{"host": "registry2004.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2931, "only_in_self": [], "only_in_other": ["File[/etc/nginx/registry-nginx-common-cache-settings.conf]"], "resource_diffs": [{"resource": "Nginx::Site[registry]"}, {"resource": "File[/etc/nginx/sites-available/registry]", "content": "--- /etc/nginx/sites-available/registry.orig\n+++ /etc/nginx/sites-available/registry\n@@ -717,10 +717,15 @@\n       send_timeout                180;\n     }\n \n+    # Special handling location: MediaWiki private images.\n+    #\n+    # The \"restricted\" MediaWiki images contain private data\n+    # that we don't want to publish to the external Internet,\n+    # and they can be pushed only from deployment nodes\n+    # with special Basic Auth credentials.\n+    # It proxies to a dedicated Docker Distribution backend\n+    # and S3 Bucket.\n     location ~ ^/v2/restricted/.* {\n-      # Send all but GET/HEAD requests to @restricted_write location block below\n-      # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>\n-      # which explains and recommends this\n       error_page 418 = @restricted_write;\n       recursive_error_pages on;\n       if ($request_method !~ ^(GET|HEAD)$) {\n@@ -747,11 +752,21 @@\n       include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n+    # Special handling location: Machine Learning base images.\n+    #\n+    # The ML base images are pushed to the registry from a special\n+    # build node where there is enough GPU/CPU/Memory to compute\n+    # all the layers. It relies on a dedicated set of credentials\n+    # provided via Basic Auth.\n+    # It proxies to a dedicated Docker Distribution backend\n+    # and S3 Bucket.\n     location ~ ^/v2/ml/.* {\n-      # Send all but GET/HEAD requests to @ml location block below\n+      include /etc/nginx/registry-nginx-common-cache-settings.conf;\n+\n+      # Send all but GET/HEAD requests to @ml_write location block below\n       # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>\n       # which explains and recommends this\n-      error_page 418 = @ml;\n+      error_page 418 = @ml_write;\n       recursive_error_pages on;\n       if ($request_method !~ ^(GET|HEAD)$) {\n         return 418;\n@@ -765,7 +780,7 @@\n     }\n \n     # This block applies to POST/PUT/DELETE/etc. methods to /v2/ml/\n-    location @ml {\n+    location @ml_write {\n       # Only ml users can push images\n       auth_basic \"docker-registry ml\";\n       auth_basic_user_file /etc/nginx/ml-push.htpasswd;\n@@ -774,23 +789,17 @@\n       include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n-    # Capture the original request path here so we can pass it to\n-    # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd\n-    # otherwise lose track of it)\n+    # Catch-all location for all the Docker images.\n+    # Authorization can happen via Basic Auth or JWT token,\n+    # via the auth_request directives. The Docker images handled\n+    # in here can be pushed from anywhere allowed (Gitlab included).\n     location ~ ^/v2/(.*) {\n+      # Capture the original request path here so we can pass it to\n+      # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd\n+      # otherwise lose track of it).\n       set $auth_request_path $1;\n \n-      # Don't pollute edge caches with docker images.\n-      # Note an approach for CC: max-age=60 or 600 would gives us a small amount\n-      # of caching and protects us in big stormy scenarios. However we have CI\n-      # requiring really small reaction times for now, so avoid all caching.\n-      # Bug: T211719\n-      add_header 'Cache-Control' 'no-cache,must-revalidate' always;\n-      # Re-add Vary header as add_header directives are inherited from the\n-      # previous configuration level if and only if there are no add_header\n-      # directives defined on the current level.\n-      # http://nginx.org/en/docs/http/ngx_http_headers_module.html\n-      add_header 'Vary' 'Accept' always;\n+      include /etc/nginx/registry-nginx-common-cache-settings.conf;\n \n       auth_request /auth;\n       auth_request_set $auth_status $upstream_status;"}, {"resource": "File[/etc/nginx/registry-nginx-common-cache-settings.conf]", "parameters": "--- File[/etc/nginx/registry-nginx-common-cache-settings.conf].orig\n+++ File[/etc/nginx/registry-nginx-common-cache-settings.conf]\n\n+    before  => Service[nginx]\n+    group   => root\n+    source  => puppet:///modules/docker_registry/registry-nginx-common-cache-settings.conf\n+    require => Package[nginx]\n+    owner   => root\n+    ensure  => present\n+    mode    => 0444\n"}], "perc_changed": "0.14%"}, "core": {"total": 2931, "only_in_self": [], "only_in_other": ["File[/etc/nginx/registry-nginx-common-cache-settings.conf]"], "resource_diffs": [{"resource": "File[/etc/nginx/sites-available/registry]", "content": "--- /etc/nginx/sites-available/registry.orig\n+++ /etc/nginx/sites-available/registry\n@@ -717,10 +717,15 @@\n       send_timeout                180;\n     }\n \n+    # Special handling location: MediaWiki private images.\n+    #\n+    # The \"restricted\" MediaWiki images contain private data\n+    # that we don't want to publish to the external Internet,\n+    # and they can be pushed only from deployment nodes\n+    # with special Basic Auth credentials.\n+    # It proxies to a dedicated Docker Distribution backend\n+    # and S3 Bucket.\n     location ~ ^/v2/restricted/.* {\n-      # Send all but GET/HEAD requests to @restricted_write location block below\n-      # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>\n-      # which explains and recommends this\n       error_page 418 = @restricted_write;\n       recursive_error_pages on;\n       if ($request_method !~ ^(GET|HEAD)$) {\n@@ -747,11 +752,21 @@\n       include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n+    # Special handling location: Machine Learning base images.\n+    #\n+    # The ML base images are pushed to the registry from a special\n+    # build node where there is enough GPU/CPU/Memory to compute\n+    # all the layers. It relies on a dedicated set of credentials\n+    # provided via Basic Auth.\n+    # It proxies to a dedicated Docker Distribution backend\n+    # and S3 Bucket.\n     location ~ ^/v2/ml/.* {\n-      # Send all but GET/HEAD requests to @ml location block below\n+      include /etc/nginx/registry-nginx-common-cache-settings.conf;\n+\n+      # Send all but GET/HEAD requests to @ml_write location block below\n       # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>\n       # which explains and recommends this\n-      error_page 418 = @ml;\n+      error_page 418 = @ml_write;\n       recursive_error_pages on;\n       if ($request_method !~ ^(GET|HEAD)$) {\n         return 418;\n@@ -765,7 +780,7 @@\n     }\n \n     # This block applies to POST/PUT/DELETE/etc. methods to /v2/ml/\n-    location @ml {\n+    location @ml_write {\n       # Only ml users can push images\n       auth_basic \"docker-registry ml\";\n       auth_basic_user_file /etc/nginx/ml-push.htpasswd;\n@@ -774,23 +789,17 @@\n       include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n-    # Capture the original request path here so we can pass it to\n-    # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd\n-    # otherwise lose track of it)\n+    # Catch-all location for all the Docker images.\n+    # Authorization can happen via Basic Auth or JWT token,\n+    # via the auth_request directives. The Docker images handled\n+    # in here can be pushed from anywhere allowed (Gitlab included).\n     location ~ ^/v2/(.*) {\n+      # Capture the original request path here so we can pass it to\n+      # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd\n+      # otherwise lose track of it).\n       set $auth_request_path $1;\n \n-      # Don't pollute edge caches with docker images.\n-      # Note an approach for CC: max-age=60 or 600 would gives us a small amount\n-      # of caching and protects us in big stormy scenarios. However we have CI\n-      # requiring really small reaction times for now, so avoid all caching.\n-      # Bug: T211719\n-      add_header 'Cache-Control' 'no-cache,must-revalidate' always;\n-      # Re-add Vary header as add_header directives are inherited from the\n-      # previous configuration level if and only if there are no add_header\n-      # directives defined on the current level.\n-      # http://nginx.org/en/docs/http/ngx_http_headers_module.html\n-      add_header 'Vary' 'Accept' always;\n+      include /etc/nginx/registry-nginx-common-cache-settings.conf;\n \n       auth_request /auth;\n       auth_request_set $auth_status $upstream_status;"}], "perc_changed": "0.07%"}, "main": {"total": 2931, "only_in_self": [], "only_in_other": ["File[/etc/nginx/registry-nginx-common-cache-settings.conf]"], "resource_diffs": [{"resource": "Nginx::Site[registry]"}, {"resource": "File[/etc/nginx/sites-available/registry]", "content": "--- /etc/nginx/sites-available/registry.orig\n+++ /etc/nginx/sites-available/registry\n@@ -717,10 +717,15 @@\n       send_timeout                180;\n     }\n \n+    # Special handling location: MediaWiki private images.\n+    #\n+    # The \"restricted\" MediaWiki images contain private data\n+    # that we don't want to publish to the external Internet,\n+    # and they can be pushed only from deployment nodes\n+    # with special Basic Auth credentials.\n+    # It proxies to a dedicated Docker Distribution backend\n+    # and S3 Bucket.\n     location ~ ^/v2/restricted/.* {\n-      # Send all but GET/HEAD requests to @restricted_write location block below\n-      # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>\n-      # which explains and recommends this\n       error_page 418 = @restricted_write;\n       recursive_error_pages on;\n       if ($request_method !~ ^(GET|HEAD)$) {\n@@ -747,11 +752,21 @@\n       include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n+    # Special handling location: Machine Learning base images.\n+    #\n+    # The ML base images are pushed to the registry from a special\n+    # build node where there is enough GPU/CPU/Memory to compute\n+    # all the layers. It relies on a dedicated set of credentials\n+    # provided via Basic Auth.\n+    # It proxies to a dedicated Docker Distribution backend\n+    # and S3 Bucket.\n     location ~ ^/v2/ml/.* {\n-      # Send all but GET/HEAD requests to @ml location block below\n+      include /etc/nginx/registry-nginx-common-cache-settings.conf;\n+\n+      # Send all but GET/HEAD requests to @ml_write location block below\n       # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>\n       # which explains and recommends this\n-      error_page 418 = @ml;\n+      error_page 418 = @ml_write;\n       recursive_error_pages on;\n       if ($request_method !~ ^(GET|HEAD)$) {\n         return 418;\n@@ -765,7 +780,7 @@\n     }\n \n     # This block applies to POST/PUT/DELETE/etc. methods to /v2/ml/\n-    location @ml {\n+    location @ml_write {\n       # Only ml users can push images\n       auth_basic \"docker-registry ml\";\n       auth_basic_user_file /etc/nginx/ml-push.htpasswd;\n@@ -774,23 +789,17 @@\n       include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n-    # Capture the original request path here so we can pass it to\n-    # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd\n-    # otherwise lose track of it)\n+    # Catch-all location for all the Docker images.\n+    # Authorization can happen via Basic Auth or JWT token,\n+    # via the auth_request directives. The Docker images handled\n+    # in here can be pushed from anywhere allowed (Gitlab included).\n     location ~ ^/v2/(.*) {\n+      # Capture the original request path here so we can pass it to\n+      # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd\n+      # otherwise lose track of it).\n       set $auth_request_path $1;\n \n-      # Don't pollute edge caches with docker images.\n-      # Note an approach for CC: max-age=60 or 600 would gives us a small amount\n-      # of caching and protects us in big stormy scenarios. However we have CI\n-      # requiring really small reaction times for now, so avoid all caching.\n-      # Bug: T211719\n-      add_header 'Cache-Control' 'no-cache,must-revalidate' always;\n-      # Re-add Vary header as add_header directives are inherited from the\n-      # previous configuration level if and only if there are no add_header\n-      # directives defined on the current level.\n-      # http://nginx.org/en/docs/http/ngx_http_headers_module.html\n-      add_header 'Vary' 'Accept' always;\n+      include /etc/nginx/registry-nginx-common-cache-settings.conf;\n \n       auth_request /auth;\n       auth_request_set $auth_status $upstream_status;"}], "perc_changed": "0.10%"}}}