openstack/ansible-role-container-registry
Code Issues Proposed changes

Retire Tripleo: remove repo content

Browse Source 
TripleO project is retiring
- https://review.opendev.org/c/openstack/governance/+/905145

this commit remove the content of this project repo

Change-Id: I29fb152050adab2912b2528f304c97ea4534fda4
This commit is contained in:
Ghanshyam Mann 2024-02-24 11:31:06 -08:00
parent a091b9cd21
commit d68e447c4b
40 changed files with 8 additions and 1667 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.ansible-lint
View File

@ -1,8 +0,0 @@
skip_list: # or 'skip_list' to silence them completely
- command-instead-of-shell # Use shell only when shell functionality is required
- experimental # all rules tagged as experimental
- package-latest # Package installs should not use latest
- role-name # Role name {0} does not match ``^[a-z][a-z0-9_]+$`` pattern
exclude_paths:
- zuul.d/

69
.gitignore vendored
View File

@ -1,69 +0,0 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
# C extensions
*.so
# Distribution / packaging
.Python
env/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
sdist/
var/
container_registry.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
# Translations
*.mo
*.pot
# Django stuff:
*.log
# Sphinx documentation
doc/build/
# PyBuilder
target/
# virtualenv
.venv/
# jenkins config
jenkins/config.ini
playbooks/debug.yml
# Files created by releasenotes build
releasenotes/build
# Editors
.*.sw[klmnop]

11
.yamllint
View File

@ -1,11 +0,0 @@
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable

176
LICENSE
View File

@ -1,176 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

162
README.rst
View File

@ -1,156 +1,10 @@
ansible-role-container-registry This project is no longer maintained.
===============================
A role to deploy a container registry and provide methods to login to it. The contents of this repository are still available in the Git
For now, the role only support Docker Registry v2. source code management system. To see the contents of this
The login currently doesn't work with hub.docker.com. repository before it reached its end of life, please check out the
previous commit with "git checkout HEAD^1".
For any further questions, please email
Role Variables openstack-discuss@lists.openstack.org or join #openstack-dev on
-------------- OFTC.
.. list-table:: Variables used for container registry
:widths: auto
:header-rows: 1
* - Name
- Default Value
- Description
* - `container_registry_debug`
- `false`
- Enable debug option in Docker
* - `container_registry_deploy_docker`
- `true`
- Whether or not to deploy Docker
* - `container_registry_deploy_docker_distribution`
- `true`
- Whether or not to deploy Docker Distribution
* - `container_registry_deployment_user`
- `centos`
- User which needs to manage containers
* - `container_registry_docker_options`
- `--log-driver=journald --signature-verification=false --iptables=false --live-restore`
- Options given to Docker configuration
* - `container_registry_docker_disable_iptables`
- `false`
- Adds --iptables=false to /etc/sysconfig/docker-network config
* - `container_registry_insecure_registries`
- `[]`
- Array of insecure registries
* - `container_registry_network_options`
- `[undefined]`
- Docker networking options
* - `container_registry_host`
- `localhost`
- Docker registry host
* - `container_registry_port`
- `8787`
- Docker registry port
* - `container_registry_mirror`
- `[undefined]`
- Docker registry mirror
* - `container_registry_storage_options`
- `-s overlay2`
- Docker storage options
* - `container_registry_selinux`
- `false`
- Whether or not SElinux is enabled for containers
* - `container_registry_additional_sockets`
- `[undefined]`
- Additional sockets for containers
* - `container_registry_skip_reconfiguration`
- `false`
- Do not perform container registry reconfiguration if it's already configured
* - `container_registry_logins`
- `[]`
- A dictionary containing registries and a username and a password associated with the registry.
Example: {'docker.io': {'myusername': 'mypassword'}, 'registry.example.com:8787': {'otheruser': 'otherpass'}}
Requirements
------------
- ansible >= 2.4
- python >= 2.6
Dependencies
------------
None
Example Playbooks
-----------------
Modify Image
~~~~~~~~~~~~
The following playbook will deploy a Docker registry:
.. code-block::
- hosts: localhost
become: true
roles:
- container-registry
License
-------
Apache 2.0
Running local testing
---------------------
Local testing of this role can be done in a number of ways.
Mimic Zuul
~~~~~~~~~~
Sometimes its nessisary to setup a test that will mimic what the OpenStack gate
will do (Zuul). To run tests that minic the gate, `python-virtualenv` `git`,
`gcc`, and `ansible` are required.
.. code-block:: shell
$ sudo yum install python-virtualenv git gcc
Once the packages are installed, create a python virtual environment.
.. code-block:: shell
$ python -m virtualenv --system-site-packages ~/test-python
$ ~/test-python/bin/pip install pip setuptools --upgrade
Now install the latest Ansible
.. code-block:: shell
$ ~/test-python/bin/pip install ansible
With Ansible installed, activate the virtual environment and run the
`run-local.yml` test playbook.
.. code-block:: shell
$ source ~/test-python/bin/activate
(test-python) $ ansible-playbook -i 'localhost,' \
-e "tripleo_src=$(realpath --relative-to="${HOME}" "$(pwd)")" \
-e "ansible_user=${USER}" \
-e "ansible_user_dir=${HOME}" \
-e "ansible_connection=local" \
zuul.d/playbooks/run-local.yml
Running Molecule directly
~~~~~~~~~~~~~~~~~~~~~~~~~
It is also possible to test this role using molecule directly. When running
tests directly it is assumed all of the dependencies are setup and ready to
run on the local workstation. When
.. code-block:: shell
$ molecule test --all

6
ansible-requirements.txt
View File

@ -1,6 +0,0 @@
# These are required here because ansible can't be in global-requirements due
# to licensing conflicts. But we sill need to be able to pull them in for
# lint checks and want to document these as ansible specific things that may
# be required for this repository.
ansible-core<2.12
ansible-lint

12
ansible.cfg
View File

@ -1,12 +0,0 @@
[defaults]
gathering = smart
command_warnings = False
retry_files_enabled = False
callback_whitelist = profile_tasks
# Attempt to load custom modules whether it's installed system-wide or from a virtual environment
roles_path = roles:$VIRTUAL_ENV/usr/share/ansible/roles/container-registry:$VIRTUAL_ENV/usr/local/share/
[ssh_connection]
control_path = %(directory)s/%C

32
bindep.txt
View File

@ -1,32 +0,0 @@
# This file facilitates OpenStack-CI package installation
# before the execution of any tests.
#
# See the following for details:
# - https://docs.openstack.org/infra/bindep/
# - https://opendev.org/opendev/bindep/
#
# Even if the role does not make use of this facility, it
# is better to have this file empty, otherwise OpenStack-CI
# will fall back to installing its default packages which
# will potentially be detrimental to the tests executed.
# The gcc compiler
gcc
# Base requirements for RPM distros
gcc-c++ [platform:rpm]
git [platform:rpm]
libffi-devel [platform:rpm]
openssl-devel [platform:rpm]
python2-dnf [platform:fedora]
python-virtualenv [platform:rpm]
# For SELinux
libselinux-python [platform:rpm]
libsemanage-python [platform:redhat]
# Required for compressing collected log files in CI
gzip
# Required to build language docs
gettext

19
defaults/main.yml
View File

@ -1,19 +0,0 @@
# defaults file for ansible-role-container-registry
container_registry_debug: false
container_registry_deploy_docker: true
container_registry_deploy_docker_distribution: true
container_registry_deployment_user: centos
container_registry_docker_options: '--log-driver=journald --signature-verification=false --iptables=false --live-restore'
container_registry_docker_disable_iptables: false
container_registry_insecure_registries: []
container_registry_network_options: ''
container_registry_host: localhost
container_registry_port: 8787
container_registry_mirror: ''
container_registry_storage_options: '-s overlay2'
container_registry_selinux: false
container_registry_additional_sockets: []
container_registry_skip_reconfiguration: false
container_registry_logins: {}
container_registry_cleanup_client: false

60
handlers/main.yml
View File

@ -1,60 +0,0 @@
---
- name: restart docker
command: /bin/true
notify:
- Docker | reload systemd
- Docker | reload docker
- Docker | pause while Docker restarts
- Docker | wait for docker
listen: "restart docker service"
- name: restart docker-distribution
command: /bin/true
notify:
- Docker | reload systemd
- Docker | reload docker-distribution
listen: "restart docker-distribution service"
- name: Docker | reload systemd
systemd:
daemon_reload: yes
become: true
when: ansible_facts['service_mgr'] == 'systemd'
- name: Docker | reload docker
service:
name: docker
state: restarted
become: true
- name: Docker | pause while Docker restarts
pause:
seconds: 10
prompt: "Waiting for docker restart"
- name: Docker | wait for docker
command: /usr/bin/docker images
register: docker_ready
retries: 10
delay: 5
until: docker_ready.rc == 0
- name: Docker | reload docker-distribution
service:
name: docker-distribution
state: restarted
notify:
- Docker | wait for registry
become: true
# NOTE(bogdando): import caveats https://github.com/ansible/ansible/issues/42621
- name: Docker | wait for registry
uri:
# Just checking API version should be fine
# https://docs.docker.com/registry/spec/api/#api-version-check
url: "http://{{ container_registry_host }}:{{ container_registry_port }}/v2/"
return_content: yes
register: registry_status
retries: 10
delay: 5
until: "registry_status.status|int == 200 and 'OK' in registry_status.msg"

19
meta/main.yml
View File

@ -1,19 +0,0 @@
galaxy_info:
role_name: container-registry
author: tripleo
description: A role to deploy a container registry.
license: Apache 2.0
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 7
galaxy_tags:
- docker
- registry
dependencies: []

9
molecule-requirements.txt
View File

@ -1,9 +0,0 @@
ansible
ansi2html
docker
pytest
pytest-cov
pytest-html
pytest-xdist
mock
molecule>=3.0,<3.1

50
molecule/default/molecule.yml
View File

@ -1,50 +0,0 @@
---
driver:
name: delegated
options:
managed: false
login_cmd_template: >-
ssh
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o Compression=no
-o TCPKeepAlive=yes
-o VerifyHostKeyDNS=no
-o ForwardX11=no
-o ForwardAgent=no
{instance-default}
ansible_connection_options:
ansible_connection: ssh
log: true
platforms:
- name: instance-default
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance-default:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
name: default
test_sequence:
- prepare
- converge
- verify
verifier:
name: testinfra

27
molecule/default/playbook.yml
View File

@ -1,27 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
become: true
hosts: all
tasks:
- name: Test ansible-role-container-registry
include_role:
name: ansible-role-container-registry
vars:
container_registry_deploy_docker: true
container_registry_deploy_docker_distribution: true

34
molecule/default/prepare.yml
View File

@ -1,34 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
become: true
gather_facts: true
pre_tasks:
- name: set basic user fact
set_fact:
ansible_user: "{{ lookup('env', 'USER') }}"
when:
- ansible_user is undefined
- name: set basic home fact
set_fact:
ansible_user_dir: "{{ lookup('env', 'HOME') }}"
when:
- ansible_user_dir is undefined

50
molecule/login/molecule.yml
View File

@ -1,50 +0,0 @@
---
driver:
name: delegated
options:
managed: false
login_cmd_template: >-
ssh
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o Compression=no
-o TCPKeepAlive=yes
-o VerifyHostKeyDNS=no
-o ForwardX11=no
-o ForwardAgent=no
{instance-login}
ansible_connection_options:
ansible_connection: ssh
log: true
platforms:
- name: instance-login
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance-login:
ansible_host: localhost
ansible_user: zuul
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
scenario:
test_sequence:
- prepare
- converge
- verify
verifier:
name: testinfra

195
molecule/login/playbook.yml
View File

@ -1,195 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
####
# Testing that the role fails with information when we are not passing
# credentials for the login
#
- name: Ensure role checks for missing information
hosts: all
tasks:
- name: Test role failed false
set_fact:
role_failed: false
- name: ensure role fails when credentials missing
block:
- name: ensure role fails when credentials missing
include_role:
name: ansible-role-container-registry
tasks_from: registry-login
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
rescue:
- name: Test role failed true
set_fact:
role_failed: true
- name: assert on missing credentials
assert:
that: role_failed != false
fail_msg: Role did not fail and it should have while passing no credential
success_msg: Role failed correctly while passing no credentials
#####
# We don't want to pollute the host by installing packages that
# should be installed elsewhere and maybe from different repository
# Here we test that we are removing any client package after installing it
# As sometimes the package is installed before we run this role, we are also
# testing that we are removing packages if and only if we were the ones
# installing it.
#
- name: Check role behaviour with docker installation
hosts: instance-login
vars:
docker_login_cache: /root/.docker/config.json
docker_socket: /var/run/docker.sock
container_registry_logins:
localhost:5000:
testuser: testpassword
tasks:
- name: preinstall docker
become: true
package:
name: docker
state: present
- name: Include role with docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: install-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
- name: remove clients with docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: cleanup-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
container_registry_cleanup_client: true
- name: Check if tasks removed docker and it shouldn't
assert:
that:
- remove_docker is not defined or remove_docker is skipped
fail_msg: Role removed docker when it shouldn't have
success_msg: Role correctly left docker as it was installed before
- name: remove docker
become: true
package:
name: docker
state: absent
- name: Install client without docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: install-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
- name: Cleanup client without docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: cleanup-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
container_registry_cleanup_client: true
- name: Check if tasks removed docker
assert:
that:
- remove_docker is defined
fail_msg: Role did not remove docker when it should have
success_msg: Role correctly removed docker as it was not present before call
####
# This play tests that docker is chosen in centos7 and the login successfully
# created a auth cache file
# it also ensure that docker deamon is still running after we remove the client
#
- name: Test login behaviour in centos7
hosts: instance-login
vars:
docker_login_cache: /root/.docker/config.json
docker_socket: /var/run/docker.sock
container_registry_logins:
localhost:5000:
testuser: testpassword
tasks:
- name: include container registry role
include_role:
name: ansible-role-container-registry
tasks_from: registry-login
- name: check credentials file
become: true
stat:
path: "{{ docker_login_cache }}"
register: cache_file
- block:
- name: assert on file existence
assert:
that:
- cache_file.stat.exists
fail_msg: Credential file was not created
success_msg: Credential file correctly present
failed_when: false
rescue:
- name: rescue
debug:
msg: noop
- name: Verify credentials can be used
block:
- name: create build dir
file:
path: /tmp/tempimage
state: directory
mode: 0755
- name: create Dockerfile
copy:
content: |
FROM scratch
ADD nothing /
dest: /tmp/tempimage/Dockerfile
mode: 0644
- name: Build test image
become: true
shell: |
cd /tmp/tempimage
touch nothing
docker build -t localhost:5000/test/testimage:v1 .
changed_when: true
register: build
- name: Verify authenticated push works
become: true
shell: |
docker push localhost:5000/test/testimage:v1
changed_when: true
- name: Cleanup
include_role:
name: ansible-role-container-registry
tasks_from: cleanup-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
container_registry_cleanup_client: true

63
molecule/login/prepare.yml
View File

@ -1,63 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
become: true
gather_facts: true
pre_tasks:
- name: set basic user fact
set_fact:
ansible_user: "{{ lookup('env', 'USER') }}"
when:
- ansible_user is undefined
- name: set basic home fact
set_fact:
ansible_user_dir: "{{ lookup('env', 'HOME') }}"
when:
- ansible_user_dir is undefined
- name: include container registry role
include_role:
name: ansible-role-container-registry
tasks_from: docker
tasks:
- name: Install docker-sdk
pip:
name: docker
virtualenv: "{{ ansible_user_dir }}/test-python"
virtualenv_site_packages: true
- name: Ensure htpasswd exists
package:
name: httpd-tools
state: present
- name: Create a docker registry
become: true
shell: |-
docker pull ubuntu:16.04
docker tag ubuntu:16.04 localhost:5000/my-ubuntu
mkdir auth
htpasswd -Bbn testuser testpassword > auth/htpasswd
docker container stop registry
docker run -d -p 5000:5000 --restart=always --name registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
args:
creates: /root/auth/htpasswd

2
requirements.txt
View File

@ -1,2 +0,0 @@
pbr>=1.6
ansible-core<2.12

38
setup.cfg
View File

@ -1,38 +0,0 @@
[metadata]
name = ansible-role-container-registry
summary = ansible-container-registry - Ansible role to deploy a container registry
description_file =
README.rst
author = TripleO Team
author_email = emilien@redhat.com
home_page = https://opendev.org/openstack/ansible-role-container-registry
classifier =
License :: OSI Approved :: Apache Software License
Development Status :: 4 - Beta
Intended Audience :: Developers
Intended Audience :: System Administrators
Intended Audience :: Information Technology
Topic :: Utilities
[global]
setup_hooks =
pbr.hooks.setup_hook
[files]
data_files =
share/ansible/roles/container-registry/defaults = defaults/*
share/ansible/roles/container-registry/handlers = handlers/*
share/ansible/roles/container-registry/meta = meta/*
share/ansible/roles/container-registry/tasks = tasks/*
share/ansible/roles/container-registry/templates = templates/*
share/ansible/roles/container-registry/tests = tests/*
share/ansible/roles/container-registry/vars = vars/*
share/ansible/roles/container-registry/files = files/*
[wheel]
universal = 1
[pbr]
skip_authors = True
skip_changelog = True

20
setup.py
View File

@ -1,20 +0,0 @@
# Copyright Red Hat, Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import setuptools
setuptools.setup(
setup_requires=['pbr'],
py_modules=[],
pbr=True)

17
tasks/cleanup-engine.yml
View File

@ -1,17 +0,0 @@
- name: Cleanup Engine
block:
- name: Remove docker
package:
name:
- docker
state: absent
register: remove_docker
when:
- container_registry_docker_install is defined
- container_registry_docker_install is changed
rescue:
- name: Failed removing docker
debug:
msg: "unable to remove docker"
become: true

45
tasks/docker-distribution.yml
View File

@ -1,45 +0,0 @@
---
# tasks file for ansible-role-container-registry
- name: ensure docker-distribution is installed
package:
name: docker-distribution
state: present
become: true
register: _distro_install
- name: manage /etc/docker-distribution/registry/config.yml
template:
src: docker-distribution-config.yml.j2
dest: /etc/docker-distribution/registry/config.yml
mode: '0644'
become: true
register: _distro_config
notify: restart docker-distribution service
- name: Handle docker-distribution restart
become: true
when: _distro_install is changed or _distro_config is changed
block:
- name: Reload systemd
systemd:
daemon_reload: yes
become: true
- name: Reload docker-distribution
service:
enabled: true
name: docker-distribution
state: restarted
become: true
# NOTE(bogdando): import caveats https://github.com/ansible/ansible/issues/42621
- name: Wait for registry
uri:
# Just checking API version should be fine
# https://docs.docker.com/registry/spec/api/#api-version-check
url: "http://{{ container_registry_host }}:{{ container_registry_port }}/v2/"
return_content: yes
register: registry_status
retries: 10
delay: 5
until: "registry_status.status|int == 200 and 'OK' in registry_status.msg"

13
tasks/docker-login.yml
View File

@ -1,13 +0,0 @@
---
# tasks file for ansible-role-container-registry
- name: perform docker login
become: true
docker_login:
username: "{{ lookup('dict', item.value).key }}"
password: "{{ lookup('dict', item.value).value }}"
registry: "{{ item.key }}"
loop: "{{ query('dict', container_registry_logins | default({})) }}"
no_log: "{{ not container_registry_debug|bool }}"
when: container_registry_logins | length > 0

50
tasks/docker-update.yml
View File

@ -1,50 +0,0 @@
---
# tasks file for ansible-role-container-registry
# the tasks will ensure docker is up to date.
- block:
- name: set package manager to yum
set_fact:
registry_pkg_manager: yum
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version']|int == 7
- name: set package manager to dnf
set_fact:
registry_pkg_manager: dnf
when: (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 7) or (ansible_facts['distribution'] == 'Fedora')
- name: can docker be updated
shell: "{{ registry_pkg_manager }} check-update docker"
register: docker_check_update
failed_when: docker_check_update.rc not in [0, 100]
changed_when: docker_check_update.rc == 100
- name: set docker_rpm_needs_update fact
set_fact: docker_rpm_needs_update={{ docker_check_update.rc == 100 }}
- name: ensure docker is installed
package:
name: docker
state: present
when: docker_rpm_needs_update
- name: update the docker package (yum)
yum: name=docker state=latest update_cache=yes # cache for https://bugs.launchpad.net/tripleo/+bug/1703830
notify: restart docker service
when:
- docker_rpm_needs_update
- registry_pkg_manager == 'yum'
- name: update the docker package (dnf)
dnf: name=docker state=latest
notify: restart docker service
when:
- docker_rpm_needs_update
- registry_pkg_manager == 'dnf'
# Note(mfedosin): explicitly skip all preceding tasks if we don't need reconfiguration.
when: not container_registry_skip_reconfiguration

194
tasks/docker.yml
View File

@ -1,194 +0,0 @@
---
# tasks file for ansible-role-container-registry
# NOTE(mfedosin): In order to verify that we have already configured docker
# we add a line `# Configured by Ansible container registry role` in
# /etc/sysconfig/docker config file when initial configuration is done,
# and check its existence later.
- name: Check that the configuration mark exists in /etc/sysconfig/docker
command: grep -Fq "# Configured by Ansible container registry role" /etc/sysconfig/docker
register: is_configured
check_mode: false
failed_when: false
changed_when: false
- name: configure docker registry block
when: not container_registry_skip_reconfiguration or is_configured.rc != 0
become: true
block:
# NOTE(aschultz): LP#1750194 - need to set ip_forward before docker starts
# so lets set it before we install the package if we're managing it.
- name: enable net.ipv4.ip_forward
sysctl:
name: net.ipv4.ip_forward
value: 1
sysctl_set: yes
state: present
reload: yes
# NOTE(aschultz): LP#1765121 - need to check that we don't have any ftype=0
# volumes because other wise docker is very unhappy
- name: Check if there are XFS volumes with ftype=0
shell: |
for dev in $(df -h | grep '/dev/' | grep -v 'tmp' | cut -d' ' -f1)
do
parseftype=$(xfs_info $dev | grep ftype=0);
if [[ ! -z "$parseftype" ]]; then
ftype="ftype=0";
break;
fi
done
echo $ftype;
register: ftype
changed_when: false
- name: Check ftype
fail:
msg: >
XFS volumes formatted using ftype=0 are incompatible
with the docker overlayfs driver.
when:
- not ansible_check_mode
- ftype.stdout == 'ftype=0'
- include_tasks: install-engine.yml
- name: manage /etc/systemd/system/docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
mode: '0755'
when: ansible_facts['service_mgr'] == 'systemd'
- name: unset mountflags
ini_file:
path: /etc/systemd/system/docker.service.d/99-unset-mountflags.conf
section: Service
option: MountFlags
value: '""'
create: yes
mode: '0644'
register: _cfg_flags
when: ansible_facts['service_mgr'] == 'systemd'
- name: configure OPTIONS in /etc/sysconfig/docker
lineinfile:
path: /etc/sysconfig/docker
regexp: '^OPTIONS='
line: "OPTIONS='{{ _full_docker_options }}'"
create: yes
mode: '0644'
register: _cfg_options
- name: configure INSECURE_REGISTRY in /etc/sysconfig/docker
lineinfile:
path: /etc/sysconfig/docker
regexp: '^INSECURE_REGISTRY='
line: "INSECURE_REGISTRY='{{ registry_flags }}'"
mode: '0644'
when: container_registry_insecure_registries | length > 0
register: _cfg_insecure
vars:
registry_flags: --insecure-registry {{ container_registry_insecure_registries | join(' --insecure-registry ') }}
- name: Create additional socket directories
file:
path: "{{ item | dirname }}"
state: directory
mode: '0755'
register: _cfg_sockets
with_items: "{{ container_registry_additional_sockets }}"
when: container_registry_additional_sockets | length > 0
- name: manage /etc/docker/daemon.json
template:
src: docker-daemon.json.j2
dest: /etc/docker/daemon.json
mode: '0644'
register: _cfg_daemon
- name: configure DOCKER_STORAGE_OPTIONS in /etc/sysconfig/docker-storage
lineinfile:
path: /etc/sysconfig/docker-storage
regexp: '^DOCKER_STORAGE_OPTIONS='
line: "DOCKER_STORAGE_OPTIONS=' {{ container_registry_storage_options }}'"
create: yes
mode: '0644'
when: container_registry_storage_options | length > 0
register: _cfg_storage
- name: configure DOCKER_NETWORK_OPTIONS in /etc/sysconfig/docker-network
lineinfile:
path: /etc/sysconfig/docker-network
regexp: '^DOCKER_NETWORK_OPTIONS='
line: "DOCKER_NETWORK_OPTIONS=' {{ container_registry_network_options }}'"
create: yes
mode: '0644'
when: container_registry_network_options | length > 0
register: _cfg_network
- name: ensure docker group exists
group:
name: docker
state: present
register: _cfg_group
- name: add deployment user to docker group
user:
name: "{{ container_registry_deployment_user }}"
groups: docker
append: yes
register: _cfg_user
when: container_registry_deployment_user | length > 0
- name: reset ssh connection to pick up docker group
meta: reset_connection
when: _cfg_group is changed or _cfg_user is changed
- name: Handle docker restart
when:
- (_cfg_flags is changed
or _cfg_options is changed
or _cfg_insecure is changed
or _cfg_sockets is changed
or _cfg_daemon is changed
or _cfg_storage is changed
or _cfg_network is changed
or _cfg_group is changed
or _cfg_user is changed)
block:
- name: Reload systemd
systemd:
daemon_reload: yes
become: true
when:
- ansible_facts['service_mgr'] == 'systemd'
- _cfg_flags is changed
- name: Reload docker
service:
name: docker
enabled: true
state: restarted
become: true
- name: Pause while Docker restarts
shell: sleep 10
changed_when: false
- name: Wait for docker
command: /usr/bin/docker images
register: docker_ready
retries: 10
delay: 5
until: docker_ready.rc == 0
changed_when: false
- name: mark docker configured
lineinfile:
path: /etc/sysconfig/docker
line: "# Configured by Ansible container registry role"
insertafter: "^# /etc/sysconfig/docker$"
create: yes
mode: '0644'

30
tasks/install-engine.yml
View File

@ -1,30 +0,0 @@
---
- name: Install and Start Docker
when:
- ansible_facts['distribution'] == "CentOS"
- ansible_facts['distribution_major_version']|int < 8
become: true
block:
- name: Install Docker
package:
name: docker
state: present
register: container_registry_docker_install
# Workaround for https://bugs.launchpad.net/tripleo/+bug/1845166/
- name: Disable docker iptables
when: container_registry_docker_disable_iptables
ini_file:
path: /etc/sysconfig/docker-network
section: null
option: DOCKER_NETWORK_OPTIONS
value: --iptables=false
no_extra_spaces: true
mode: '0644'
- name: Start Docker daemon
service:
name: docker
enabled: true
state: started

9
tasks/main.yml
View File

@ -1,9 +0,0 @@
---
# tasks file for ansible-role-container-registry
- include_tasks: docker.yml
when: container_registry_deploy_docker|bool
- include_tasks: docker-distribution.yml
when: container_registry_deploy_docker_distribution|bool

30
tasks/registry-login.yml
View File

@ -1,30 +0,0 @@
---
# TODO(gcerami): The login process does not work with dockerhub, as dockerhub requires an
# auth API call to pass an email address (aven a fake one)
- name: Fail if credentials are not defined or empty
fail:
msg: "Registry credentials are missing"
when: container_registry_logins|default({}) == {}
- import_tasks: install-engine.yml
- name: Try docker command line for authentication
block:
- name: Login via docker command
become: true
command: >
docker login "{{ item.key }}"
--username "{{ lookup('dict', item.value).key }}"
--password "{{ lookup('dict', item.value).value }}"
loop: "{{ query('dict', container_registry_logins | default({})) }}"
register: registry_login_docker
changed_when: false
rescue:
- name: Failed login
debug:
msg: "Warning: login failed for some credentials while using docker login"
- import_tasks: cleanup-engine.yml
when: container_registry_cleanup_client

6
templates/docker-daemon.json.j2
View File

@ -1,6 +0,0 @@
{
{% if container_registry_mirror != "" %}
"registry-mirrors": ["{{ container_registry_mirror }}"],
{% endif %}
"debug": {{ container_registry_debug|lower }}
}

11
templates/docker-distribution-config.yml.j2
View File

@ -1,11 +0,0 @@
version: 0.1
log:
fields:
service: registry
storage:
cache:
layerinfo: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: {{ container_registry_host }}:{{ container_registry_port }}

2
test-requirements.txt
View File

@ -1,2 +0,0 @@
hacking>=4.0.0,<4.1.0 # Apache-2.0
pyflakes>=2.2.0

2
tests/inventory
View File

@ -1,2 +0,0 @@
localhost

4
tests/test.yml
View File

@ -1,4 +0,0 @@
- hosts: localhost
become: true
roles:
- container-registry

64
tox.ini
View File

@ -1,64 +0,0 @@
[tox]
minversion = 2.0
envlist = docs, linters
skipsdist = True
[testenv]
usedevelop = True
install_command = pip install -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} {opts} {packages}
setenv = VIRTUAL_ENV={envdir}
deps = -r{toxinidir}/test-requirements.txt
whitelist_externals = bash
[testenv:bindep]
basepython = python3
# Do not install any requirements. We want this to be fast and work even if
# system dependencies are missing, since it's used to tell you what system
# dependencies are missing! This also means that bindep must be installed
# separately, outside of the requirements files.
deps = bindep
commands = bindep test
[testenv:pep8]
basepython = python3
commands =
# Run hacking/flake8 check for all python files
bash -c "git ls-files | grep -v releasenotes | xargs grep --binary-files=without-match \
--files-with-match '^.!.*python$' \
--exclude-dir .tox \
--exclude-dir .git \
--exclude-dir .eggs \
--exclude-dir *.egg-info \
--exclude-dir dist \
--exclude-dir *lib/python* \
--exclude-dir doc \
| xargs flake8 --verbose"
[testenv:ansible-lint]
basepython = python3
commands = ansible-lint
[testenv:linters]
basepython = python3
deps =
-r{toxinidir}/test-requirements.txt
-r{toxinidir}/ansible-requirements.txt
commands =
{[testenv:pep8]commands}
{[testenv:ansible-lint]commands}
[testenv:releasenotes]
basepython = python3
whitelist_externals = bash
commands = bash -c ci-scripts/releasenotes_tox.sh
[testenv:venv]
basepython = python3
commands = {posargs}
[flake8]
# E123, E125 skipped as they are invalid PEP-8.
# E265 deals withs paces inside of comments
show-source = True
ignore = E123,E125,E265
builtins = _

1
vars/main.yml
View File

@ -1 +0,0 @@
_full_docker_options: "{% if container_registry_selinux|bool %}--selinux-enabled {% endif %}{% if container_registry_additional_sockets | length > 0 %}-H unix:///run/docker.sock {% for soc in container_registry_additional_sockets %}-H unix://{{ soc }}{% if not loop.last %} {% endif %}{% endfor %}{% endif %} {{ container_registry_docker_options }}"

10
zuul.d/layout.yaml
View File

@ -1,10 +0,0 @@
- project:
check:
jobs:
- openstack-tox-linters
gate:
jobs:
- openstack-tox-linters
post:
jobs:
- publish-openstack-python-branch-tarball

97
zuul.d/playbooks/pre.yml
View File

@ -1,97 +0,0 @@
---
- hosts: all
tasks:
- name: set basic user fact
fail:
msg: >-
The variable `ansible_user` set this option and try again. On the
CLI this can be defined with "-e ansible_user=${USER}"
when:
- ansible_user is undefined
- name: set basic home fact
fail:
msg: >-
The variable `ansible_user_dir` set this option and try again. On
the CLI this can be defined with "-e ansible_user_dir=${HOME}"
when:
- ansible_user_dir is undefined
- name: Set project path fact
set_fact:
container_registry_project_path: "{{ ansible_user_dir }}/{{ zuul.projects['opendev.org/openstack/ansible-role-container-registry'].src_dir }}"
- name: Ensure the user has a .ssh directory
file:
path: "{{ ansible_user_dir }}/.ssh"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "0700"
- name: Create ssh key pair
user:
name: "{{ ansible_user }}"
generate_ssh_key: true
ssh_key_bits: 2048
ssh_key_file: "{{ ansible_user_dir }}/.ssh/id_rsa"
- name: Slurp pub key
slurp:
src: "{{ ansible_user_dir ~ '/.ssh/id_rsa.pub' }}"
register: pub_key
- name: Ensure can ssh to can connect to localhost
authorized_key:
user: "{{ ansible_user }}"
key: "{{ pub_key['content'] | b64decode }}"
- name: Ensure output dirs
file:
path: "{{ ansible_user_dir }}/zuul-output/logs"
state: directory
- name: Get the zuul/zuul-jobs repo
git:
repo: https://opendev.org/zuul/zuul-jobs
dest: "{{ ansible_user_dir }}/zuul-jobs"
version: master
force: true
- name: Ensure virtualenv is installed
include_role:
name: ensure-virtualenv
- name: Set python_v fact to py2 or py3
set_fact:
python_v: "{{ ansible_facts['distribution_major_version'] is version('8', '>=') | ternary('py3', 'py2') }}"
cacheable: true
- name: Install python3-setuptools
package:
name: "python3-setuptools"
state: present
become: true
when: python_v == "py3"
- name: Install python-setuptools
package:
name: "python-setuptools"
state: present
become: true
when: python_v == "py2"
- name: Ensure pbr available
pip:
name: pbr
virtualenv: "{{ ansible_user_dir }}/test-python"
virtualenv_site_packages: true
- name: Setup test-python
pip:
requirements: "{{ container_registry_project_path }}/molecule-requirements.txt"
virtualenv: "{{ ansible_user_dir }}/test-python"
virtualenv_site_packages: true
extra_args: >-
--constraint "{{ container_registry_project_path }}/ansible-requirements.txt"

14
zuul.d/playbooks/run-local.yml
View File

@ -1,14 +0,0 @@
---
- hosts: all
tasks:
- name: set basic zuul fact
set_fact:
zuul:
project:
src_dir: "{{ tripleo_src }}"
ansible_connection: ssh
- import_playbook: pre.yml
- import_playbook: run.yml

14
zuul.d/playbooks/run.yml
View File

@ -1,14 +0,0 @@
---
- hosts: all
environment:
ANSIBLE_LOG_PATH: "{{ ansible_user_dir }}/zuul-output/logs/ansible-execution.log"
tasks:
- name: Run role test job
shell: |-
. {{ ansible_user_dir }}/test-python/bin/activate
molecule test --all
changed_when: true
args:
chdir: "{{ ansible_user_dir }}/{{ zuul.project.src_dir }}"
executable: /bin/bash