d - TkurGDs1uwLQdUWgXIwvQ8ms+8rYvTU7vg2hI7/BZhH09LmGCiYSwnem0QYXjGnc - kk56VeExytECgYBmBDw2Ctcied4eEAF3DKcQVXqiGP+tkMZbyIXazBjEbhRUhBmM - RFLz3V6rjtsdHHLCYEtfhJ6qlH2gihpXZgjAbmb/MzNaaFoVsTgW/OGWioFqRuTi - /GiP0KyPX8NKYBrRRw9u3+qeQDdEIWp2Pcpno0M8D6LJtKR9FsE9X51cCQKBgQCs - 8u5/ldjoo91acHhZUlQrhgi7bhQSao3ciz4/mD5ac7R2dBYpOnL0FiRw/VhtDfSf - twTPTL5IVCJ34UA5Vj964VnzDnLKPdFXLlauYvY8jvFpufpMJiQBoKIVMqDWqvzC - kHPcFAon0OMMa49C1mBPqBuxslHRWJSLeulvMipwIQKBgDFzDTH49cmKP8YQmCuT - vC5PJJ+hutbf/dOVJuOZ5KlKwnRkbMwoamYKrkjgmWMBgtzyz12/a46lZ58ul4xW - 1fKw/nx8uQcbnKnigyjsAUzI9FgBR4d10cYdxPlfYVmj4TAUA3os5Gu6VKySy6SV - xuHEIA6nFsXLXGBu25vI5tEv + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC46dQ/20Zsjel3 + 7D2F+9+9WqslsIWfiP+zsqsz+/K5ngkdYyBEjYCBAUoLmGY/6/HkvZRBYE79R2FK + gjKIIo/bElKI4H6jq2nke5No+nroPXRlFh7wu0yP+U3P6pSaaDKJuJ5mMXxcboZE + z8TyjRs1+RaFo+walNNfcA/ZOg8JRWV5Fe4JBw7GjgR6GH265h6zppakg801rFXV + zbf9sCRz7ic3vpNywGgz8klwqQVR3H1GlZ5zvlDr6/lPin+YwlXRd1wgRfFIima9 + K+IU+nymnBExInO5AyomolpN+bn4bnrx6q2l/FKWvEssVKZPPjT8v7lbzBiXxvb2 + AKYmNjL5AgMBAAECggEARnqBNpGKBwgT62x0iqPUxGRRhT0BwSvDYieAT4EBI7RT + fwrwGpDgYMswALlmh4iTmv6TClP951WUhISZY//gWrxiDt+aBSHpa3eaWNHXlLsP + qRPEWTbaWKnJ+axMVYnPcWSXoxXLc6OAs6uJQnV74Jd++RLgg8Ujx2V79OzHHF3c + AwwH1NHHWXPaxrItB+nLiV0Q9eQh5nibW12IFmyknYaAeYmanzVwDplBubtsS1T3 + X1kjUUaG58qCT/XyyM4YvagaDyy75T6J4XYnRsV7b/FKwc8FuF0vgbI+yY3B8nrz + h4z14QLNvNmUiGbkJRpDzKQb/BeWvT/GPXzvD2ObHQKBgQDfrxIiO4bWa+IjJNSn + FySIBBoKzh70LC8ElQ8AkrzjeucgtPQIY0zJcdT9nhAcS4mYqw4tp1snhm9mbyuB + huF83MwNFJ/O46IrWWpji0fXKQGgmPNex7yDGHYaVAE/nbzajGXXlGB1+w3tHCvM + 1fxKxtLURHNtjfDBZUqDcz+PhwKBgQDToNXiMo5fKc3PninxaHrjnDQmDxk5t1y6 + hEOTJf12BJDw4syh3YzxFcAH0CA47OTy7o7dMZVt5RZ53XKR5fbYfKD7KGX/claw + sfutpskuVgFj4pnwShylFB6dQueFiHcWHf/DjMJmKyNM1dxzZcfqnH6P7FZaiYoW + eoLdy1vJfwKBgQCtTL845HOgNq9aWROkbQqxkrP2gSF8Pasj2rRn1kgf2j2tmmSj + BwQb4mSJJegHdAKj1ItEla/K3J38d872KGEU0yAIVl1F9hjTixAhFWzQZwXKvhV3 + 7jnAO7hsx368IeKKVFInBt8BKUPt23CX34X7DTWUnX/sdhb8TxS+6RBqiwKBgQCF + 3GAtuejQTPL/9n11U68XtcBOqpI8Lb2bxPmxZABU3EKJ/AuP/0GdZTKYPo+DMmUH + PNplE23/mz6CSw6jNqDTAtIYy87oq3wmPA6EItFyW7h5Y+YXVemUiYtr0dv8XPtm + pAcZvDliwrqLaWMOIz03K1Hq24Urs4ADA+8vN+iRJQKBgQCtNXP4sTXjRhO+leiM + 3YXc/qBof9TNlMcKS0g6C0s/+KFZ1CG3DbN0CizDCxqYWedOB7CKWklmfg7ENEhL + NI6NTo10Q376UZE1+TmaWjGdIdvaxDnUeabSeqUXQxinWOS1pGzMgwXULw1BMLCq + Zy9ZnBgOFe2NJl4U7EN8Xdmfrw== -----END PRIVATE KEY----- intermediate_registry_tls_cert: | -----BEGIN CERTIFICATE----- - MIIDtDCCApygAwIBAgIJANpxowfzYw4vMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV - BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX - aWRnaXRzIFB0eSBMdGQxKDAmBgNVBAMMH3p1dWwtam9icy5pbnRlcm1lZGlhdGUt - cmVnaXN0cnkwHhcNMTkwNTMwMjAwOTQxWhcNMzkwNTI1MjAwOTQxWjBvMQswCQYD - VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg - V2lkZ2l0cyBQdHkgTHRkMSgwJgYDVQQDDB96dXVsLWpvYnMuaW50ZXJtZWRpYXRl - LXJlZ2lzdHJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2JKY3yM+ - 284gmpha1qkPOJXXgLNo70irNiRtEYWDTS6JK9gFP+U1L6rQIrMsneQF+XQR0O7v - +1YJo7aMLe5aBXwBv9v66XUhotjY8dda6AVKA7I8HRPcN2jZ6w7zgsiXHqceU1mE - vOvr2SKqHb3Z7qFk5PVbqJVnx7AoD0UFeLsDGyAuZG79qOBTkbDhM27kXwhF/VE3 - ADBBoCv5v5DP72pZK2HgWyyC7DnIr4OCYdJvjxQuzU3EBaPrsKWc2b5TbVW5kNy6 - pBwwBCgyveLgXELXWI775elGfqTaPqbg/YmpGLXKUBblPK6WrzCxPO/krj1YItkZ - OkLU8zgD9pgzCQIDAQABo1MwUTAdBgNVHQ4EFgQU00qH9bMUPRacZwgvBgczgR8Z - 424wHwYDVR0jBBgwFoAU00qH9bMUPRacZwgvBgczgR8Z424wDwYDVR0TAQH/BAUw - AwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHEX2Tw19w5okaJ+6gHMFjA338ffwU9n5 - 2piBMypbYr50yyPyUaTmz4SIBsTLkIWu00a0pdo9pqZDnv1KwxtJtP4o4qQXhMd4 - Ve3FFF+6AMaOy5y5+hRkE8iHOOik/rNPFqkVDatNGuOMSNYO/jUFXc+C6Ol7gM/J - edyWaafjQbvdKapKPbdP4Y69R8OlRTNK1lJMIGJrsCdaeaK4EpLpbJPHnagIMdmQ - HDsTf978weRrjJ4JEODTabsKVHKyx0GBwe8CmR0NzpfO2ORCyNUO1rLK2rzh5YTQ - qKGyfY0DAyiSHxKaUeGiskc4/WMxaYv2FzD63Xvzmot9atSwCMjN1A== + MIIEKDCCAxCgAwIBAgIUWVQQugUNh53VhvVfb3S49zw3GvgwDQYJKoZIhvcNAQEL + BQAwgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQH + DAdPYWtsYW5kMRUwEwYDVQQKDAxDb21wYW55IE5hbWUxDDAKBgNVBAsMA09yZzEo + MCYGA1UEAwwfenV1bC1qb2JzLmludGVybWVkaWF0ZS1yZWdpc3RyeTAeFw0xOTEx + MjExODQ5MjhaFw0yMDExMjAxODQ5MjhaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UE + CAwKQ2FsaWZvcm5pYTEQMA4GA1UEBwwHT2FrbGFuZDEVMBMGA1UECgwMQ29tcGFu + eSBOYW1lMQwwCgYDVQQLDANPcmcxKDAmBgNVBAMMH3p1dWwtam9icy5pbnRlcm1l + ZGlhdGUtcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4 + 6dQ/20Zsjel37D2F+9+9WqslsIWfiP+zsqsz+/K5ngkdYyBEjYCBAUoLmGY/6/Hk + vZRBYE79R2FKgjKIIo/bElKI4H6jq2nke5No+nroPXRlFh7wu0yP+U3P6pSaaDKJ + uJ5mMXxcboZEz8TyjRs1+RaFo+walNNfcA/ZOg8JRWV5Fe4JBw7GjgR6GH265h6z + ppakg801rFXVzbf9sCRz7ic3vpNywGgz8klwqQVR3H1GlZ5zvlDr6/lPin+YwlXR + d1wgRfFIima9K+IU+nymnBExInO5AyomolpN+bn4bnrx6q2l/FKWvEssVKZPPjT8 + v7lbzBiXxvb2AKYmNjL5AgMBAAGjgZEwgY4wHQYDVR0OBBYEFCXcx6YJW0L1JMSA + rQDbbc9LyQN3MB8GA1UdIwQYMBaAFCXcx6YJW0L1JMSArQDbbc9LyQN3MA8GA1Ud + EwEB/wQFMAMBAf8wOwYDVR0RBDQwMoIfenV1bC1qb2JzLmludGVybWVkaWF0ZS1y + ZWdpc3RyeYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBMQR4u + bcdeS6ML/X/BLh3HBjWf0DYobU5GVBoMC9c+L9Fxh82ck/CAK3Oeozr9iHFu5YLj + OsJWlAbRl0Getz7HOnVH9rMyL/ac9c99CKixjY1Vsf49x1itpOQULoZ+zJixFROk + 07KhnkaqsYs4SIfDSoa18UmBROEVT2y7yT0uYAwyxwMtZVJWUg7L9OuxPE/tMB0/ + NyNwMzhdKBL0V54rXH0dxOQ0yE5mGkaOOgKS5x43r78xRRNZ3JM5iRj3S0P75Nbg + YDvkkOd0Pf+5UPBJyc4wh5TA+vOrU63lKa6RwIWIbA+xXJn5WJQFoQOjO2dCcEka + 8p2tutWB2+G+3F12 -----END CERTIFICATE----- -#intermediate_registry_tls_chain diff --git a/test-playbooks/registry/vars/previous-build.yaml b/test-playbooks/registry/vars/previous-build.yaml index a3ca24821..ad1b74e60 100644 --- a/test-playbooks/registry/vars/previous-build.yaml +++ b/test-playbooks/registry/vars/previous-build.yaml @@ -2,7 +2,7 @@ # buildset via provides/requires. This build should be copied from # the intermediate registry to the buildset registry. -previous_build_repository: upstream/image +previous_build_repository: docker.io/upstream/image previous_build_uuid: 48a84fe22a744cb5b0310f396358d912 previous_build_zuul: artifacts: diff --git a/zuul-tests.d/container-roles-jobs.yaml b/zuul-tests.d/container-roles-jobs.yaml index ac888b855..46a291619 100644 --- a/zuul-tests.d/container-roles-jobs.yaml +++ b/zuul-tests.d/container-roles-jobs.yaml @@ -1,5 +1,5 @@ - job: - name: zuul-jobs-test-registry + name: zuul-jobs-test-registry-docker description: | Test the intermediate registry roles. @@ -17,6 +17,38 @@ pre-run: test-playbooks/registry/test-registry-pre.yaml run: test-playbooks/registry/test-registry.yaml post-run: test-playbooks/registry/test-registry-post.yaml + vars: + container_command: docker + nodeset: + nodes: + - name: intermediate-registry + label: ubuntu-bionic + - name: executor + label: ubuntu-bionic + - name: builder + label: ubuntu-bionic + +- job: + name: zuul-jobs-test-registry-podman + description: | + Test the intermediate registry roles. + + This job tests changes to the intermediate registry roles using + podman rather than docker. It is not meant to be used directly + but rather run on changes to roles in the zuul-jobs repo. + files: + - roles/pull-from-intermediate-registry/.* + - roles/push-to-intermediate-registry/.* + - roles/install-podman/.* + - roles/build-container-image/.* + - roles/run-buildset-registry/.* + - roles/use-buildset-registry/.* + - test-playbooks/registry/.* + pre-run: test-playbooks/registry/test-registry-pre.yaml + run: test-playbooks/registry/test-registry.yaml + post-run: test-playbooks/registry/test-registry-post.yaml + vars: + container_command: podman nodeset: nodes: - name: intermediate-registry @@ -52,6 +84,8 @@ pre-run: test-playbooks/registry/buildset-registry-pre.yaml run: test-playbooks/registry/buildset-registry.yaml post-run: test-playbooks/registry/test-registry-post.yaml + vars: + container_command: docker - job: name: zuul-jobs-test-registry-buildset-registry-k8s-docker @@ -74,6 +108,8 @@ post-run: - test-playbooks/registry/buildset-registry-k8s-docker-post.yaml - test-playbooks/registry/test-registry-post.yaml + vars: + container_command: docker - job: name: zuul-jobs-test-install-kubernetes-docker @@ -126,7 +162,8 @@ - project: check: jobs: &id001 - - zuul-jobs-test-registry + - zuul-jobs-test-registry-docker + - zuul-jobs-test-registry-podman - zuul-jobs-test-registry-buildset-registry - zuul-jobs-test-registry-buildset-registry-k8s-docker - zuul-jobs-test-install-kubernetes-docker