--- Class[Profile::Docker_registry].orig
+++ Class[Profile::Docker_registry]
+ s3_migrations => {'ml': {'port': 5004, 'auth_mode': 'basic', 'push_file': '/etc/nginx/ml-push.htpasswd', 'prefixes': ['ml']}}
Nginx::Site[registry]
Class[Docker_registry::Web]
- Parameters differences:
--- Class[Docker_registry::Web].orig
+++ Class[Docker_registry::Web]
+ s3_migrations => {'ml': {'port': 5004, 'auth_mode': 'basic', 'push_file': '/etc/nginx/ml-push.htpasswd', 'prefixes': ['ml']}}
- File[/etc/nginx/sites-available/registry]
- Content differences:
--- /etc/nginx/sites-available/registry.orig
+++ /etc/nginx/sites-available/registry
@@ -773,57 +773,42 @@
send_timeout 180;
}
- location ~ ^/v2/ml/.* {
- # Send all but GET/HEAD requests to @ml location block below
+ # /v2/{ml}/* are served by the S3-backed
+ # registry-ml instance. GET/HEAD reads try S3 first and fall
+ # back to swift on a miss/error (@swift_fallback); writes go only to S3 via
+ # @ml_write.
+ location ~ ^/v2/(ml/.*) {
+
+ # Send all but GET/HEAD requests to @ml_write below, so that
+ # only idempotent reads are eligible for the swift fallback.
# See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>
# which explains and recommends this
- error_page 418 = @ml;
+ error_page 418 = @ml_write;
recursive_error_pages on;
if ($request_method !~ ^(GET|HEAD)$) {
return 418;
}
- # This covers GET/HEAD requests to /v2/ml/
+
+ # Try the S3-backed registry first; fall back to swift on a miss/error.
+ proxy_intercept_errors on;
+ error_page 404 502 503 504 = @swift_fallback;
proxy_pass http://registry-ml;
- proxy_redirect off;
- proxy_buffering off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Proxy-Connection "Keep-Alive";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $host;
-
- proxy_connect_timeout 180;
- proxy_send_timeout 180;
- proxy_read_timeout 180;
- send_timeout 180;
-
- }
-
- # This block applies to POST/PUT/DELETE/etc. methods to /v2/ml/
- location @ml {
+ include /etc/nginx/registry-nginx-proxy-common.conf;
+
+ }
+
+ # Writes (POST/PUT/DELETE/etc.) for every prefix routed to
+ # registry-ml land here, and go only to S3 (never swift) to
+ # avoid splitting an in-progress upload across two stores.
+ location @ml_write {
# Only ml users can push images
auth_basic "docker-registry ml";
auth_basic_user_file /etc/nginx/ml-push.htpasswd;
proxy_pass http://registry-ml;
- proxy_redirect off;
- proxy_buffering off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Proxy-Connection "Keep-Alive";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $host;
-
- proxy_connect_timeout 180;
- proxy_send_timeout 180;
- proxy_read_timeout 180;
- send_timeout 180;
+ include /etc/nginx/registry-nginx-proxy-common.conf;
}
# Capture the original request path here so we can pass it to
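Review bot: The read fallback introduced under the "Try the S3-backed registry first" comment (`error_page 404 502 503 504 = @swift_fallback;`) applies to every GET/HEAD under the prefix, including HEAD requests on blobs; if pushing clients use such a HEAD to decide whether a layer already exists (inferred from the registry push flow, not visible in this hunk), a 200 served from swift would make them skip uploading a blob that registry-ml does not hold, reintroducing the cross-store split that the `@ml_write` comment says it is avoiding. Consider either narrowing the fallback for blob HEADs to backend failures only (502/503/504, not 404) or recording in a comment that blobs are copied to S3 before a prefix is switched over. The `@swift_fallback` comment in the following hunk states that auth_request "already ran on the way in", but no auth_request directive is visible in either hunk; since an error_page internal redirect re-runs the access phase, the comment should say where the directive is declared and whether it executes again, e.g. `# auth_request is inherited from the server block and runs again here (TODO confirm)`. Two style points: the capture group in `location ~ ^/v2/(ml/.*)` is never used within the hunk, and `internal;` on a named location is redundant because named locations are only reachable by internal redirect.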
@@ -892,6 +877,19 @@
}
+ # Generic fallback for prefixes migrating to an S3-backed registry: the
+ # per-prefix blocks above route here when their S3 backend returns a
+ # 404/5xx. The original $uri is preserved across the internal redirect, so
+ # swift is queried for the exact same path. Reads only (write locations
+ # never route here), so no auth is needed: auth_request already ran on the
+ # way in.
+ location @swift_fallback {
+ internal;
+ proxy_pass http://registry-swift;
+ include /etc/nginx/registry-nginx-proxy-common.conf;
+ }
+
+
# Below are a number of internal locations used by auth_request to route
# to either basic auth or JSON Web Token auth based on the value of
# $auth_type (see the geo and map directives at the top). Note it would be