Content differences:
--- /etc/nginx/sites-available/registry.orig
+++ /etc/nginx/sites-available/registry
@@ -14,6 +14,7 @@
default upgrade;
'' close;
}
+
# Define a separate cache for the auth backends to mitigate subrequests for
@@ -47,6 +48,17 @@
HEAD "none";
OPTIONS "none";
default $auth_type_maybe;
+}
+
+# Decides whether a request that 404'd on registry-{ml,..} should be retried against
+# Swift (see @fallback). Layer existence checks (HEAD .../blobs/...) issued
+# during a push must NOT fall back: a Swift 200 would make the docker client
+# skip uploading the layer to registry-{ml,..}, and the subsequent manifest PUT
+# would then fail with MANIFEST_BLOB_UNKNOWN.
+# Those must see registry-{ml,..}'s real 404 so the layer gets uploaded to S3.
+map "$request_method:$uri" $skip_fallback {
+ default 0;
+ "~^HEAD:/v2/.*/blobs/" 1;
}
# To get auth_basic working in the context of an auth_request, the latter
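Review bot: The new `map` comment should state which variable the key is built from and where the result is consumed, because `$skip_fallback` is only read inside `@fallback`, hundreds of lines further down; e.g. `# Keyed on $uri (the normalized, percent-decoded path), so encoded variants of .../blobs/ are still matched; consumed only by @fallback.` The `registry-{ml,..}` shorthand in the comment is ambiguous about which upstreams it covers, so naming them would help the next reader. Since only HEAD is exempted, a GET on a blob that 404s on registry-ml is still replayed against Swift; that looks intended for pulls but is worth stating explicitly next to the regex.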
@@ -799,6 +811,79 @@
include /etc/nginx/registry-nginx-common-proxy-settings.conf;
}
+ # Special handling location: Machine Learning service images
+ # These images are different from the base ones since they are built and pushed
+ # via Blubber/Gitlab, without requiring special permissions.
+ #
+ # MIGRATION IN PROGRESS:
+ # - Write requests are directed towards the ML S3 bucket (registry-ml).
+ # - Read requests are attempted against registry-ml first, and if a HTTP 404
+ # is returned, registry-swift is used as a fallback.
+ # TODO: remove the fallback (and route writes straight here) once all read
+ # and write traffic goes towards the ML S3 bucket.
+ location ~ ^/v2/(wikimedia/machine-learning-.*) {
+ # Capture the original request path here so we can pass it to
+ # jwt-authorizer in /auth/jwt (the use of rewrite in /auth means we'd
+ # otherwise lose track of it).
+ set $auth_request_path $1;
+
+ include /etc/nginx/registry-nginx-common-cache-settings.conf;
+
+ # Send all but GET/HEAD requests to @ml_service_write below. This keeps the
+ # 404 -> Swift fallback (set up at the bottom of this block) on the read
+ # path only: we never want a write to be replayed against Swift.
+ # See <https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/>
+ # which explains and recommends this.
+ error_page 418 = @ml_service_write;
+ recursive_error_pages on;
+ if ($request_method !~ ^(GET|HEAD)$) {
+ return 418;
+ }
+
+ # This covers GET/HEAD requests to /v2/wikimedia/machine-learning-*
+ auth_request /auth;
+ auth_request_set $auth_status $upstream_status;
+
+ proxy_pass http://registry-ml;
+ include /etc/nginx/registry-nginx-common-proxy-settings.conf;
+
+ # If registry-ml returns a 404 for a read, fall back to Swift.
+ proxy_intercept_errors on;
+ error_page 404 = @fallback;
+ }
+
+ # This block applies to POST/PUT/DELETE/etc. methods to
+ # /v2/wikimedia/machine-learning-*. Writes go straight to registry-ml with
+ # no Swift fallback.
+ location @ml_service_write {
+ auth_request /auth;
+ auth_request_set $auth_status $upstream_status;
+
+ proxy_pass http://registry-ml;
+ include /etc/nginx/registry-nginx-common-proxy-settings.conf;
+ }
+
+ # Special location block: fallback reads to Swift.
+ # This block is meant to be referenced by other blocks with
+ # the 'error_page 404' directive. If a read fails on S3, nginx
+ # falls back to Swift before returning to the client.
+ location @fallback {
+ internal;
+
+ # Push-time layer existence checks (HEAD .../blobs/...) must see the real
+ # 404 from registry-ml rather than a Swift hit, otherwise the client skips
+ # uploading the layer and the manifest PUT to registry-{ml,..} fails. See the
+ # $skip_fallback map above.
+ if ($skip_fallback) {
+ return 404;
+ }
+
+ access_log /var/log/nginx/access_swift_fallback.log upstream_time;
+
+ proxy_pass http://registry-swift;
+ include /etc/nginx/registry-nginx-common-proxy-settings.conf;
+ }
+
# Catch-all location for all the Docker images.
# Authorization can happen via Basic Auth or JWT token,
# via the auth_request directives. The Docker images handled
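Review bot: `@fallback` performs no `auth_request` of its own, so access control for the Swift replay rests entirely on the referring location having authorized the request before its `proxy_pass` produced the 404; `internal;` keeps the block unreachable from clients, but the comment inviting reuse from "other blocks" should state that precondition, e.g. `# Precondition: referring locations must run auth_request before proxy_pass; this block does not re-check authorization.` Conversely `@ml_service_write` does need its own `auth_request`, because the `return 418` in the `if` fires in the rewrite phase before the referring location's `auth_request` (access phase) ever runs, and a short comment saying so would stop someone removing it as redundant. `recursive_error_pages on` appears unused here, since the 418 and 404 redirects lie on disjoint paths and neither named location declares a further `error_page`, but confirm against the full server block before dropping it. The enclosing server block starts and ends outside this hunk.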
@@ -843,7 +928,6 @@
allow 127.0.0.1/32;
deny all;
}
-
}
# Below are a number of internal locations used by auth_request to route