Bug 1751809

Summary: authenticated registries to pull ceph images may fail if overcloud pulls image directly from registry and doesn't use intermediate registry like undercloud
Product: Red Hat OpenStack Reporter: John Fulton <johfulto>
Component: openstack-tripleo-heat-templatesAssignee: Francesco Pantano <fpantano>
Status: CLOSED ERRATA QA Contact: Yogev Rabl <yrabl>
Severity: medium Docs Contact:
Priority: medium    
Version: 15.0 (Stein)CC: amcleod, aschoen, ceph-eng-bugs, elicohen, fpantano, gcharot, gfidente, gmeno, mburns, nthomas, nweinber, ykaul
Target Milestone: z2Keywords: Triaged, ZStream
Target Release: 15.0 (Stein)   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: openstack-tripleo-heat-templates-10.6.2-0.20191202200455.41d9f8a.el8ost Doc Type: Enhancement
Doc Text:
With this update, the credentials that you supply in the `ContainerImageRegistryCredentials` parameter pass to ceph-ansible automatically if the registry name matches the registry name in the `ceph_namespace` parameter.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-05 12:00:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description John Fulton 2019-09-12 15:45:44 UTC
As described in docbug 1723969, customers can use ContainerImageRegistryCredentials to have their undercloud authenticate to access containers used in the overcloud. This results the ceph container being download to the undercloud and then during overcloud deployment the overcloud may pull that container without authentication. However, if the customer chooses not to pull the containers to the undercloud first and instead have the overcloud directly pull the container during deployment the openstack containers will download without a problem but during the ceph container download they might hit bug 1748859 or 1748911. This should be addressed by the following ceph-ansible PR:


This is bug tracks updating TripleO so that if ContainerImageRegistryCredentials is set, then it passes the appropriate overrides to the parameters introduced in the above PR. It should result in ceph-ansible being able to use those paramters to authenticate and then directly pull the ceph container.

Comment 5 John Fulton 2019-10-31 12:40:38 UTC
What version of ceph-ansible should be used with what version of of tht to not hit this problem anymore?

Comment 10 errata-xmlrpc 2020-03-05 12:00:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.