Merge pull request #37871 from Ma27/docker-registry-enhancements

nixos/docker-registry: add configuration options to support image deletions

nixos/doc/manual/release-notes/rl-1809.xml

@@ -94,6 +94,13 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
      accepted by the nc command.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The <varname>services.docker-registry.extraConfig</varname> object doesn't contain
+     environment variables anymore. Instead it needs to provide an object structure
+     that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/misc/docker-registry.nix

@@ -5,6 +5,45 @@ with lib;
 let
   cfg = config.services.dockerRegistry;
 
+  blobCache = if cfg.enableRedisCache
+    then "redis"
+    else "inmemory";
+
+  registryConfig = {
+    version =  "0.1";
+    log.fields.service = "registry";
+    storage = {
+      cache.blobdescriptor = blobCache;
+      filesystem.rootdirectory = cfg.storagePath;
+      delete.enabled = cfg.enableDelete;
+    };
+    http = {
+      addr = ":${builtins.toString cfg.port}";
+      headers.X-Content-Type-Options = ["nosniff"];
+    };
+    health.storagedriver = {
+      enabled = true;
+      interval = "10s";
+      threshold = 3;
+    };
+  };
+
+  registryConfig.redis = mkIf cfg.enableRedisCache {
+    addr = "${cfg.redisUrl}";
+    password = "${cfg.redisPassword}";
+    db = 0;
+    dialtimeout = "10ms";
+    readtimeout = "10ms";
+    writetimeout = "10ms";
+    pool = {
+      maxidle = 16;
+      maxactive = 64;
+      idletimeout = "300s";
+    };
+  };
+
+  configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (registryConfig // cfg.extraConfig));
+
 in {
   options.services.dockerRegistry = {
     enable = mkEnableOption "Docker Registry";
@@ -27,6 +66,26 @@ in {
       description = "Docker registry storage path.";
     };
 
+    enableDelete = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable delete for manifests and blobs.";
+    };
+
+    enableRedisCache = mkEnableOption "redis as blob cache";
+
+    redisUrl = mkOption {
+      type = types.str;
+      default = "localhost:6379";
+      description = "Set redis host and port.";
+    };
+
+    redisPassword = mkOption {
+      type = types.str;
+      default = "";
+      description = "Set redis password.";
+    };
+
     extraConfig = mkOption {
       description = ''
         Docker extra registry configuration via environment variables.
@@ -34,6 +93,19 @@ in {
       default = {};
       type = types.attrsOf types.str;
     };
+
+    enableGarbageCollect = mkEnableOption "garbage collect";
+
+    garbageCollectDates = mkOption {
+      default = "daily";
+      type = types.str;
+      description = ''
+        Specification (in the format described by
+        <citerefentry><refentrytitle>systemd.time</refentrytitle>
+        <manvolnum>7</manvolnum></citerefentry>) of the time at
+        which the garbage collect will occur.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
@@ -41,15 +113,8 @@ in {
       description = "Docker Container Registry";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
-
-      environment = {
-        REGISTRY_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.port}";
-        REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY = cfg.storagePath;
-      } // cfg.extraConfig;
-
       script = ''
-        ${pkgs.docker-distribution}/bin/registry serve \
+        ${pkgs.docker-distribution}/bin/registry serve ${configFile}
-          ${pkgs.docker-distribution.out}/share/go/src/github.com/docker/distribution/cmd/registry/config-example.yml
       '';
 
       serviceConfig = {
@@ -58,6 +123,22 @@ in {
       };
     };
 
+    systemd.services.docker-registry-garbage-collect = {
+      description = "Run Garbage Collection for docker registry";
+
+      restartIfChanged = false;
+      unitConfig.X-StopOnRemoval = false;
+
+      serviceConfig.Type = "oneshot";
+
+      script = ''
+        ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile}
+        ${pkgs.systemd}/bin/systemctl restart docker-registry.service
+      '';
+
+      startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates;
+    };
+
     users.extraUsers.docker-registry = {
       createHome = true;
       home = cfg.storagePath;

nixos/tests/docker-registry.nix

@@ -3,14 +3,16 @@
 import ./make-test.nix ({ pkgs, ...} : {
   name = "docker-registry";
   meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ globin ];
+    maintainers = [ globin ma27 ironpinguin ];
   };
 
   nodes = {
     registry = { config, pkgs, ... }: {
       services.dockerRegistry.enable = true;
+      services.dockerRegistry.enableDelete = true;
       services.dockerRegistry.port = 8080;
       services.dockerRegistry.listenAddress = "0.0.0.0";
+      services.dockerRegistry.enableGarbageCollect = true;
       networking.firewall.allowedTCPPorts = [ 8080 ];
     };
 
@@ -33,11 +35,29 @@ import ./make-test.nix ({ pkgs, ...} : {
 
     $registry->start();
     $registry->waitForUnit("docker-registry.service");
+    $registry->waitForOpenPort("8080");
     $client1->succeed("docker push registry:8080/scratch");
 
     $client2->start();
     $client2->waitForUnit("docker.service");
     $client2->succeed("docker pull registry:8080/scratch");
     $client2->succeed("docker images | grep scratch");
+
+    $client2->succeed(
+      'curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H"Accept: application/vnd.docker.distribution.manifest.v2+json" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e \'s/Docker-Content-Digest: //\' | tr -d \'\r\')'
+    );
+
+    $registry->systemctl("start docker-registry-garbage-collect.service");
+    $registry->waitUntilFails("systemctl status docker-registry-garbage-collect.service");
+    $registry->waitForUnit("docker-registry.service");
+
+    $registry->fail(
+      'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data'
+    );
+
+    $client1->succeed("docker push registry:8080/scratch");
+    $registry->succeed(
+      'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data'
+    );
   '';
 })