[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Docker registry access in OSv3

With the sample app (https://github.com/openshift/origin/tree/master/examples/sample-app) and in other places, we're discussing having STI builders push an image to a Docker registry (running on OpenShift or outside it) and having that kick off a deployment of that image.

Here are the questions that arise:
1. How do we put quotas on how much registry space a project can use?
2. How do we prevent projects from pushing images that stomp on same-named images pushed by other projects?

If the ability to push images is always mediated by ImageRepositories, and we automatically add the project namespace to the image name (so, a project "foo" with IR "bar" always pushes images named "foo/bar" to the docker-registry service), that takes care of 2. Not sure if that's the intended design?

The question of quotas seems harder. Resource limits can be defined in OpenShift but some kind of registry plugin would be required for the docker-registry to enforce them, if it has the ability at all. And is there a mechanism for administratively pointing at some external registry? Maybe just point the docker-registry service at an external IP?

One other possibility would be requiring each project that does image builds to host its own docker registry. It would handle the quota issue nicely, but would probably seem cumbersome to users.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]