Additional container registry mirror [Was: Re: Sunsetting the Docker `openwrtorg` org (not `openwrt` org)]

Petr Štetiar ynezz at true.cz
Sat Apr 15 01:19:01 PDT 2023


Paul Spooren <mail at aparcar.org> [2023-04-15 02:02:24]:

Hi,

> I’d simply disable it instead of no longer updating it, any other opinions?

fine with me, thanks for taking care. I would simply announce it in several
places, that there is a plan to sunset that namespace in 3-6 months, thus
being nice and giving everyone some time to adjust their workflows.

BTW I've recently experienced the following from a Hetzner.de ephemeral VPS in
their Helsinki DC with an IP address within AS24940:

 WARNING: Failed to pull image with policy "if-not-present": Error response
 from daemon: error parsing HTTP 403 response body: invalid character '<'
 looking for beginning of value: "<html><body><h1>403 Forbidden</h1>\nSince
 Docker is a US company, we must comply with US export control regulations. In
 an effort to comply with these, we now block all IP addresses that are located
 in Cuba, Iran, North Korea, Republic of Crimea, Sudan, and Syria. If you are
 not in one of these cities, countries, or regions and are blocked, please
 reach out to https://hub.docker.com/support/contact/\n</body></html>\n"
 (manager.go:237:1s)

From docker.com support I've got a response that they're using the maxmind.com
service for this purpose and that Hetzner.de should fix that, but they don't
fully understand the situation and/or don't care.

Anyway, I'm seeing more and more such issues recently with Cloudflare/GCP/AWS
as well, probably using a similar IP flagging service, so perhaps we should
consider using some additional container registry as a backup/mirror? So if
the pull from one registry doesn't work, then folks could try a different one.

I've not done any prior research about all viable options yet, but so far
quay.io looks like my favorite option. Any objections/ideas?

Cheers,

Petr
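
Added example, not part of the original message and not OpenWrt's own tooling:
the fallback suggested above as a shell function that tries each registry in
order and reports when a failure is the geo-block 403 quoted in the message.
The registry list passed in, the image name and the PULL_CMD override are
assumptions made for the example.

```shell
#!/bin/sh
# Added example: pull an image from the first registry that answers, and tell
# the geo-block 403 quoted in the message apart from other pull failures.

# Command used to pull. Overridable (assumption) so the logic can be exercised
# without a Docker daemon, e.g. PULL_CMD="podman pull".
PULL_CMD="${PULL_CMD:-docker pull}"

# classify_pull_error TEXT
# Prints: geo-block | forbidden | other
classify_pull_error() {
    case "$1" in
        # The Docker Hub block page is an HTML 403 mentioning export control.
        *403*"export control"*) echo geo-block ;;
        *403*)                  echo forbidden ;;
        *)                      echo other ;;
    esac
}

# pull_with_fallback IMAGE REGISTRY...
# Tries REGISTRY/IMAGE for each registry in order. Prints the reference that
# was pulled on stdout; per-registry failures are reported on stderr.
pull_with_fallback() {
    image="$1"; shift
    for registry in "$@"; do
        ref="$registry/$image"
        if out=$($PULL_CMD "$ref" 2>&1); then
            echo "$ref"
            return 0
        fi
        reason=$(classify_pull_error "$out")
        echo "pull of $ref failed ($reason), trying next registry" >&2
    done
    echo "no registry could serve $image" >&2
    return 1
}

# Usage (placeholder namespace and tag):
#   pull_with_fallback NAMESPACE/IMAGE:TAG docker.io quay.io
```

Passing the image pinned by digest (name@sha256:...) makes every registry in
the list resolve to the same content.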