diff --git a/roles/use-buildset-registry/README.rst b/roles/use-buildset-registry/README.rst index 415a6ccba..2801477a0 100644 --- a/roles/use-buildset-registry/README.rst +++ b/roles/use-buildset-registry/README.rst @@ -28,3 +28,10 @@ Use this role on any host which should use the buildset registry. .. zuul:rolevar:: cert The (self-signed) certificate used by the registry. + +.. zuul:rolevar:: buildset_registry_docker_user + :default: {{ ansible_user }} + + The system user to configure to use the docker registry. The + docker configuration file for this user will be updated. By + default, the user Ansible is running as. diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml index 983e25bc8..e31a622c6 100644 --- a/roles/use-buildset-registry/tasks/main.yaml +++ b/roles/use-buildset-registry/tasks/main.yaml @@ -1,24 +1,52 @@ +- name: Ensure docker directory exists + become: yes + file: + state: directory + path: /etc/docker - name: Ensure registry cert directory exists become: true file: path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/" state: directory +- name: Ensure push registry cert directory exists + become: true + file: + path: "/etc/docker/certs.d/{{ buildset_registry.push_host }}:{{ buildset_registry.push_port }}/" + state: directory - name: Write registry TLS certificate become: true copy: content: "{{ buildset_registry.cert }}" dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt" +- name: Write push registry TLS certificate + become: true + copy: + content: "{{ buildset_registry.cert }}" + dest: "/etc/docker/certs.d/{{ buildset_registry.push_host }}:{{ buildset_registry.push_port }}/ca.crt" + +# Update daemon config +- name: Check if docker daemon configuration exists + stat: + path: /etc/docker/daemon.json + register: docker_config_stat - name: Load docker daemon configuration + when: docker_config_stat.stat.exists slurp: path: /etc/docker/daemon.json register: docker_config - name: Parse docker daemon configuration + when: docker_config_stat.stat.exists set_fact: docker_config: "{{ docker_config.content | b64decode | from_json }}" +- name: Set default docker daemon configuration + when: not docker_config_stat.stat.exists + set_fact: + docker_config: + registry-mirrors: [] - name: Add registry to docker daemon configuration vars: new_config: - registry-mirrors: "['https://{{ buildset_registry.host }}:{{ buildset_registry.port}}/'] + {{ docker_config['registry-mirrors'] }}" + registry-mirrors: "['https://{{ buildset_registry.host }}:{{ buildset_registry.port}}/']" set_fact: docker_config: "{{ docker_config | combine(new_config) }}" - name: Save docker daemon configuration @@ -26,14 +54,24 @@ content: "{{ docker_config | to_nice_json }}" dest: /etc/docker/daemon.json become: true + - name: Restart docker daemon service: name: docker state: restarted become: true -- name: Log in to registry - command: "docker login -u {{ buildset_registry.username }} -p {{ buildset_registry.password }} https://{{ buildset_registry.host }}:{{ buildset_registry.port}}/" - register: result - until: result.rc ==0 - delay: 1 - retries: 120 + register: docker_restart + failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg + +# We use 'block' here to cause the become to apply to all the tasks +# (which does not automatically happen with include_tasks). +- name: Update docker user config to use buildset registry + become: true + become_user: "{{ buildset_registry_docker_user }}" + when: buildset_registry_docker_user is defined + block: + - include_tasks: user-config.yaml +- name: Update docker user config to use buildset registry + when: buildset_registry_docker_user is not defined + block: + - include_tasks: user-config.yaml diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml new file mode 100644 index 000000000..24b5e5213 --- /dev/null +++ b/roles/use-buildset-registry/tasks/user-config.yaml @@ -0,0 +1,43 @@ +# Update user config +- name: Ensure docker user directory exists + file: + state: directory + path: "~/.docker" + mode: 0700 +- name: Check if docker user configuration exists + stat: + path: "~/.docker/config.json" + register: docker_config_stat +- name: Load docker user configuration + when: docker_config_stat.stat.exists + slurp: + path: "~/.docker/config.json" + register: docker_config +- name: Parse docker user configuration + when: docker_config_stat.stat.exists + set_fact: + docker_config: "{{ docker_config.content | b64decode | from_json }}" +- name: Set default docker user configuration + when: not docker_config_stat.stat.exists + set_fact: + docker_config: + auths: {} +- name: Add registry to docker user configuration + vars: + new_config: + auths: | + { + "https://index.docker.io/v1/": + {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}, + "{{ buildset_registry.host }}:{{ buildset_registry.port }}": + {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}, + "{{ buildset_registry.push_host }}:{{ buildset_registry.push_port }}": + {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"} + } + set_fact: + docker_config: "{{ docker_config | combine(new_config, recursive=True) }}" +- name: Save docker user configuration + copy: + content: "{{ docker_config | to_nice_json }}" + dest: "~/.docker/config.json" + mode: 0600