Bug 1331191

Summary: Provide support for public docker registries
Product: OpenShift Container Platform
Reporter: Stefanie Forrester <dakini>
Component: RFE
Assignee: Alexey Gladkov <agladkov>
Status: CLOSED CURRENTRELEASE
QA Contact: zhou ying <yinzhou>
Severity: medium
Priority: unspecified
Version: 3.2.0
CC: akostadi, aos-bugs, dakini, haowang, jliggitt, jmatthew, jokerman, maszulik, mfojtik, miminar, mmccomas, pweil
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-09-28 16:59:56 UTC
Type: Bug
Bug Blocks: 1303130

Description Stefanie Forrester 2016-04-28 00:11:38 UTC
Description of problem:

In certain scenarios like INT/STG testing, QE and Ops need the ability to make the registry (or even just certain projects) world-readable and therefore available for public pulls.

Additional info:

I've tried the following in an attempt to open the registry up publicly. But it hasn't had the intended effect:

oc policy add-role-to-group registry-viewer system:unauthenticated

Is there maybe some additional configuration that needs to happen for the registry-viewer role to be applied to unauthenticated users?

Comment 2 Maciej Szulik 2016-04-28 11:37:28 UTC
I'm not sure we allow access at all to any kind of resources for unauthenticated users. David or Jordan may know that, guys?

Comment 5 Alexey Gladkov 2016-08-04 09:26:19 UTC
We need to backport https://github.com/openshift/origin/pull/9887 for that.

Comment 6 Stefanie Forrester 2016-08-04 14:55:32 UTC
Ops was able to work around this by deploying an apache frontend pod to provide the authentication for pulls. So we have a publicly-readable docker registry now, using the ose-docker-registry pod as the backend. So we no longer need this functionality from the builtin registry. Thanks,

Comment 7 Stefanie Forrester 2016-08-04 14:57:11 UTC
I mean the authentication for *pushes, sorry. Pulls require no authentication on Ops's registry app.

Comment 10 zhou ying 2016-08-10 06:52:17 UTC
Today only INT has a 3.3 env, but the route for docker-registry does not work. Will verify this bug when the env is ready.

Comment 11 zhou ying 2016-08-10 10:02:46 UTC
Confirmed with OCP3.3.0.17, the issue has been fixed.
Check ~/.docker/config.json and make sure it contains no credentials from your dockercfg related to your docker registry.

1) First, pull an image from the docker-registry without the registry-viewer role; the pull will fail:
docker pull 172.31.224.149:5000/zhouy/deployment-example
Using default tag: latest
Trying to pull repository 172.31.224.149:5000/zhouy/deployment-example ... 
Pulling repository 172.31.224.149:5000/zhouy/deployment-example
Error: image zhouy/deployment-example not found

2) Grant the registry-viewer role to the system:anonymous user, then pull again; the pull will succeed:

oc policy add-role-to-user registry-viewer system:anonymous

docker pull 172.31.224.149:5000/zhouy/deployment-example
Using default tag: latest
Trying to pull repository 172.31.224.149:5000/zhouy/deployment-example ... 
latest: Pulling from 172.31.224.149:5000/zhouy/deployment-example
a3ed95caeb02: Pull complete 
50438f3701c4: Pull complete 
Digest: sha256:ea9135488f323060cb18ab3ec06286cd49e4b3a611fce1a6a442651ecf421f99
Status: Downloaded newer image for 172.31.224.149:5000/zhouy/deployment-example:latest
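
The precondition in comment 11 (no stored credentials for the registry, so that the pull is really anonymous) can be checked mechanically before running the two pulls. This is an added example, not part of the bug report or of OpenShift's code; the function names and the sample config are constructed here, and only the registry address is taken from the comment.

```python
import json
from urllib.parse import urlsplit


def _host(key):
    """Normalise a config key or image reference ('host:port/...' or a URL) to host[:port]."""
    return urlsplit(key if "://" in key else "//" + key).netloc.lower()


def stored_credentials(config_text, registry):
    """Return the reasons a docker client would still authenticate to `registry`.

    `config_text` is the content of ~/.docker/config.json. An empty list means
    a pull from this client is sent without credentials.
    """
    cfg = json.loads(config_text)
    want = _host(registry)
    reasons = []
    for key, entry in cfg.get("auths", {}).items():
        if _host(key) != want:
            continue
        if entry.get("auth") or entry.get("identitytoken"):
            reasons.append("auths[%s] holds inline credentials" % key)
        elif cfg.get("credsStore"):
            # With a credential store, docker login leaves an empty auths entry
            # and keeps the secret in the external store.
            reasons.append("auths[%s] is backed by credsStore %s" % (key, cfg["credsStore"]))
    for key, helper in cfg.get("credHelpers", {}).items():
        if _host(key) == want:
            reasons.append("credHelpers[%s] uses helper %s" % (key, helper))
    return reasons


# Constructed sample config; the auth value is base64 of "user:token", not a real secret.
SAMPLE = json.dumps({
    "auths": {
        "172.31.224.149:5000": {"auth": "dXNlcjp0b2tlbg=="},
        "https://index.docker.io/v1/": {"auth": "dXNlcjp0b2tlbg=="},
    }
})

if __name__ == "__main__":
    for reason in stored_credentials(SAMPLE, "172.31.224.149:5000"):
        print(reason)
```

If the function returns anything for the registry under test, a successful pull does not show that anonymous access works, because the client may have authenticated with the stored entry.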