Setup a caching proxy for Docker Hub

Author: sio

TODO.md

@@ -12,12 +12,9 @@ progress of longer tasks.
 
 - Deploy fleet manager to home server
 
-
+<!--
 ## Medium priority: quality of life
-
-**deploy/**
-
-- Deal with DockerHub rate limits: set up Docker proxy on the gateway?
+-->
 
 
 ## Low priority: nice to have

build/template/gateway.yml

@@ -33,6 +33,19 @@
     caddy_config: /etc/caddy/Caddyfile
     firewall_auto_config: no
   tasks:
+    - name: create systemd service for Docker Hub proxy
+      template:
+        src: /etc/provision/gateway/dockerhub.service
+        dest: /etc/systemd/system/dockerhub.service
+        mode: '0644'
+        owner: root
+    - name: enable systemd service for Docker Hub proxy
+      systemd:
+        name: dockerhub.service
+        enabled: yes
+        state: started
+        daemon_reload: yes
+
     # HTTP reverse proxy (Caddy)
     #   nginx is too quirky with dynamic reverse proxy destinations:
     #   - requires static resolver IP

build/template/gateway/dockerhub.service

@@ -0,0 +1,38 @@
+# I know that systemd service will own only docker client process, not the
+# container process itself.
+#
+# Typically this is less than ideal (and this is where alternative tools like
+# Podman truly shine) but for current usecase it's acceptable. Gateway is not
+# expected to live long (it will be destroyed if there were no CI jobs within
+# last hour) and there is only a slight chance that we will encounter a
+# failure not handled either by systemd or by docker in that short time.
+
+[Unit]
+Description=Docker Hub caching proxy
+After=docker.service
+Requires=docker.service
+
+[Service]
+Environment=REMOTE_IMAGE=registry:2
+Environment=LOCAL_CONTAINER=dockerhub
+Environment=LOCAL_USER=1912:1954
+Environment=LOCAL_STORAGE=/dockerhub
+ExecStop=-/usr/bin/docker stop ${LOCAL_CONTAINER}
+ExecStop=-/usr/bin/docker rm ${LOCAL_CONTAINER}
+ExecStartPre=/bin/mkdir -p ${LOCAL_STORAGE}
+ExecStartPre=/bin/chown -R ${LOCAL_USER} ${LOCAL_STORAGE}
+ExecStartPre=-/usr/bin/docker stop ${LOCAL_CONTAINER}
+ExecStartPre=-/usr/bin/docker rm ${LOCAL_CONTAINER}
+ExecStart=/usr/bin/docker run \
+    --name ${LOCAL_CONTAINER} \
+    --env REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io \
+    --volume ${LOCAL_STORAGE}:/var/lib/registry \
+    --publish {{ inner_ip }}:5000:5000 \
+    --user ${LOCAL_USER} \
+    --restart unless-stopped \
+    ${REMOTE_IMAGE}
+TimeoutStartSec=0
+Restart=always
+
+[Install]
+WantedBy=default.target

build/template/runner.yml

@@ -53,6 +53,8 @@
         vars:
           new:
             storage-driver: overlay2
+            registry-mirrors:
+              - 'http://{{ gateway_ip }}:5000'
           old: '{{ docker_config.content|b64decode|from_json }}'
         copy:
           content: |

deploy/cloud-config/gateway.yml

@@ -9,6 +9,7 @@ write_files:
         hosts:
           localhost:
             inner_subnet: ${inner_subnet}
+            inner_ip: ${inner_ip}
 
 runcmd:
   - /usr/bin/make -C /etc/provision gateway

deploy/cloud-config/runner.yml

@@ -11,6 +11,7 @@ write_files:
       all:
         hosts:
           localhost:
+            gateway_ip: ${gateway_ip}
             gitlab_runner_token: ${gitlab_runner_token}
             gitlab_runner_tag: ${gitlab_runner_tag}
 

deploy/servers.tf

@@ -16,7 +16,7 @@ resource "yandex_compute_instance" "gateway" {
     auto_delete = true
     initialize_params {
       image_id = yandex_compute_image.base[0].id
-      size     = 10
+      size     = 25
     }
   }
   network_interface {
@@ -31,6 +31,7 @@ resource "yandex_compute_instance" "gateway" {
     serial-port-enable = 1
     user-data = templatefile("cloud-config/gateway.yml", {
       inner_subnet = var.inner_cidr[0],
+      inner_ip     = local.gateway_ip,
     })
   }
 }
@@ -64,6 +65,7 @@ resource "yandex_compute_instance" "runner" {
   metadata = {
     serial-port-enable = 1
     user-data = templatefile("cloud-config/runner.yml", {
+      gateway_ip          = local.gateway_ip,
       gitlab_runner_tag   = var.gitlab_runner_tag,
       gitlab_runner_token = var.gitlab_runner_token,
     })