A stupid question, can one push a docker registry ...
# general
a
A stupid question, can one push a docker registry that's marked skip_push? There are images that engineers should not be able to push, but it would be nice to have them in the same repo, packaged in the same way.
h
I’ll let others speak to Pants capability, but would recommend you consider handling this at the registry with permissions controls. We do that with our artifact storage system so that only the proper people can store things; not just folks who happen to know the right commands.
a
I have permissions set on the repo, but I'd like the build not to fail to publish if I do `pants publish ::` from local.
I could just push that image manually from CI, but wondered if there were a neater way
c
if the config is in `pants.toml` you could override it in `pants.ci.toml`, for instance if you want to enable pushing from CI. If it’s in a BUILD file, you can leverage `env()`, something like `docker_image(skip_push=bool(int(env("MY_FLAG", "1"))))`
a
That's fair. I could overwrite the registry config in pants.ci.toml
Good shout!
c
actually, I think there’s env support for values in the `pants.toml` as well…
a
There is, but I found it a bit funky. The straight replacement is neater I think, easier to grok when I break it again
c
fair enough 🙂
h
> should not be able to push

I was going off this. Even with the solution above, the person who should not be able to push can easily inspect the build file and figure out how to push.
a
It was good advice!
I think I can't have two docker registries with the same address? That makes this hard again. https://github.com/bobthemighty/pants-docker-registry-collision shows the problem. I'd like for the image "should-push" to push, but the other image to not. If I change the address of the other registry, it works as expected, so I'm guessing the address is used to work out what to do with the images. I might go take a look at the docker backend to see if it's easily fixable.
```
17:16:30.90 [INFO] Completed: Building docker image 12345679123.dkr.ecr.us-east-1.amazonaws.com/no-push:latest
17:16:30.90 [INFO] Packaged no-push.docker-info.json
17:16:30.91 [INFO] Completed: Building docker image 12345679123.dkr.ecr.us-east-1.amazonaws.com/should-push-dev:latest
17:16:30.91 [INFO] Packaged should-push.docker-info.json

- 12345679123.dkr.ecr.us-east-1.amazonaws.com/no-push:latest skipped (by `skip_push` on registry @prod).
- 12345679123.dkr.ecr.us-east-1.amazonaws.com/should-push-dev:latest skipped (by `skip_push` on registry @prod).
```
Plausibly, I should use a target filter here instead.
Yep, that works - add a tag to the target, disable in pants.toml, re-enable in pants.ci.toml, use a single registry for both.
c
oh, there’s likely some assumption that the registry address is unique… don’t mind if there’s an issue filed for that.
a
Filed, but I think my use-case is better handled with a tag, because I don't actually want to build an image that I'm not going to use.