alvistack / ansible-role-podman

Ansible Role for Podman Installation
Apache License 2.0

default registries.conf unusable #14

Closed hmoffatt closed 1 year ago

hmoffatt commented 1 year ago

This bug is about the podman packaging rather than the role, but I think you told me previously it was ok to report these issues here. If not please feel free to move it.

In containers-common you have a /etc/containers/registries.conf which is taken from tests/registries.conf in the source tree. I think it is only useful for the podman unit testing, not general use, because there is no way to pull directly from docker.io.

  1. it maps docker.io/library to quay.io/libpod, but that mirror is incomplete (e.g. there is no quay.io/libpod/debian:bullseye, only :latest)
  2. it maps the rest of docker.io to mirror.gcr.io, but that mirror is also incomplete (e.g. docker.io/hairyhenderson/gomplate:stable fails to pull)

I think the default end user containers.conf is intended to be the one from containers/image (https://github.com/containers/image/blob/main/registries.conf), which is 100% comments.

hswong3i commented 1 year ago

Umm... You are correct, and I don't feel good about my current default /etc/containers/registries.conf either.

BTW, besides 100% comments, at least I care about the docker.io rate limit. Sometimes I hit this in my client's production environment, which blocks my upgrade. As https://cloud.google.com/container-registry/docs/pulling-cached-images#pull suggests, if the cached image has expired from mirror.gcr.io, docker daemon / podman should be good enough to fetch it from the original docker.io.

As per https://github.com/alvistack/containers-common/blob/alvistack/v0.50.1/debian/rules#L17, my default /etc/containers/registries.conf is currently copied from tests/registries.conf. What do you think if I provide my own modified version of /etc/containers/registries.conf, which just enables mirroring with mirror.gcr.io?

hmoffatt commented 1 year ago

It looks like something like this is needed in registries.conf to implement the fallback:

[[registry]]
prefix="docker.io"
location="docker.io"
[[registry.mirror]]
location="mirror.gcr.io"

With this I can fetch for example docker.io/hairyhenderson/gomplate:stable which is on docker.io but not on mirror.gcr.io; podman --log-level=debug pull confirms it tries the mirror first.

I think it is a good idea to provide your own registries.conf with the mirror enabled. Thanks!

hswong3i commented 1 year ago

Give me some time, today https://build.opensuse.org/project/show/home:alvistack looks so laggy...

Your example looks good to me, I will update it afterward ;-)

hswong3i commented 1 year ago

@hmoffatt should be better now: https://github.com/alvistack/containers-common/commit/55dd865fb3e76a88ba7ae7a184f906ee83c2f664#diff-968a44bf11ad55a626a0d13a78ade8944ade3a36f53c7a3f985a9036cd64f5a5R79-R86

Please wait for the OBS package rebuild, and you may need to manually upgrade the installed package.

hswong3i commented 1 year ago

@hmoffatt my bad... Actually your suggested change has already been at https://github.com/alvistack/ansible-role-containers_common/blob/6f7266f419e1ed68d385d23473e89d320385acdb/templates/etc/containers/registries.conf.d/00-defaults.conf.j2 for a very long time...

Our root cause is just the containers-common packaging, which ships a default that does not really work if it is installed on its own, without the override provided by the above Ansible Role...

So I rolled back containers-common with https://github.com/alvistack/containers-common/commit/45acbfb7943e0b926065d967f1df4a62130927ca, with a 100% comment default as you originally suggested. For mirroring, let my Ansible Role provide the override ;-)

hmoffatt commented 1 year ago

Hmm I don't have that file 00-defaults.conf.j2 in my installation. I am using alvistack.podman 6.3.1 to install on Debian 11, and I have containers-common version 100:0.50.1-1. Do I need to use your alvistack.containers_common role as well?

hswong3i commented 1 year ago

Yes it is coming from alvistack.containers_common: https://github.com/alvistack/ansible-role-containers_common/blob/master/templates/etc/containers/registries.conf.d/00-defaults.conf.j2

With my original design, it should run as part of alvistack.podman molecule converge -s default: https://github.com/alvistack/ansible-role-podman/blob/master/molecule/default/converge.yml

hmoffatt commented 1 year ago

Oops, I've been running alvistack.podman from a playbook of my own and didn't realize your other roles existed. The dependencies on the packages mean that everything I've needed has been installed by apt anyway.

I prefer to have the dependencies automatically installed rather than manually installed anyway so that apt can autoremove them when no longer required.

hswong3i commented 1 year ago

At the deb/rpm packaging layer, I have already been actively referencing the official Debian/Fedora/Tumbleweed package dependency setup.

BTW it can't always work perfectly, so I have my Ansible Roles for DevOps layer management.

Our exact Ansible Role dependencies can be found in both ansible-galaxy-requirement.yml and the above molecule/default/converge.yml. This is also how our molecule test cases are triggered.

hmoffatt commented 1 year ago

I found your repository via this article here: https://computingforgeeks.com/how-to-install-podman-on-debian/

It has both Ansible and direct repository instructions. If the registries.conf fix was included in the packaging rather than the Ansible role then everyone would benefit. But either is fine for me. Thanks for the packages.

hswong3i commented 1 year ago

First of all, I have no responsibility for this article ;-)

At least I dogfood my own package and Ansible role with the following guideline:

That's why my containers-common now comes with a 100% comment default /etc/containers/registries.conf (even without Fedora-like customization), while my own mirroring tweaks go into the Ansible Role.