Excerpts from Sam Yaple's message of 2017-05-16 14:11:18 +0000:
> I would like to bring up a subject that hasn't really been discussed in
> this thread yet, forgive me if I missed an email mentioning this.
>
> What I personally would like to see is a publishing infrastructure to allow
> pushing built images to an internal infra mirror/repo/registry for
> consumption of internal infra jobs (deployment tools like kolla-ansible and
> openstack-ansible). The images built from infra mirrors with security
> turned off are perfect for testing internally to infra.
>
> If you build images properly in infra, then you will have an image that is
> not security checked (no gpg verification of packages) and completely
> unverifiable. These are absolutely not images we want to push to
> DockerHub/quay for obvious reasons. Security and verification being chief
> among them. They are absolutely not images that should ever be run in
> production and are only suited for testing. These are the only types of
> images that can come out of infra.
>
> Thanks,
> SamYaple

This sounds like an implementation detail of option 3? I think not signing
the images does help indicate that they're not meant to be used in
production environments.

Is some sort of self-hosted solution a reasonable compromise between
building images in test jobs (which I understand makes them take extra
time) and publishing images to public registries (which is the thing I
object to)?

If self-hosting is reasonable, then we can work out which tool to use to
do it as a second question.

Doug

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev