Merge "Add option to force docker.io addresses to IPv4"

2025-03-11 22:34:14 +00:00 · 2025-03-11 22:34:14 +00:00 · b6ca515cff
commit b6ca515cff
parent a6cb2ac72c 7dfa6006e5
4 changed files with 34 additions and 0 deletions
--- a/playbooks/roles/install-docker/README.rst
+++ b/playbooks/roles/install-docker/README.rst
@ -25,3 +25,15 @@ such as:
   Which update channel to use for upstream docker. The two choices are
   ``stable``, which is the default and updates quarterly, and ``edge``
   which updates monthly.
+
+.. zuul:rolevar:: force_docker_io_ipv4
+   :default: False
+
+   Force all communication to docker.io over IPv4.  We do this as rate-limiting
+   is per IPv4 address as opposed to a /64 with IPv6.
+
+.. zuul:rolevar:: docker_registry_hostlist
+   :default: ['registry-1.docker.io', 'docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com', 'docker.io']
+
+   List of hosts to query for IPv4 addresses and add to /etc/hosts.  Used when
+   ``force_docker_io_ipv4`` is ``True``
--- a/playbooks/roles/install-docker/defaults/main.yaml
+++ b/playbooks/roles/install-docker/defaults/main.yaml
@ -1,3 +1,9 @@
 use_upstream_docker: True
 docker_update_channel: stable
 with_python_compose: True
+force_docker_io_ipv4: False
+# Taken from: https://docs.docker.com/desktop/setup/allow-list/
+docker_registry_hostlist:
+- registry-1.docker.io
+- docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
+- docker.io
--- a/playbooks/roles/install-docker/tasks/main.yaml
+++ b/playbooks/roles/install-docker/tasks/main.yaml
@ -36,3 +36,18 @@
    name: logrotate
  vars:
    logrotate_file_name: '/var/log/containers/*.log'
+
+- name: Force registry actions for docker over IPv4
+  block:
+  - name: Resolve IPv4 Addresses for Docker resources
+    shell: for domain in {{ docker_registry_hostlist|join(' ') }} ; do host -t a "$domain" ; done
+    register: docker_io_dns
+
+  - name: Update to /etc/hosts according to force_docker_io_ipv4
+    lineinfile:
+      path: /etc/hosts
+      line: "{{ (item|split(' '))[-1] }}\t{{ (item|split(' '))[0] }}"
+      mode: "0644"
+      state: "present"
+    loop: "{{ docker_io_dns.stdout_lines }}"
+  when: force_docker_io_ipv4|bool
--- a/playbooks/zuul/templates/group_vars/all.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/all.yaml.j2
@ -8,6 +8,7 @@ bastion_ipv4: {{ bastion_ipv4 }}
 bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
+force_docker_io_ipv4: true
 iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
 iptables_egress_rules:
  - -o lo -j ACCEPT