Bug 1689230 - openshift_docker_blocked_registries is not blocking registries

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Shivkumar Ople <sople> |
| Component: | Installer | Assignee: | Joseph Callen <jcallen> |
| Installer sub component: | openshift-ansible | QA Contact: | Weihua Meng <wmeng> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | unspecified | | |
| Priority: | unspecified | CC: | gpei, wmeng |
| Version: | 3.11.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 3.11.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openshift-ansible-3.11.102-1.git.0.16a8aac.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-26 09:07:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Shivkumar Ople
2019-03-15 13:28:56 UTC

Please, whenever possible, include actual inputs and outputs rather than describing them which is open to misinterpretation.

Reviewing the code this will populate the values into /etc/sysconfig/docker by default rather than /etc/containers/registries.conf. Can you confirm that's the case and that the settings defined therein are taking effect? The output of `docker info` will illustrate how exactly docker is configured.

Hello,

(In reply to Scott Dodson from comment #1)
> Please, whenever possible, include actual inputs and outputs rather than
> describing them which is open to misinterpretation.
>
> Reviewing the code this will populate the values into /etc/sysconfig/docker
> by default rather than /etc/containers/registries.conf. Can you confirm
> that's the case and that the settings defined therein are taking effect?
> The output of `docker info` will illustrate how exactly docker is configured.

Yes, we can confirm that's the case.

--add-registry registry.redhat.io <--- This value should not be there in ADD_REGISTRY, after assigning "all" to the "openshift_docker_blocked_registries" variable. In this case, it's assigned in the below manner.

~~~~
ADD_REGISTRY='--add-registry <internal-artifactory> --add-registry docker-registry.default.svc:5000 --add-registry registry.redhat.io'
BLOCK_REGISTRY='--block-registry all'
INSECURE_REGISTRY='--insecure-registry <internal-artifactory>'
~~~~

Thank you

Ok, we append that for all installs where openshift_deployment_type == 'openshift-enterprise'. I guess it makes sense to only do this when (openshift_deployment_type == 'openshift-enterprise' && oreg_url matches 'registry.redhat.io').

Can you please set an appropriate severity/priority based on your customer's opinion of this matter? It will then be worked on based on PM Score ordering.

1. The PR is not good.
https://github.com/openshift/openshift-ansible/pull/11390

oreg_url is optional for installation; if oreg_url is not set and openshift_docker_blocked_registries=all, install will fail as the registry is blocked to pull images.

2. I think the logic would be something like:
when openshift_docker_blocked_registries=all, all registries other than (listed in openshift_docker_additional_registries plus registry in oreg_url) are blocked.
if oreg_url not set and openshift_deployment_type=openshift-enterprise, default registry (registry.redhat.io) is allowed, unless explicitly listed in openshift_docker_blocked_registries.

PR: https://github.com/openshift/openshift-ansible/pull/11565
Build: openshift-ansible-3.11.112-1

Failed.
openshift-ansible-3.11.119-1.git.0.c9a8ebf.el7

~~~~
oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}
openshift_docker_insecure_registries=brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888,virt-openshift-05.lab.eng.nay.redhat.com:5000,virt-openshift-05.lab.eng.nay.redhat.com:5001,registry.reg-aws.openshift.com:443,asb-registry.usersys.redhat.com:5000
openshift_docker_blocked_registries=all
~~~~

~~~~
"Jun 17 05:13:57 ip-172-18-8-21.ec2.internal atomic-openshift-node[13414]: E0617 05:13:57.028197 13414 kuberuntime_manager.go:646] createPodSandbox for pod \"master-api-ip-172-18-8-21.ec2.internal_kube-system(9d066f84b20195c767ec4ed9d7ac3ba2)\" failed: rpc error: code = Unknown desc = All endpoints blocked.",
~~~~

~~~~
[root@ip-172-18-8-21 ~]# cat /etc/containers/registries.conf
# Ansible managed

# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.

# The default location for this configuration file is /etc/containers/registries.conf.

# The only valid categories are: 'registries.search', 'registries.insecure',
# and 'registries.block'.

[registries.search]
registries = []

# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = ["brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888", "virt-openshift-05.lab.eng.nay.redhat.com:5000", "virt-openshift-05.lab.eng.nay.redhat.com:5001", "registry.reg-aws.openshift.com:443", "asb-registry.usersys.redhat.com:5000"]

# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = ["all"]

[root@ip-172-18-8-21 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@ip-172-18-8-21 ~]# docker pull asd
Using default tag: latest
Error response from daemon: No configured registry to pull from.
[root@ip-172-18-8-21 ~]# docker pull registry.reg-aws.openshift.com:443/openshift3/ose-node:v3.11
Trying to pull repository registry.reg-aws.openshift.com:443/openshift3/ose-node ...
All endpoints blocked.
~~~~

Fixed.
openshift-ansible-3.11.119-1.git.0.c9a8ebf.el7

Be aware that when openshift_docker_blocked_registries=all is set, if oreg_url is specified, you must add the registry used in oreg_url to openshift_docker_additional_registries, or install will fail due to the registry being blocked.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1605
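As an added example (not code from openshift-ansible or from any commenter above), the following Python pre-flight check models the rule the thread settles on: with `openshift_docker_blocked_registries=all`, only registries listed in `openshift_docker_additional_registries` stay reachable, and `registry.redhat.io` is allowed on an enterprise install only when `oreg_url` is unset and it is not blocked by name. It assumes the three inventory lists map to the `[registries.search]`, `[registries.insecure]` and `[registries.block]` sections of the `registries.conf` quoted in the thread.

```python
"""Pre-flight check for the openshift_docker_blocked_registries=all case.
Hypothetical helper, not openshift-ansible code.  Assumption: additional,
insecure and blocked inventory lists become [registries.search],
[registries.insecure] and [registries.block] in /etc/containers/registries.conf."""

DEFAULT_ENTERPRISE_REGISTRY = "registry.redhat.io"


def split_list(value):
    """Comma-separated inventory value -> list (empty when unset)."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def registry_of(oreg_url):
    """Registry host[:port] of an oreg_url, e.g.
    registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}
    -> registry.reg-aws.openshift.com:443."""
    return oreg_url.split("/", 1)[0] if oreg_url else None


def plan(inv):
    """Return the registries.conf lists plus whether the registry the installer
    pulls images from would hit 'All endpoints blocked'."""
    search = split_list(inv.get("openshift_docker_additional_registries"))
    insecure = split_list(inv.get("openshift_docker_insecure_registries"))
    block = split_list(inv.get("openshift_docker_blocked_registries"))
    enterprise = inv.get("openshift_deployment_type") == "openshift-enterprise"
    oreg_url = inv.get("oreg_url")
    image_registry = registry_of(oreg_url)
    if image_registry is None and enterprise:
        # No oreg_url: enterprise installs pull from the default registry.
        image_registry = DEFAULT_ENTERPRISE_REGISTRY
    if "all" in block:
        # Everything is blocked except the explicitly listed search registries;
        # the default registry is only allowed when oreg_url is unset and it
        # was not blocked by name (the rule proposed in the thread).
        reachable = image_registry in search or (
            not oreg_url and enterprise and DEFAULT_ENTERPRISE_REGISTRY not in block)
    else:
        reachable = image_registry not in block
    return {"search": search, "insecure": insecure, "block": block,
            "image_registry": image_registry,
            "install_would_fail": image_registry is not None and not reachable}


def render(p):
    """Render the three TOML sections that end up in registries.conf."""
    def sec(name, items):
        return '[registries.%s]\nregistries = [%s]\n' % (
            name, ", ".join('"%s"' % i for i in items))
    return sec("search", p["search"]) + sec("insecure", p["insecure"]) + sec("block", p["block"])
```

Running `plan()` on the inventory from the failed verification above reports `install_would_fail`, and adding the `oreg_url` registry to `openshift_docker_additional_registries` clears it.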