Bug 1449415

Summary: Missing equals sign in /etc/sysconfig/docker for the BLOCK_REGISTRY from OCP playbook
Product: OpenShift Container Platform
Reporter: Brennan Vincello <bvincell>
Component: Cluster Version Operator
Assignee: Scott Dodson <sdodson>
Status: CLOSED NOTABUG
QA Contact: Anping Li <anli>
Severity: unspecified
Priority: unspecified
Version: 3.5.0
CC: aos-bugs, bvincell, jokerman, mmccomas
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-05-23 16:39:42 UTC
Type: Bug

Description Brennan Vincello 2017-05-09 22:11:17 UTC
Description of problem:

Seeing same behavior in 3.4 / 3.5 versions. We have set in /etc/ansible/hosts the value of a registry to block, initially a single repo (docker.io) and now updated to just be all. Either way, when the playbook runs it adds the entry with a space after the --block-registry and the value instead of an = sign. As a result the registry does not actually get blocked from docker pulls. After manually editing the file to put in the equals (=) sign and restarting docker, the registries are blocked as expected.

Version-Release number of selected component (if applicable): OCP 3.4/5

How reproducible: Very

Steps to Reproduce:

1. Declare this in host file:
#/etc/ansible/hosts value
openshift_docker_blocked_registries=all
# or
openshift_docker_blocked_registries=docker.io

2. Run playbook:
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_4/upgrade.yml
# or
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade.yml

Actual results:

# /etc/sysconfig/docker value
BLOCK_REGISTRY='--block-registry all'
# or
BLOCK_REGISTRY='--block-registry docker.io'

Expected results:

# /etc/sysconfig/docker value
BLOCK_REGISTRY='--block-registry=all'
# or
BLOCK_REGISTRY='--block-registry=docker.io'

Additional info: thank you.

Comment 1 Scott Dodson 2017-05-10 01:13:17 UTC
The equals sign is not required. Can you provide the entire contents of /etc/sysconfig/docker and an example of pulling an image you expect not to be able to pull based on current configuration?

# grep -v '#' /etc/sysconfig/docker
OPTIONS=' --selinux-enabled  --insecure-registry=172.40.0.0/16 --log-driver=journald'
DOCKER_CERT_PATH=/etc/docker
BLOCK_REGISTRY='--block-registry all'

[root@ose3-master ~]# docker pull centos
Using default tag: latest
Error response from daemon: No default registry configured.

[root@ose3-master ~]# docker pull docker.io/centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ... 
All endpoints blocked.


[root@ose3-master ~]# sed -i /BLOCK_REGISTRY/d /etc/sysconfig/docker
[root@ose3-master ~]# systemctl restart docker
[root@ose3-master ~]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ... 
latest: Pulling from docker.io/library/centos
93857f76ae30: Pull complete 
Digest: sha256:4eda692c08e0a065ae91d74e82fff4af3da307b4341ad61fa61771cc4659af60
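
An added example, not part of the bug report or of openshift-ansible: a shell check that reads a sysconfig-style docker file and lists what BLOCK_REGISTRY blocks, accepting both the space form and the equals form discussed above. The sample files are constructed, `example.test` is a placeholder registry, and treating `all` as blocking every registry is an assumption taken from the output in Comment 1.

```shell
#!/bin/sh
# Added example, not from the bug report: list what BLOCK_REGISTRY blocks.

# Print one blocked registry per line for sysconfig-style file $1.
# Accepts both "--block-registry VALUE" and "--block-registry=VALUE".
blocked_registries() {
    # Last uncommented assignment wins; strip the key and the quotes.
    _value=$(grep -E '^[[:space:]]*BLOCK_REGISTRY=' "$1" | tail -n 1 |
             sed -e 's/^[^=]*=//' | tr -d "\"'")
    _want=0
    set -f                      # no filename globbing while word-splitting
    for _tok in $_value; do
        if [ "$_want" -eq 1 ]; then
            printf '%s\n' "$_tok"; _want=0
            continue
        fi
        case $_tok in
            --block-registry=*) printf '%s\n' "${_tok#--block-registry=}" ;;
            --block-registry)   _want=1 ;;
        esac
    done
    set +f
}

# Succeed if registry $2 is blocked by file $1, directly or through "all"
# (assumption: "all" blocks every registry, as the output in Comment 1 shows).
is_blocked() {
    blocked_registries "$1" | grep -qxF -e all -e "$2"
}

# Constructed sample files modelled on the values quoted in the report.
SAMPLES=$(mktemp -d)
printf "%s\n" "OPTIONS=' --selinux-enabled --log-driver=journald'" \
    "BLOCK_REGISTRY='--block-registry all'" > "$SAMPLES/space"
printf "%s\n" "# BLOCK_REGISTRY='--block-registry=all'" \
    "BLOCK_REGISTRY='--block-registry=docker.io --block-registry example.test'" \
    > "$SAMPLES/mixed"
printf "%s\n" "DOCKER_CERT_PATH=/etc/docker" > "$SAMPLES/none"

for f in space mixed none; do
    if is_blocked "$SAMPLES/$f" docker.io; then
        echo "$f: docker.io blocked"
    else
        echo "$f: docker.io NOT blocked"
    fi
done
```

A file with no BLOCK_REGISTRY line, as after the `sed -i /BLOCK_REGISTRY/d` step in Comment 1, reports nothing blocked.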