Merge pull request #3 from rpardini/master

feat(merge-upstream): merge upstream changes

Author: salanki

.github/workflows/master-latest.yaml

@@ -36,8 +36,8 @@ jobs:
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
-          username: ${{ secrets.DOCKER_GITHUB_USERNAME }}
-          password: ${{ secrets.DOCKER_GITHUB_PAT }}
+          username: ${{ github.repository_owner }} # github username or org
+          password: ${{ secrets.GITHUB_TOKEN }}    # github actions builtin token. repo has to have pkg access.
 
       # the arm64 is of course much slower due to qemu, so build and push amd64 **first**
       # due to the way manifests work, the gap between this and the complete push below

.github/workflows/tags.yaml

@@ -49,8 +49,8 @@ jobs:
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
-          username: ${{ secrets.DOCKER_GITHUB_USERNAME }}
-          password: ${{ secrets.DOCKER_GITHUB_PAT }}
+          username: ${{ github.repository_owner }} # github username or org
+          password: ${{ secrets.GITHUB_TOKEN }}    # github actions builtin token. repo has to have pkg access.
 
       # the arm64 is of course much slower due to qemu, so build and push amd64 **first**
       # due to the way manifests work, the gap between this and the complete push below

Docker-Desktop-Windows.md

@@ -0,0 +1,66 @@
+# Configure Docker Desktop on Windows to use the proxy and trust its certificate
+
+1. Let's say you set up the proxy on host `192.168.66.72`. Get the certificate using a browser (go to <http://192.168.66.72:3128/ca.crt>) and save it as a file (e.g., to `d:\ca.crt`)
+
+1. Add the certificate to Windows:
+
+   1. Double click the certificate
+   1. Chose to _Install certificate..._, then click _Next_
+   1. Chose _Current user_, then click _Next_
+   1. Select option _Place all certificates in the following store_, click _browse_, and select _Trusted Root Certification Authorities_
+   1. Proceed with Ok and confirm to install the certificate
+
+   If you are not using the WSL2 backend for Docker, then restart Docker Desktop and skip the next step.
+
+1. If you are using WSL2 for Docker, then you need to add the certificate to WSL too:
+
+   1. Open a terminal
+
+   1. Check the name of the WSL distribution:
+
+      ```
+      PS C:\> wsl --list
+      Windows Subsystem for Linux Distributions:
+      docker-desktop (Default)
+      docker-desktop-data
+      ```
+
+      The distribution we are looking for is _docker-desktop_. If you installed another distribution, such as Ubuntu, and configured Docker to use that, and proceed with that distribution instead.
+
+   1. Get a shell into WSL
+
+      ```
+      PS C:\> wsl --distribution docker-desktop
+      XXXYYYZZZ:/tmp/docker-desktop-root/mnt/host/c#
+      ```
+
+   1. Copy the certificate into WSL and import it
+
+      Note: The directory and the command below are for the _docker-desktop_ WSL distribution. On other systems you might need to tweak the commands a little, but they seem to be the same for [Ubuntu](https://www.pmichaels.net/2020/12/29/add-certificate-into-wsl/) and [Debian](https://github.com/microsoft/WSL/issues/3161#issue-320777324) as well.
+
+      ```
+      XXXYYYZZZ:/tmp/docker-desktop-root/mnt/host/c# cp /mnt/host/d/ca.crt /usr/local/share/ca-certificates/
+      XXXYYYZZZ:/tmp/docker-desktop-root/mnt/host/c# update-ca-certificates
+      WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
+      ```
+
+      Don't mind the warning, the operation still succeeded.
+
+   1. We are done with WSL, you can `exit` this shell
+
+1. Configure the proxy in Docker Desktop:
+
+   1. Open Docker Desktop settings
+   1. Go to _Resources/Proxies_
+   1. Enable the proxy and set `http://192.168.66.72:3128` as both the HTTP and HTTPS URL.
+
+1. Done. Verify that pulling works:
+
+   ```
+   # execute this in a Windows shell, not in WSL
+   docker pull hello-world
+   ```
+
+   You can check the logs of the proxy to confirm that it was used.
+
+   If pulling does not work and complains about not trusting the certificate then Docker and/or the WSL distribution might need a restart. You might try restarting Docker, or you can restart Windows too to force WSL to restart.

Dockerfile

@@ -1,7 +1,7 @@
 # We start from my nginx fork which includes the proxy-connect module from tEngine
 # Source is available at https://github.com/rpardini/nginx-proxy-connect-stable-alpine
 # This is already multi-arch!
-ARG BASE_IMAGE="docker.io/rpardini/nginx-proxy-connect-stable-alpine:nginx-1.18.0-alpine-3.12.1"
+ARG BASE_IMAGE="docker.io/rpardini/nginx-proxy-connect-stable-alpine:nginx-1.20.1-alpine-3.12.7"
 # Could be "-debug"
 ARG BASE_IMAGE_SUFFIX=""
 FROM ${BASE_IMAGE}${BASE_IMAGE_SUFFIX}
@@ -97,6 +97,11 @@ ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
 # Should we allow actions different than pull, default to false.
 ENV ALLOW_PUSH="false"
 
+# If push is allowed, buffering requests can cause issues on slow upstreams.
+# If you have trouble pushing, set this to false first, then fix remainig timouts.
+# Default is true to not change default behavior.
+ENV PROXY_REQUEST_BUFFERING="true"
+
 # Timeouts
 # ngx_http_core_module
 ENV SEND_TIMEOUT="60s"

README.md

@@ -87,6 +87,10 @@ for this to work it requires inserting a root CA certificate into system trusted
   - `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted.
 - Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`.
 - Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`.
+- Env `PROXY_REQUEST_BUFFERING`: If push is allowed, buffering requests can cause issues on slow upstreams.
+If you have trouble pushing, set this to `false` first, then fix remainig timeouts.
+Default is `true` to not change default behavior.
+ENV PROXY_REQUEST_BUFFERING="true"
 - Timeouts ENVS - all of them can pe specified to control different timeouts, and if not set, the defaults will be the ones from `Dockerfile`. The directives will be added into `http` block.:
   - SEND_TIMEOUT : see [send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout)
   - CLIENT_BODY_TIMEOUT : see [client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout)
@@ -176,6 +180,87 @@ docker run --rm --name docker_registry_proxy -it \
        rpardini/docker-registry-proxy:0.6.2
 ```
 
+### Kind Cluster
+
+[Kind](https://github.com/kubernetes-sigs/kind/) is a tool for running local Kubernetes clusters using Docker container “nodes”.
+
+Because cluster nodes are Docker containers, docker-registry-proxy needs to be in the same docker network.
+
+Example joining the _kind_ docker network and using hostname _docker-registry-proxy_ as hostname :
+
+```bash
+docker run --rm --name docker_registry_proxy -it \
+       --net kind --hostname docker-registry-proxy \
+       -p 0.0.0.0:3128:3128 -e ENABLE_MANIFEST_CACHE=true \
+       -v $(pwd)/docker_mirror_cache:/docker_mirror_cache \
+       -v $(pwd)/docker_mirror_certs:/ca \
+       rpardini/docker-registry-proxy:0.6.2
+```
+
+Now deploy your Kind cluster and then automatically configure the nodes with the following script :
+
+```bash
+#!/bin/sh
+KIND_NAME=${1-kind}
+SETUP_URL=http://docker-registry-proxy:3128/setup/systemd
+pids=""
+for NODE in $(kind get nodes --name "$KIND_NAME"); do
+  docker exec "$NODE" sh -c "\
+      curl $SETUP_URL \
+      | sed s/docker\.service/containerd\.service/g \
+      | sed '/Environment/ s/$/ \"NO_PROXY=127.0.0.0\/8,10.0.0.0\/8,172.16.0.0\/12,192.168.0.0\/16\"/' \
+      | bash" & pids="$pids $!" # Configure every node in background
+done
+wait $pids # Wait for all configurations to end
+```
+
+### K3D Cluster
+
+[K3d](https://k3d.io/) is similar to Kind but is based on k3s. In order to run with its registry you need to setup settings like shown below.
+
+```sh
+# docker-registry-proxy
+docker run -d --name registry-proxy --restart=always \
+-v /tmp/registry-proxy/mirror_cache:/docker_mirror_cache \
+-v /tmp/registry-proxy/certs:/ca \
+rpardini/docker-registry-proxy:0.6.4
+
+export PROXY_HOST=registry-proxy
+export PROXY_PORT=3128
+export NOPROXY_LIST="localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,.svc"
+
+cat <<EOF > /etc/k3d-proxy-config.yaml
+apiVersion: k3d.io/v1alpha3
+kind: Simple
+name: mycluster
+servers: 1
+agents: 0
+options:
+    k3d:
+       wait: true
+       timeout: "60s"
+    kubeconfig:
+       updateDefaultKubeconfig: true
+       switchCurrentContext: true
+env:
+  - envVar: HTTP_PROXY=http://$PROXY_HOST:$PROXY_PORT
+    nodeFilters:
+      - all
+  - envVar: HTTPS_PROXY=http://$PROXY_HOST:$PROXY_PORT
+    nodeFilters:
+      - all
+  - envVar: NO_PROXY='$NOPROXY_LIST'
+    nodeFilters:
+      - all
+volumes:
+  - volume: $REGISTRY_DIR/docker_mirror_certs/ca.crt:/etc/ssl/certs/registry-proxy-ca.pem
+    nodeFilters:
+      - all
+EOF
+
+k3d cluster create --config /etc/k3d-proxy-config.yaml
+```
+
 ## Configuring the Docker clients using Docker Desktop for Mac
 
 Separate instructions for Mac clients available in [this dedicated Doc Desktop for Mac document](Docker-for-Mac.md).
@@ -256,9 +341,9 @@ docker run --rm --name docker_registry_proxy -it
 - If you authenticate to a private registry and pull through the proxy, those images will be served to any client that can reach the proxy, even without authentication. *beware*
 - Repeat, **this will make your private images very public if you're not careful**.
 - ~~**Currently you cannot push images while using the proxy** which is a shame. PRs welcome.~~ **SEE `ALLOW_PUSH` ENV FROM USAGE SECTION.**
-- Setting this on Linux is relatively easy. 
-  - On Mac and Windows the CA-certificate part will be very different but should work in principle.
-  - Please send PRs with instructions for Windows and Mac if you succeed!
+- Setting this on Linux is relatively easy.
+  - On Mac follow the instructions [here](Docker-for-Mac.md).
+  - On Windows follow the instructions [here](Docker-Desktop-Windows.md).
 
 ### Why not use Docker's own registry, which has a mirror feature?
 
@@ -280,7 +365,7 @@ Yeah. Docker Inc should do it. So should NPM, Inc. Wonder why they don't. 😼
 ### TODO:
 
 - [x] Basic Docker-for-Mac set-up instructions
-- [ ] Basic Docker-for-Windows set-up instructions. 
+- [x] Basic Docker-for-Windows set-up instructions. 
 - [ ] Test and make auth work with quay.io, unfortunately I don't have access to it (_hint, hint, quay_)
 - [x] Hide the mitmproxy building code under a Docker build ARG.
 - [ ] "Developer Office" proxy scenario, where many developers on a fast LAN share a proxy for bandwidth and speed savings (already works for pulls, but messes up pushes, which developers tend to use a lot)

entrypoint.sh

@@ -254,6 +254,20 @@ echo -e "\nTimeout configs: ---"
 cat /etc/nginx/nginx.timeouts.config.conf
 echo -e "---\n"
 
+# Request buffering
+echo "" > /etc/nginx/proxy.request.buffering.conf
+if [[ "a${PROXY_REQUEST_BUFFERING}" == "afalse" ]]; then
+  cat << EOD > /etc/nginx/proxy.request.buffering.conf
+  proxy_max_temp_file_size 0;
+  proxy_request_buffering off;
+  proxy_http_version 1.1;
+EOD
+fi
+
+echo -e "\nRequest buffering: ---"
+cat /etc/nginx/proxy.request.buffering.conf
+echo -e "---\n"
+
 # Upstream SSL verification.
 echo "" > /etc/nginx/docker.verify.ssl.conf
 if [[ "a${VERIFY_SSL}" == "atrue" ]]; then

nginx.conf

@@ -227,6 +227,9 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
 
         proxy_read_timeout 900;
 
+        # Request buffering
+        include /etc/nginx/proxy.request.buffering.conf;
+
         # Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
         # will wait for the first to finish instead of doing multiple upstream requests.
         proxy_cache_lock on;