Added the infra SOPs ported to asciidoc.
This commit is contained in:
parent
8a7f111a12
commit
a0301e30f1
148 changed files with 18575 additions and 17 deletions
82
modules/sysadmin_guide/pages/registry.adoc
Normal file
@ -0,0 +1,82 @@
= Container registry SOP

Fedora uses the https://github.com/docker/distribution[Docker
Distribution] container registry to host its container images.

Production instance: https://registry.fedoraproject.org CDN instance:
https://cdn.registry.fedoraproject.org

== Contact information

Owner::
Fedora Infrastructure Team
Contact::
#fedora-admin
Persons::
bowlofeggs cverna puiterwijk
Location::
Phoenix
Servers::
oci-candidate-registry01.phx2.fedoraproject.org
oci-candidate-registry01.stg.phx2.fedoraproject.org
oci-registry01.phx2.fedoraproject.org
oci-registry01.stg.phx2.fedoraproject.org
oci-registry02.phx2.fedoraproject.org
Purpose::
Serve Fedora's container images

== Configuring all nodes

Run this command from the [.title-ref]#ansible# checkout to configure
all nodes in production:

....
$ sudo rbac-playbook groups/oci-registry.yml
....

== Upgrades

Fedora infrastructure uses the registry packaged and distributed with
Fedora. Thus, there is no special upgrade procedure - a simple
`dnf update` will do.

== System architecture

The container registry is hosted in a fairly simple design. There are
two hosts that run Docker Distribution to serve the registry API, and
these hosts are behind a load balancer. These hosts will respond to all
requests except for requests for blobs. Requests for blobs will receive
a 302 redirect to https://cdn.registry.fedoraproject.org, which is a
caching proxy hosted by CDN 77. The primary goal of serving the registry
API ourselves is so that we can serve the container manifests over TLS
so that users can be assured they are receiving the correct image blobs
when they retrieve them. We do not rely on signatures since we do not
have a Notary instance.

The two registry instances are configured not to cache their data, and
use NFS to replicate their shared storage. This way, changes to one
registry should appear in the other quickly.

== Troubleshooting

=== Logs

You can monitor the registry via the systemd journal:

....
sudo journalctl -f -u docker-distribution
....

=== Running out of disk space

We have a niagos check that monitors the available disk space on
[.title-ref]#/srv/registry#. An ansible playbook is available to reclaim
some disk space if needed:

....
sudo rbac-playbook manual/oci-registry-prune.yml
....

This will delete all the images that are older than 30 days on the
candidate registries (prod and stg) and then run the garbage collection
on the registries server.
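Review bot: "niagos" in the "Running out of disk space" section is a typo for "nagios". In the same file, `[.title-ref]#ansible#` (Configuring all nodes) and `[.title-ref]#/srv/registry#` (Running out of disk space) are leftovers of the rst-to-asciidoc conversion; the `title-ref` role has no meaning in asciidoc, so write these as monospace, e.g. `` `ansible` `` and `` `/srv/registry` ``. "Production instance: https://registry.fedoraproject.org CDN instance: https://cdn.registry.fedoraproject.org" runs two labelled URLs together on one line; put each on its own line or use a labelled list as the Contact information section already does. In the System architecture section, the text says serving manifests over TLS assures users of correct blobs even though no signatures are used, while blobs themselves are fetched from the CDN 77 proxy after a 302; the SOP would be clearer if it stated what the client checks against the TLS-served manifest when it receives a redirected blob, since that is the whole trust argument for the CDN design.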