Cleanup on Aisle 3 - Help Welcome

Cleanup on Aisle 3 - Help Welcome

Why We've Been Quiet Lately

Since the start of 2019 we've been steadily working on improving our tech stack and documentation.

When we started digging in deeper to a web UI for deploying services we realized we needed to take a step back and think about how our Docker Registry and some of our infrastructure is implemented.

When you first view the registry browser you're greeted with a wall of projects broken down by architecture and it seems to scroll on forever. This isn't ideal for a lot of reasons. It's hard to read, difficult to decypher and it adds a bunch of edge cases to our documentation and running Docker containers. It does simplify a little bit of the build infrastructure but it's minimal simplification. We are at a net loss for maintainability with this approach.

Simplifying

The more we probed the web UI and registry approach the more we realized we need to simplify our approach and consolidate a LOT.

The first step was consolidating our Docker containers into single repos with tags based on architecture. Instead of immediately seeing arm32v7, arm64v8 everywhere you'll simply see arm. No more poking around for which architecture your board uses.

The second step was finding a way to ensure we can deliver architecture specific Docker Images to our users without them having to worry about which architecture they are running outside of initial setup. We've found a good way to support tags such that you can pull the tag and be delivered the appropriate Docker image for your architecture. No more finding the tag for your architecture, just pull the main tag and you've got what you need.

We've even managed to find a good piece of software that will let us manage our Docker Registry more easily, add vulnerability scanning, signed containers and more.

In short: we have a much better path forward that reduces the amount of minutae needed to run and maintain a Lollipop. It also reduces the amount of code, documentation and more we have to maintain as a project.

A Catch

There's a catch, though: we ran into a few different bugs and cannot implement the major gains this approach allows without greatly reducing accessibility and visibility. We can implement if we were comfortable removing anonymous browsing of our Docker Registry. We aren't comfortable removing anonymous browsing. From the outset, anonymous browsing of our Docker Registry has been a hard requirement.

This catch is a show stopper for us. We try very hard to use upstream projects as-is and contribute small code changes if necessary. Unfortunately this show stopper is likely going to be a bit more than simple code change(s).

Help Welcome

At the moment our main Docker Registry browser is generated by the reg tool (https://github.com/genuinetools/reg) and we have 2 bugs that we could use help addressing.

  • We need to find a way to get it access to the main Docker catalog. Our updated Docker Registry approach is causing it to have an authentication / access error and we could use some help sorting this out.
  • We are having a hard time getting reg to enumerate Manifest lists that exist in repos. Any time we add a Manifest list it gives errors about not being able to enumerate tags.

We are also working with Harbor (https://github.com/goharbor/harbor) for our new Registry deployment (it's in testing, don't worry, nothing public has changed) but it has 2 major problems presently

  • It allows anonymous users to search for public projects/repos but will not let them view the contents or details
  • There doesn't seem to be a way to setup the main page to avoid being prompted for login

We were hoping to leverage reg connected to Harbor to facilitate anonymous access while Harbor fixed their implementation (they have open tickets) but the other items with reg are blocking us from moving forward. Harbor will show logged in users all of the public projects/repos. We aren't comfortable asking our users to create an account just to browse our registry so we're in a bit of a difficult situation overall.

We are hoping to resolve these items, but could use help. If we can get reg updated a bit we can deploy both Harbor and reg to help improve things all around. Especially when it comes to documentation, setup and maintainability.

We plan to continue to improve Lollipop Cloud but progress will be slow until the above is resolved in a way that allows us to retain anonymous access to our registry while also moving forward with manifest lists, vulnerability scanning and container signing.