cache docker + squid vm ou externe

2023-03-02 16:48:10 +01:00
parent 4c1e7bde33
commit aa3c77c29a
4 changed files with 59 additions and 20 deletions
--- a/files/customVM.sh.dist
+++ b/files/customVM.sh.dist
@ -1,14 +1,42 @@
 #!/bin/bash

-# Upstream proxy
-echo "cache_peer 192.168.0.121 parent 3128 0 no-query default
-acl all src 0.0.0.0/0.0.0.0
-http_access allow all
-never_direct allow all" >> /etc/squid/squid.conf
+PROXY="192.168.0.121:3128"
+REGISTRY="192.168.0.121:5000"

-service squid restart
+# Pour le proxy http/https (https sans cache) avec iptables
+cat >> /etc/rc.local <<EOF
+#!/bin/sh
+PROXY=${PROXY}
+iptables -t nat -A PREROUTING -p tcp -m tcp --dport 3142 -j DNAT --to \${PROXY}
+iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3142 -j DNAT --to \${PROXY}
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+EOF
+chmod +x /etc/rc.local
+echo "net.ipv4.conf.eth0.route_localnet=1" >> /etc/sysctl.conf
+sysctl -p
+# fin proxy

+# Pour le cache docker
+cat >> /etc/rc.local <<EOF
+REGISTRY=${REGISTRY}
+iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5000 -j DNAT --to \${REGISTRY}
+EOF
+# fin cache docker
+
+
+bash /etc/rc.local

 # Un peu de customisation
 DEBIAN_FRONTEND=noninteractive apt-get install -y vim rsync
 rsync -a /vagrant/files/.emacs* /root/
+
+
+###
+# Une autre façon de router vers un autre proxy http/https upstream, si on veut que la VM fasse le cache
+###
+# Pour le proxy http/https (https sans cache) avec squid config
+#echo "cache_peer $(cut -d':' -f1 <<< $PROXY) parent $(cut -d':' -f2 <<< $PROXY) 0 no-query default
+#acl all src 0.0.0.0/0.0.0.0
+#http_access allow all
+#never_direct allow all" >> /etc/squid/squid.conf
+#service squid restart
--- a/files/snster-kaz/kaz/prod/provision.sh
+++ b/files/snster-kaz/kaz/prod/provision.sh
@ -66,6 +66,8 @@ proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
 sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh
 #echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh
 #echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh
+
+# Proxy pour les environnements durant les dockerbuilds
 mkdir /root/.docker
 echo "{
 \"proxies\":
@ -74,15 +76,18 @@ echo "{
   {
     \"httpProxy\": \"http://$proxy:3142\",
     \"httpsProxy\": \"http://$proxy:3142\",
-     \"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10\"
+     \"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
   }
 }
 }" > /root/.docker/config.json
-echo "http_proxy=\"http://$proxy:3142\"
-https_proxy=\"http://$proxy:3142\"
-" >> /etc/default/docker

-# On active btrfs+proxy pour docker
+# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub
+# echo "http_proxy=\"http://$proxy:3142\"
+# https_proxy=\"http://$proxy:3142\"
+# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
+# " >> /etc/default/docker
+
+# On active btrfs+registry miroir pour docker
 cat >> /etc/docker/daemon.json <<EOF
 { "storage-driver": "btrfs",
 "registry-mirrors": ["http://$proxy:5000"] }
--- a/files/vm-provision.sh
+++ b/files/vm-provision.sh
@ -228,3 +228,6 @@ reboot
 # ssl_bump server-first all
 # ssl_bump stare all
 # sslproxy_cert_error deny all
+# refresh_pattern -i (/blobs/sha256)     1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
+# refresh_pattern -i (/images/sha256)    1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
+# refresh_pattern -i (/manifests/)       1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims