use-buildset-registry: support running before docker installed

To accomodate running in a production-simulation environment,
make it safe to run this role on a host before docker is installed.

This also adds support for the new dual-registry configuration
that run-buildset-registry uses.

This removes the region-local proxy from the registry-mirrors
configuration.  Because the buildset registry acts as a pull-through
proxy, the region-local proxy won't be used even if we did include it.
Instead, we should update the run-buildset-registry role to proxy
to the region-local proxy if present.

Change-Id: I21011a3708f17ee61afd0034d90d75e8dc885575

roles/use-buildset-registry/README.rst

@@ -28,3 +28,10 @@ Use this role on any host which should use the buildset registry.
    .. zuul:rolevar:: cert
 
       The (self-signed) certificate used by the registry.
+
+.. zuul:rolevar:: buildset_registry_docker_user
+   :default: {{ ansible_user }}
+
+   The system user to configure to use the docker registry.  The
+   docker configuration file for this user will be updated.  By
+   default, the user Ansible is running as.

roles/use-buildset-registry/tasks/main.yaml

@@ -1,24 +1,52 @@
+- name: Ensure docker directory exists
+  become: yes
+  file:
+    state: directory
+    path: /etc/docker
 - name: Ensure registry cert directory exists
   become: true
   file:
     path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
     state: directory
+- name: Ensure push registry cert directory exists
+  become: true
+  file:
+    path: "/etc/docker/certs.d/{{ buildset_registry.push_host }}:{{ buildset_registry.push_port }}/"
+    state: directory
 - name: Write registry TLS certificate
   become: true
   copy:
     content: "{{ buildset_registry.cert }}"
     dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
+- name: Write push registry TLS certificate
+  become: true
+  copy:
+    content: "{{ buildset_registry.cert }}"
+    dest: "/etc/docker/certs.d/{{ buildset_registry.push_host }}:{{ buildset_registry.push_port }}/ca.crt"
+
+# Update daemon config
+- name: Check if docker daemon configuration exists
+  stat:
+    path: /etc/docker/daemon.json
+  register: docker_config_stat
 - name: Load docker daemon configuration
+  when: docker_config_stat.stat.exists
   slurp:
     path: /etc/docker/daemon.json
   register: docker_config
 - name: Parse docker daemon configuration
+  when: docker_config_stat.stat.exists
   set_fact:
     docker_config: "{{ docker_config.content | b64decode | from_json }}"
+- name: Set default docker daemon configuration
+  when: not docker_config_stat.stat.exists
+  set_fact:
+    docker_config:
+      registry-mirrors: []
 - name: Add registry to docker daemon configuration
   vars:
     new_config:
-      registry-mirrors: "['https://{{ buildset_registry.host }}:{{ buildset_registry.port}}/'] + {{ docker_config['registry-mirrors'] }}"
+      registry-mirrors: "['https://{{ buildset_registry.host }}:{{ buildset_registry.port}}/']"
   set_fact:
     docker_config: "{{ docker_config | combine(new_config) }}"
 - name: Save docker daemon configuration
@@ -26,14 +54,24 @@
     content: "{{ docker_config | to_nice_json }}"
     dest: /etc/docker/daemon.json
   become: true
+
 - name: Restart docker daemon
   service:
     name: docker
     state: restarted
   become: true
-- name: Log in to registry
-  command: "docker login -u {{ buildset_registry.username }} -p {{ buildset_registry.password }} https://{{ buildset_registry.host }}:{{ buildset_registry.port}}/"
-  register: result
-  until: result.rc ==0
-  delay: 1
-  retries: 120
+  register: docker_restart
+  failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg
+
+# We use 'block' here to cause the become to apply to all the tasks
+# (which does not automatically happen with include_tasks).
+- name: Update docker user config to use buildset registry
+  become: true
+  become_user: "{{ buildset_registry_docker_user }}"
+  when: buildset_registry_docker_user is defined
+  block:
+    - include_tasks: user-config.yaml
+- name: Update docker user config to use buildset registry
+  when: buildset_registry_docker_user is not defined
+  block:
+    - include_tasks: user-config.yaml

roles/use-buildset-registry/tasks/user-config.yaml

@@ -0,0 +1,43 @@
+# Update user config
+- name: Ensure docker user directory exists
+  file:
+    state: directory
+    path: "~/.docker"
+    mode: 0700
+- name: Check if docker user configuration exists
+  stat:
+    path: "~/.docker/config.json"
+  register: docker_config_stat
+- name: Load docker user configuration
+  when: docker_config_stat.stat.exists
+  slurp:
+    path: "~/.docker/config.json"
+  register: docker_config
+- name: Parse docker user configuration
+  when: docker_config_stat.stat.exists
+  set_fact:
+    docker_config: "{{ docker_config.content | b64decode | from_json }}"
+- name: Set default docker user configuration
+  when: not docker_config_stat.stat.exists
+  set_fact:
+    docker_config:
+      auths: {}
+- name: Add registry to docker user configuration
+  vars:
+    new_config:
+      auths: |
+        {
+          "https://index.docker.io/v1/":
+            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
+          "{{ buildset_registry.host }}:{{ buildset_registry.port }}":
+            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
+          "{{ buildset_registry.push_host }}:{{ buildset_registry.push_port }}":
+            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
+        }
+  set_fact:
+    docker_config: "{{ docker_config | combine(new_config, recursive=True) }}"
+- name: Save docker user configuration
+  copy:
+    content: "{{ docker_config | to_nice_json }}"
+    dest: "~/.docker/config.json"
+    mode: 0600