Joe is relatively new to his job. He has been contributing to a new service in the Flubber project and was asked to create a container for it. His container integrates with the "Bounce" service. He's been pulling the flubber/bounce image anonomously from an internal Docker registry but didn't know anything else about the registry. He tried to push to the registry the image he was working on but got 401 Unauthorized. Curious, he loaded the registry URL in the browser and was redirected to a login page. His corporate single sign-on credentials worked!
He browsed a huge, flat list of images but it was too big to sort through. He noticed a filter field and typed "flu". A dynamic list of all of the "flubber" images was displayed. He clicked the Flubber project link and noticed a list of project admins. He recognized Amy's name and sent her an email asking how to get his image pushed into the registry.
While he waited to hear back from Amy he decided to try creating his own project to put his work in progress. It said there were no images in his project so he selected "Create image". He noticed he could select checkboxes for "hidden" and "private". The "what's this?" context help caused him to choose "hidden" so it wouldn't be displayed in a list to all the other developers--it was a "work in progress". He didn't select "private" since he wanted his team lead or anyone else to be able to pull the image and try it out.
With the project and image created using the web UI, he tried to push the image he build on his laptop. Again, 401 Unauthorized. He suspected he needed to login. Back in the web UI he eventually clicked his username in the upper right corner of the UI. There he found a command displayed, docker login -u 5e7t18x6y0 -p 5e7t18x6y0 registry.acmecorp.com. He pasted that into the terminal and retried the docker push. Success! Back in the web UI he saw his image now had a tag associated with it. He assumed since he marked the image "hidden" that only he could see it listed.
Amy replied to his email. As one of the admins of Project Flubber she was able to create the image Joe requested. For this project namespace she wasn't going to grant any users access to push from their laptop. She explained how all release candidate images needed to be build with their automated build service that had gates for testing. In her email she cc'd Sally, who maintains automation, and asked her to set up a Jenkins job to build Joe's image using the service account token that she sent to Sally in a private message.
Any is a technical lead and one of the maintainers of the Flubber codebase. She values clarity for her team through technical process so she doesn't have to maintain process documents that go out of date and explain things over and over again. Before the registry was made available to her team she was always dealing with communication and process issues:
- Where can I get the latest build of Flubber images?
- Where can I get the released images to test what customers have installed?
- The build is broken again because someone pushed an image from their laptop. Can you delete it?
- I saw in a demo someone using an image named
joe/bounce. Is that the "official" Flubber Bounce service? How can I tell?
Automation, registry role-based access control and self service has greatly improved the situation.