[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Multi-Tenant Cluster: Create a separate docker registry for every project?

Hello Guys

I thought that project very interesting.

I'm looking for openshift integration too.

Thank you

2016-08-16 10:59 GMT-03:00 v <vekt0r7 gmx net>:
Hello Jonathan,

thank you for you input, it is highly valued.

I have to admit that I did not know of Atomic Registry - looks like a very promising project. I am looking forward to seeing Atomic Registry being integrated into OpenShift. :)

We're using one-registry-per-project because this allows us sell to customers things like "100 GiB of Registry Storage". Each project registry gets its own PersistentVolume via NFS and the NFS storage consists of a thinly provisioned Logical Volume limited to 100 GiB at max.

I haven't found out how to do something similar like that (i.e. selling 100 GiB of registry storage to a customer and making sure he can't use more than 100 GiB) using the integrated docker registry. Will check out whether this is possible with Atomic Registry.


Am 2016-08-14 um 00:41 schrieb Jonathan Yu:
Hi there,

I'm not an expert regarding the registry by any means, but since nobody else has replied, I just wanted to share some thoughts.

On Wed, Aug 3, 2016 at 5:59 AM, v <vekt0r7 gmx net> wrote:

we would like to deploy our first multi-tenant OpenShift Cluster and we'd like to have all customers as separated as possible. For this reason we would like to give each customer his/her own docker registry and registry storage.

OpenShift is designed for multi-tenancy, including the networking stack (that's why we have OpenShift SDN) and the registry (the registry itself is shared, but our registry has integrated security for the multi-tenant use case).  It's worth noting that the code in OpenShift Origin eventually becomes the code that we run on our multi-tenant public cloud, OpenShift Online.

There is some ongoing work to integrate our Atomic Registry into OpenShift as this would provide better management capabilities: https://trello.com/c/0hsX6B4G/210-enterprise-image-registry-atomic-registry

That said, configuring individual registries would indeed give the best isolation, though at the cost of (potentially significant) administrative overhead, as you will need to monitor/manage many registries instead of just one.  On the other hand, the advantage is that downtime of the registry would only affect individual tenants, so it really depends on your use case.
We thought we'd create a registry-pod in every project. Should we just use the official docker registry image from the docker hub or should we use openshift/origin-docker-registry?

I'm biased, since I work for Red Hat, but I'd suggest trying the Atomic Registry as it comes with sophisticated security controls and a management interface.  Just a personal preference - I like graphical interfaces versus doing stuff on the command line.

If you do go the route of having individual registries for each project, you'll need to tell projects where to push images: https://docs.openshift.org/latest/dev_guide/builds.html#build-output

I think this also means that our built-in tools for managing registries will be unusable: https://docs.openshift.org/latest/admin_guide/monitoring_images.html
What is the "best practice" concerning the handling of docker registries in multi-tenant clusters?

I'd suggest just sticking to what we ship (a multi-tenant-aware registry) and using that, as it's well-tested and fairly flexible: https://docs.openshift.org/latest/install_config/install/docker_registry.html#advanced-overriding-the-registry-configuration

Jonathan Yu, P.Eng. / Software Engineer, OpenShift by Red Hat / Twitter (@jawnsy) is the quickest way to my heart

“A master in the art of living draws no sharp distinction between his work and his play; his labor and his leisure; his mind and his body; his education and his recreation. He hardly knows which is which. He simply pursues his vision of excellence through whatever he is doing, and leaves others to determine whether he is working or playing. To himself, he always appears to be doing both.” — L. P. Jacks, Education through Recreation (1932), p. 1

users mailing list
users lists openshift redhat com

users mailing list
users lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]