Re: [atomic-devel] Is running a registry part of the Atomic pattern?

[Haïkel <hguemar fedoraproject org>]

2014-10-03 20:32 GMT+02:00 Colin Walters <walters verbum org>:
> This is an open question in my mind, asking here to start a discussion.
>
> To what degree is having a Docker registry part of the "Atomic pattern"
> that can be applied to a distribution?
>
> The Atomic Host comes from the distribution - it's built from the
> distribution's component parts.
>
> However, as we talk about things that might be part of the host, or
> might be privileged containers (like sosreport), I feel a bit of a pull
> towards the host for trust reasons.  My feelings on the Hub are a bit
> nuanced and I won't go into detail here, but basically if a distribution
> had a registry, it would be possible to ship distribution-specific
> "associated tools" with an Atomic Host as containers.
>

There are multiple considerations:
1. From Fedora perspective, we constantly looked to own our
infrastructure and not rely on third-party
2. We don't control Docker Hub content, so not providing our own
registry could be considered by users as an "official" blessing from
whatever comes from Docker Hub.
3. Strategically, I'd like to tie Atomic to the existing Fedora/CentOS
ecosystem, I don't want people pulling Foo images based on
non-Fedora/CentOS images or not using our official packages (which
means NO support from us)

One could think of our own registry like Fedora blessed repositories
and Docker Hub as the rpmfusion equivalent.
That doesn't prevent users to get applications from the hub but we'd
prefer that they use our own.

> At the moment, neither Fedora nor CentOS (to my knowledge) have
> registries.  Particularly as we get towards privileged containers that
> *do* have some level of host dependency, I'd like to be able to say:
> "Oh, you need sosreport?  docker pull centos.org/sosreport7" - and to
> know that that version of sosreport works with that host.
>

You're right and as part of both Fedora/Centos Cloud SIG, I think this
could be one of our first joint effort.
1. we could share a single registry
2. we could even share containers (less duplication !)
I guess that nobody wants to shake off more collaboration between our
sister distros so it's something we could work off.

Regards,
H.

> Beyond the privileged container angle, if it was part of the pattern for
> distributions to come with registries, this helps keep the trust
> boundary.  Not everyone is going to trust all content on the Hub, but if
> the images provided by the distribution (and kept to the same level of
> rigor, e.g. built from known package components which in turn were built
> from known source code), it would keep the same trust level.
>
> Thoughts?
>