A place for people in (and around!) Los Angeles
Hear from @Jake Lundberg (HashiCorp) and his colleague next Thursday in Santa Monica!
Thu, Oct 24, 2019, 6:00 PM: WHEN: October 24, 2019. Doors open at 6pm. WHERE: GumGum HQ, [masked]th St., 4th floor, Santa Monica, 90401. ORGANIZERS: Corey Gale (DevOps Manager @ GumGum), Brian Tai (DevOps Engineer @ Audi
oof I don’t like that @Erik Osterman (Cloud Posse)
@btai @Corey Gale good tip yesterday at the meet up about setting up a pass thru registry for Docker to mitigate the effects of a Docker hub outage
I think mirroring the images to ECR is a PIA
But in researching this some more, I learned about the registry mirror option built into Docker
Use-case If you have multiple instances of Docker running in your environment, such as multiple physical or virtual machines all running Docker, each daemon goes out to the internet and…
Kubernetes Operations (kops) - Production Grade K8s Installation, Upgrades, and Management - kubernetes/kops
Looks like this is natively supported by Kops
So it seems like it’s easy enough to deploy a pass thru registry in cluster and then configure the mirror to use it
Not sure what happens if the mirror is offline - I presume it attempts upstream
@Jeremy G (Cloud Posse) we should add this to next rollout
Maybe go all the way and use something like Artifactory to be the pull-through cache for everything, not just docker images. https://jfrog.com/artifactory/features/
Artifactory provides compelling features including HA, P2 repository, build server integration, NuGet support, repo replication, yum.
I just don’t know where the line is drawn between open source and enterprise. Artifactory is cool and all, but I know their pricing is insane.
@Erik Osterman (Cloud Posse) is there a big difference in registry mirroring vs just pushing to 2 different registries?
you could do them in parallel in ci step (push to codefresh registry + push to ECR)
chances are you don’t rely on just your software
in our case: prometheus, grafana, keycloak, gatekeeper, kubecost, and 2 dozen other third-party vendors
sure you can take on the burden of pushing those to your own repos - that’s great (but a lot of work)
or you can just use a mirror that has a pull-through cache (as you describe) and address the immediate risk of being crippled by upstream outages.
1) from a security perspective, you should explicitly replicate or produce an image in your own repo for every package you depend on. for a smaller team, this might be a lot of overhead. it will shield you also from upstream outages.
2) from an HA perspective, the registry mirror is sufficient.
option (1) is 80% more work with 20% more benefit
great response erik