#lax (2019-10)

A place for people in (and around!) Los Angeles

Archive: https://archive.sweetops.com/lax/

2019-10-14

btai

Hear from @Jake Lundberg (HashiCorp) and his colleague next Thursday in Santa Monica!

https://www.meetup.com/West-LA-DevOps/events/265221538/

West LA DevOps: The 4th Meetup

Thu, Oct 24, 2019, 6:00 PM: WHEN October 24, 2019, doors open at 6pm. WHERE GumGum HQ, [masked]th St., 4th floor, Santa Monica, 90401. ORGANIZERS Corey Gale (DevOps Manager @ GumGum), Brian Tai (DevOps Engineer @ Audi

Erik Osterman (Cloud Posse)
btai

oof I don’t like that @Erik Osterman (Cloud Posse)

btai

I definitely don’t want our members to pay to RSVP. At the same time, I’d say our attendance rate is about 40~50% of the total RSVPs

btai

Technically they could show up without RSVPing.

2019-10-25

Erik Osterman (Cloud Posse)

@btai @Corey Gale good tip yesterday at the meetup about setting up a pass thru registry for Docker to mitigate the effects of a Docker Hub outage

Erik Osterman (Cloud Posse)

I think mirroring the images to ECR is a PIA

Erik Osterman (Cloud Posse)

But in researching this some more, I learned about the registry mirror option built into Docker

btai

Pia?

Erik Osterman (Cloud Posse)

(Pain in the ass)

Erik Osterman (Cloud Posse)

I guess that makes it PITA

Corey Gale

Erik Osterman (Cloud Posse)
Registry as a pull through cache

Use-case If you have multiple instances of Docker running in your environment, such as multiple physical or virtual machines all running Docker, each daemon goes out to the internet and…

kubernetes/kops

Kubernetes Operations (kops) - Production Grade K8s Installation, Upgrades, and Management - kubernetes/kops

Erik Osterman (Cloud Posse)

Looks like this is natively supported by Kops

Erik Osterman (Cloud Posse)

So it seems like it’s easy enough to deploy a pass thru registry in cluster and then configure the mirror to use it

Erik Osterman (Cloud Posse)

Not sure what happens if the mirror is offline - I presume it attempts upstream

Corey Gale
02:22:20 AM

@Corey Gale has joined the channel

Erik Osterman (Cloud Posse)

@Jeremy G (Cloud Posse) we should add this to next rollout

Jeremy G (Cloud Posse)

Maybe go all the way and use something like Artifactory to be the pull-through cache for everything, not just docker images. https://jfrog.com/artifactory/features/

Artifactory Features: Build Integration, REST API, Replication ... - JFrog

Artifactory provides compelling features including, HA, P2 repository, build server integration, NuGet support, repo replication, yum.

Erik Osterman (Cloud Posse)

I just don’t know where the line is drawn between open source and enterprise. Artifactory is cool and all, but I know their pricing is insane.

2019-10-27

2019-10-28

btai

@Erik Osterman (Cloud Posse) is there a big difference in registry mirroring vs just pushing to 2 different registries?

btai

you could do them in parallel in a CI step (push to Codefresh registry + push to ECR)

Erik Osterman (Cloud Posse)

chances are you don’t rely on just your software

Erik Osterman (Cloud Posse)

in our case: prometheus, grafana, keycloak, gatekeeper, kubecost, and 2 dozen other third-party vendors

Erik Osterman (Cloud Posse)

sure you can take on the burden of pushing those to your own repos - that’s great (but a lot of work)

Erik Osterman (Cloud Posse)

or you can just use a mirror that has a pull-through cache (as you describe) and address the immediate risk of being crippled by upstream outages.

Erik Osterman (Cloud Posse)

I’d argue:

Erik Osterman (Cloud Posse)

1) from a security perspective, you should explicitly replicate or produce an image in your own repo for every package you depend on. for a smaller team, this might be a lot of overhead. it will also shield you from upstream outages.

Erik Osterman (Cloud Posse)

2) from an HA perspective, the registry mirror is sufficient.

Erik Osterman (Cloud Posse)

80/20 rule

Erik Osterman (Cloud Posse)

option (1) is 80% more work with 20% more benefit

Erik Osterman (Cloud Posse)

btai

great response erik