[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Multi-Tenant Cluster: Create a separate docker registry for every project?

Hi there,

I'm not an expert regarding the registry by any means, but since nobody else has replied, I just wanted to share some thoughts.

On Wed, Aug 3, 2016 at 5:59 AM, v <vekt0r7 gmx net> wrote:

we would like to deploy our first multi-tenant OpenShift Cluster and we'd like to have all customers as separated as possible. For this reason we would like to give each customer his/her own docker registry and registry storage.

OpenShift is designed for multi-tenancy, including the networking stack (that's why we have OpenShift SDN) and the registry (the registry itself is shared, but our registry has integrated security for the multi-tenant use case).  It's worth noting that the code in OpenShift Origin eventually becomes the code that we run on our multi-tenant public cloud, OpenShift Online.

There is some ongoing work to integrate our Atomic Registry into OpenShift as this would provide better management capabilities: https://trello.com/c/0hsX6B4G/210-enterprise-image-registry-atomic-registry

That said, configuring individual registries would indeed give the best isolation, though at the cost of (potentially significant) administrative overhead, as you will need to monitor/manage many registries instead of just one.  On the other hand, the advantage is that downtime of the registry would only affect individual tenants, so it really depends on your use case.
We thought we'd create a registry-pod in every project. Should we just use the official docker registry image from the docker hub or should we use openshift/origin-docker-registry?

I'm biased, since I work for Red Hat, but I'd suggest trying the Atomic Registry as it comes with sophisticated security controls and a management interface.  Just a personal preference - I like graphical interfaces versus doing stuff on the command line.

If you do go the route of having individual registries for each project, you'll need to tell projects where to push images: https://docs.openshift.org/latest/dev_guide/builds.html#build-output

I think this also means that our built-in tools for managing registries will be unusable: https://docs.openshift.org/latest/admin_guide/monitoring_images.html
What is the "best practice" concerning the handling of docker registries in multi-tenant clusters?

I'd suggest just sticking to what we ship (a multi-tenant-aware registry) and using that, as it's well-tested and fairly flexible: https://docs.openshift.org/latest/install_config/install/docker_registry.html#advanced-overriding-the-registry-configuration

Jonathan Yu, P.Eng. / Software Engineer, OpenShift by Red Hat / Twitter (@jawnsy) is the quickest way to my heart

“A master in the art of living draws no sharp distinction between his work and his play; his labor and his leisure; his mind and his body; his education and his recreation. He hardly knows which is which. He simply pursues his vision of excellence through whatever he is doing, and leaves others to determine whether he is working or playing. To himself, he always appears to be doing both.” — L. P. Jacks, Education through Recreation (1932), p. 1

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]