nixos/docker-registry: cleanup module definition & enhance testcase

The following changes have been applied:

- the property `http.headers.X-Content-Type-Options` must be a list of
  strings rather than a serialized list
- instead of `/etc/docker/registry/config.yml` the configuration will be
  written with `pkgs.writeText` and the store path will be used to run
  the registry. This reduces the risk of possible impurities by relying
  on the Nix store only.
- cleaned up the property paths to ease readability and reduce the
  verbosity.
- enhanced the testcase to ensure that digests can be deleted as well
- the `services.docker-registry.extraConfig` object will be merged with
  `registryConfig`

/cc @ironpinguin
Maximilian Bosch 2018-03-26 13:54:01 +02:00
parent f5c0b3f887
commit 593dc45141
No known key found for this signature in database
GPG Key ID: 091DBF4D1FC46B8E
3 changed files with 32 additions and 40 deletions


@ -77,6 +77,13 @@ following incompatible changes:</para>
accepted by the nc command. accepted by the nc command.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <varname>services.docker-registry.extraConfig</varname> object doesn't contain
environment variables anymore. Instead it needs to provide an object structure
that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>


@ -5,40 +5,26 @@ with lib;
let let
cfg = config.services.dockerRegistry; cfg = config.services.dockerRegistry;
blogCache = if cfg.enableRedisCache blobCache = if cfg.enableRedisCache
then "redis" then "redis"
else "inmemory"; else "inmemory";
registryConfig = { registryConfig = {
version = "0.1"; version = "0.1";
log = { log.fields.service = "registry";
fields = {
service = "registry";
};
};
storage = { storage = {
cache = { cache.blobdescriptor = blobCache;
blobdescriptor = "${blogCache}"; filesystem.rootdirectory = cfg.storagePath;
}; delete.enabled = cfg.enableDelete;
filesystem = {
rootdirectory = "/var/lib/registry";
};
delete = {
enabled = cfg.enableDelete;
};
}; };
http = { http = {
addr = ":5000"; addr = ":${builtins.toString cfg.port}";
headers = { headers.X-Content-Type-Options = ["nosniff"];
X-Content-Type-Options = "[nosniff]";
};
}; };
health = { health.storagedriver = {
storagedriver = { enabled = true;
enabled = true; interval = "10s";
interval = "10s"; threshold = 3;
threshold = 3;
};
}; };
}; };
@ -98,7 +84,7 @@ in {
redisPassword = mkOption { redisPassword = mkOption {
type = types.str; type = types.str;
default = "asecret"; default = "";
description = "Set redis password."; description = "Set redis password.";
}; };
@ -112,21 +98,14 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.etc."docker/registry/config.yml".text = builtins.toJSON registryConfig;
systemd.services.docker-registry = { systemd.services.docker-registry = {
description = "Docker Container Registry"; description = "Docker Container Registry";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
script = let
environment = { configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (registryConfig // cfg.extraConfig));
REGISTRY_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.port}"; in ''
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY = cfg.storagePath; ${pkgs.docker-distribution}/bin/registry serve ${configFile}
} // cfg.extraConfig;
script = ''
${pkgs.docker-distribution}/bin/registry serve \
/etc/docker/registry/config.yml
''; '';
serviceConfig = { serviceConfig = {
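Review bot: The new `http.addr = ":${builtins.toString cfg.port}"` drops `cfg.listenAddress`, which the removed `REGISTRY_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.port}"` honoured; a deployment that set `listenAddress = "127.0.0.1"` now has the registry bound on every interface, and the option still exists (the test sets it), so this should read `addr = "${cfg.listenAddress}:${toString cfg.port}";`. The merge `registryConfig // cfg.extraConfig` is shallow, so an `extraConfig.http = { … }` or `extraConfig.storage = { … }` silently replaces the whole generated sub-tree (including `addr` and the `nosniff` header) rather than being merged as the commit message describes; `lib.recursiveUpdate registryConfig cfg.extraConfig` gives the intended behaviour. Note also that `pkgs.writeText` puts the rendered config into the world-readable Nix store, so any secret passed through `extraConfig` (e.g. `http.secret`, or the redis password if it is rendered into this file — the redis block is outside the hunk) becomes readable by every local user; that deserves a warning in the option description, or an `EnvironmentFile`-based `REGISTRY_*` override path for secret values. The `systemd.services.docker-registry` definition continues past the end of this hunk.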


@ -3,12 +3,13 @@
import ./make-test.nix ({ pkgs, ...} : { import ./make-test.nix ({ pkgs, ...} : {
name = "docker-registry"; name = "docker-registry";
meta = with pkgs.stdenv.lib.maintainers; { meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ globin ]; maintainers = [ globin ma27 ];
}; };
nodes = { nodes = {
registry = { config, pkgs, ... }: { registry = { config, pkgs, ... }: {
services.dockerRegistry.enable = true; services.dockerRegistry.enable = true;
services.dockerRegistry.enableDelete = true;
services.dockerRegistry.port = 8080; services.dockerRegistry.port = 8080;
services.dockerRegistry.listenAddress = "0.0.0.0"; services.dockerRegistry.listenAddress = "0.0.0.0";
networking.firewall.allowedTCPPorts = [ 8080 ]; networking.firewall.allowedTCPPorts = [ 8080 ];
@ -22,6 +23,7 @@ import ./make-test.nix ({ pkgs, ...} : {
client2 = { config, pkgs, ...}: { client2 = { config, pkgs, ...}: {
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.docker.extraOptions = "--insecure-registry registry:8080"; virtualisation.docker.extraOptions = "--insecure-registry registry:8080";
environment.systemPackages = [ pkgs.jq ];
}; };
}; };
@ -39,5 +41,9 @@ import ./make-test.nix ({ pkgs, ...} : {
$client2->waitForUnit("docker.service"); $client2->waitForUnit("docker.service");
$client2->succeed("docker pull registry:8080/scratch"); $client2->succeed("docker pull registry:8080/scratch");
$client2->succeed("docker images | grep scratch"); $client2->succeed("docker images | grep scratch");
$client2->succeed(
'curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl registry:8080/v2/scratch/manifests/latest | jq ".fsLayers[0].blobSum" | sed -e \'s/"//g\')'
);
''; '';
}) })
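Review bot: The DELETE in the new `$client2->succeed(...)` call takes its digest from `jq ".fsLayers[0].blobSum"`, which is the digest of the first layer blob, whereas the `/v2/<name>/manifests/<reference>` DELETE endpoint expects the manifest digest; the registry returns that in the `Docker-Content-Digest` header of a GET/HEAD on the tag, e.g. `curl -fsSI registry:8080/v2/scratch/manifests/latest | awk '/Docker-Content-Digest/ {print $2}' | tr -d '\r'`. Whether the server happens to accept a layer digest at that URL cannot be checked from this page, so the assertion may pass or fail for the wrong reason. The test also never verifies that the deletion took effect; adding `$client2->fail("curl -fsS registry:8080/v2/scratch/manifests/latest");` after the DELETE (and `-f` on the inner curl so a 404 body is not piped into jq) would make it assert what the commit message claims. Using `jq -r` removes the need for the `sed -e 's/"//g'` step and the fragile `\'` escaping inside the single-quoted Perl string.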