Bug 1248095 - [docs] OSE 3.0 administrator guide: --insecure-registry value not explained
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
medium Severity low
Assigned To: brice
Vikram Goyal
Reported: 2015-07-29 11:07 EDT by Evgheni Dereveanchin
Modified: 2015-09-23 19:09 EDT
Doc Type: Bug Fix
Last Closed: 2015-09-23 19:09:07 EDT
Type: Bug
Description Evgheni Dereveanchin 2015-07-29 11:07:17 EDT
Document URL: 

Section Number and Name: Software Prerequisites
 Installing Docker

Describe the issue: 
Docker installation includes a step to add "--insecure-registry" to the OPTIONS parameter of /etc/sysconfig/docker

There's however no explanation of whether this subnet definition should be left as is or adjusted according to the IP of the Master/nodes/etc

Suggestions for improvement: 
Add description of which IP/netmask to use in this paragraph.

Additional information: 
It's not explained why this is needed and how to install proper certificates into docker so that this insecure option can be avoided.
Comment 1 Evgheni Dereveanchin 2015-07-29 11:10:58 EDT
Just noted that there's "beta" in the URL but this is where this page redirects currently:

Comment 3 brice 2015-08-24 01:44:01 EDT

After finding more information, you're right, it's not correct to assume that that's the IP address field the reader will be using, so I've added a note box indicating they might need to change it. I've also added a link to the section of the docs about securing a docker registry. You can see the work in this PR:


If there's anything else for this BZ, or if it's not exactly what you meant, please let me know.
Comment 4 Evgheni Dereveanchin 2015-08-24 02:29:08 EDT
Thank you. That's all I wanted: to avoid any possible confusion.
Comment 5 Alex Dellapenta 2015-08-24 11:33:24 EDT
is the default servicesSubnet as defined in a default master config file:



So when the integrated registry is deployed, the service will use that subnet. By following the prereqs as shown and setting --insecure-registry in the docker config to, we can be sure the integrated registry (which is insecure by default) will be trusted and usable. The integrated registry can later be secured (post-deployment) per the following steps, which include instructions on removing --insecure-registry for this subnet at that time:


So basically --insecure-registry should match servicesSubnet (as long as the registry is insecure). servicesSubnet can be set during an advanced install using the openshift_master_portal_net variable[1] in the inventory file. Or it can be manually changed later, but if it changes, --insecure-registry should be changed on all hosts to match.

The sample-app README[2] mentions the following:

"These instructions assume you have not changed the kubernetes/openshift service subnet configuration from the default value of"

We could include a similar sentiment in the prereq section and at that point include some context/link between --insecure-registry and servicesSubnet / openshift_master_portal_net info (which would be net-new content somewhere).

[1] https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/tasks/main.yml#L45

[2] https://github.com/openshift/origin/tree/master/examples/sample-app#docker-changes
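
One way to check the rule from Comment 5, that --insecure-registry must match servicesSubnet on every host, as an added example that is not part of the original bug or of the OpenShift docs. The subnet 10.200.0.0/16, the registry hostname and both file excerpts are constructed samples, and the placement of servicesSubnet under networkConfig is an assumption about the master config layout.

```python
import ipaddress
import re

# Constructed sample inputs (not from the page); 10.200.0.0/16 is a made-up subnet.
SYSCONFIG_DOCKER = """\
# /etc/sysconfig/docker (constructed sample)
OPTIONS='--selinux-enabled --insecure-registry=10.200.0.0/16 --insecure-registry registry.example.test:5000'
"""
MASTER_CONFIG = """\
networkConfig:
  servicesSubnet: 10.200.0.0/16
"""

def insecure_registries(sysconfig_text):
    """Return every --insecure-registry value on the OPTIONS line(s)."""
    values = []
    for line in sysconfig_text.splitlines():
        m = re.match(r"\s*OPTIONS\s*=\s*(.*)$", line)
        if not m:
            continue
        args = m.group(1).strip().strip("'\"").split()
        for i, arg in enumerate(args):
            if arg.startswith("--insecure-registry="):
                values.append(arg.split("=", 1)[1])
            elif arg == "--insecure-registry" and i + 1 < len(args):
                values.append(args[i + 1])
    return values

def services_subnet(master_config_text):
    """Return servicesSubnet from the master config text as an ip_network."""
    m = re.search(r"^\s*servicesSubnet:\s*['\"]?([0-9a-fA-F.:/]+)",
                  master_config_text, re.M)
    if not m:
        raise ValueError("servicesSubnet not found in master config")
    return ipaddress.ip_network(m.group(1))

def audit(sysconfig_text, master_config_text):
    """Report whether docker trusts exactly the services subnet without TLS."""
    subnet = services_subnet(master_config_text)
    matches, extra = False, []
    for value in insecure_registries(sysconfig_text):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            net = None  # a host[:port] entry, which can never equal the subnet
        if net == subnet:
            matches = True
        else:
            extra.append(value)  # stale or unrelated entry still trusted insecurely
    return {"services_subnet": str(subnet), "matches": matches, "extra": extra}
```

Run against each host's own files, `matches` being False means the integrated registry's subnet is not covered, and anything in `extra` is an insecure-registry entry that no longer corresponds to servicesSubnet and should be reviewed for removal.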
Comment 6 brice 2015-08-25 01:08:27 EDT
Alex, thanks for the extra info. I tried to incorporate that into the PR. Let me know if the information was translated badly:

Comment 7 brice 2015-08-26 00:41:16 EDT
Evgheni, Alex, thanks. Docs PR merged.
