3f01dc11f7
Complete a lingering TODO in run-buildset-registry to use a less guessable password for the intermediate registry service. Timestamps (even with microsecond precision and even running through a hash algorithm) are inherently guessable. Someone watching a console stream of the job could probably narrow down the time that task ran to at least second precision, which then requires at most a million guesses to be able to pollute or otherwise compromise the content jobs are relying on. With reasonable network access and a typical personal computer this is a rather small work factor to overcome.

Luckily, the Ansible community maintains an in-tree lookup plugin[*] for strong password generation. Its default is 20 mixed-case letters, numbers and punctuation, so the same length as the truncated hash we're replacing.

[*] https://docs.ansible.com/ansible/latest/plugins/lookup/password.html

Depends-On: https://review.opendev.org/662870
Change-Id: I66e60f767328cc3af540ec4b755121da989b5e56
Runs a docker registry for the use of this buildset.
This may be used for a single job running on a single node, or it may be used at the root of a job graph so that multiple jobs running for a single change can share the registry. Two registry endpoints are provided -- one is a local registry, the second is an upstream proxy.
Role Variables
Return Values
Information about the registry.
The host (IP address) of the registry.
The port on which the registry is listening.
The port on which the proxy is listening.
The username used to access the registry via HTTP basic auth.
The password used to access the registry via HTTP basic auth.
The (self-signed) certificate used by the registry.
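The work-factor argument in the commit message above can be checked numerically. The following is an added example, not code from the role or the commit: it assumes SHA-256 over an ISO-8601 microsecond timestamp as a stand-in for the replaced scheme (the page does not name the hash or format), assumes the random alphabet matches the password lookup's default, and all function names are hypothetical.

```python
import hashlib
import math
import secrets
import string
from datetime import datetime, timedelta

LENGTH = 20  # both schemes yield 20 characters, per the commit message
# Character set assumed to match the password lookup's documented default.
ALPHABET = string.ascii_letters + string.digits + ".,:-_"


def timestamp_password(ts):
    """Assumed stand-in for the replaced scheme: truncated hash of a timestamp."""
    stamp = ts.isoformat(timespec="microseconds").encode()
    return hashlib.sha256(stamp).hexdigest()[:LENGTH]


def random_password():
    """CSPRNG-backed equivalent of a 20-character generated password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def bits(candidates):
    """Size of a search space expressed in bits."""
    return math.log2(candidates)


def derived_from_window(password, second_start):
    """Return the timestamp within one second of second_start that produces
    password, or None. At most 1,000,000 hashes are computed."""
    for micro in range(1_000_000):
        ts = second_start + timedelta(microseconds=micro)
        if timestamp_password(ts) == password:
            return ts
    return None


if __name__ == "__main__":
    observed = datetime(2019, 6, 3, 17, 4, 5)  # constructed: second seen in a log
    old = timestamp_password(observed.replace(microsecond=424242))
    print("timestamp scheme: %.1f bits" % bits(1_000_000))
    print("random scheme:    %.1f bits" % bits(len(ALPHABET) ** LENGTH))
    print("old-style value reproduced from:", derived_from_window(old, observed))
    print("random value reproduced from:   ", derived_from_window(random_password(), observed))
```

Hashing does not widen the search space: the old-style value is only as unpredictable as the timestamp fed into it, while the random value carries its full length in entropy.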