Bug 1248095
Summary: | [docs] OSE 3.0 administrator guide: --insecure-registry value not explained | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Evgheni Dereveanchin <ederevea> |
Component: | Documentation | Assignee: | brice <bfallonf> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Vikram Goyal <vigoyal> |
Severity: | low | Docs Contact: | Vikram Goyal <vigoyal> |
Priority: | medium | ||
Version: | 3.0.0 | CC: | adellape, ederevea, jokerman, libra-onpremise-devel, mmccomas |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-09-23 23:09:07 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Evgheni Dereveanchin
2015-07-29 15:07:17 UTC
Just noted that there's "beta" in the URL but this is where this page redirects currently: https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/3.0/html/Administrator_Guide/index.html Evgheni, After finding more information, you're right, it's not correct to assume that that's the IP address field the reader will be using, so I've added a note box indicating they might need to change it. I've also added a link to the section of the docs about securing a docker registry. You can see the work in this PR: https://github.com/openshift/openshift-docs/pull/907 If there's anything else for this BZ, or if it's not exactly what you meant, please let me know. Thank you. That's all I wanted: to avoid any possible confusion. 172.30.0.0/16 is the default servicesSubnet as defined in a default master config file: https://github.com/openshift/openshift-docs/blame/master/admin_guide/master_node_configuration.adoc#L187 https://github.com/openshift/origin/blob/master/pkg/cmd/server/api/v1/types.go#L591 So when the integrated registry is deployed, the service will use that subnet. By following the prereqs as shown and setting --insecure-registry in the docker config to 172.30.0.0/16, we can be sure the integrated registry (which is insecure by default) will be trusted and usable. The integrated registry can later be secured (post-deployment) per the following steps, which includes instructions on removing --insecure-registry for this subnet at that time: https://docs.openshift.com/enterprise/3.0/admin_guide/install/docker_registry.html#securing-the-registry So basically --insecure-registry should match servicesSubnet (as long as the registry is insecure). serviceSubnet can be set during an advanced install using the openshift_master_portal_net variable[1] in the inventory file. Or it can be manually changed later, but if it changes, --insecure-registry should be changed on all hosts to match. The sample-app README[2] mentions the following: "These instructions assume you have not changed the kubernetes/openshift service subnet configuration from the default value of 172.30.0.0/16." We could include a similar sentiment in the prereq section and at that point include some context/link between --insecure-registry and servicesSubnet / openshift_master_portal_net info (which would be net-new content somewhere). [1] https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/tasks/main.yml#L45 [2] https://github.com/openshift/origin/tree/master/examples/sample-app#docker-changes Alex, thanks for the extra info. I tried to incorporate that into the PR. Let me know if the information was translated badly: https://github.com/openshift/openshift-docs/pull/907 Evgheni, Alex, thanks. Docs PR merged. |