Red Hat Bugzilla – Bug 1248095
[docs] OSE 3.0 administrator guide: --insecure-registry value not explained
Last modified: 2015-09-23 19:09:07 EDT
Section Number and Name:
22.214.171.124. Software Prerequisites
Describe the issue:
Docker installation includes a step to add "--insecure-registry 172.30.0.0/16" to the OPTIONS parameter of /etc/sysconfig/docker.
There's however no explanation of whether this subnet definition should be left as is or adjusted according to the IP of the Master/nodes/etc.
Suggestions for improvement:
Add description of which IP/netmask to use in this paragraph.
It's not explained why this is needed and how to install proper certificates into docker so that this insecure option can be avoided.
Just noted that there's "beta" in the URL but this is where this page redirects currently:
After finding more information, you're right, it's not correct to assume that that's the IP address field the reader will be using, so I've added a note box indicating they might need to change it. I've also added a link to the section of the docs about securing a docker registry. You can see the work in this PR:
If there's anything else for this BZ, or if it's not exactly what you meant, please let me know.
Thank you. That's all I wanted: to avoid any possible confusion.
172.30.0.0/16 is the default servicesSubnet as defined in a default master config file:
So when the integrated registry is deployed, the service will use that subnet. By following the prereqs as shown and setting --insecure-registry in the docker config to 172.30.0.0/16, we can be sure the integrated registry (which is insecure by default) will be trusted and usable. The integrated registry can later be secured (post-deployment) per the following steps, which include instructions on removing --insecure-registry for this subnet at that time:
So basically --insecure-registry should match servicesSubnet (as long as the registry is insecure). servicesSubnet can be set during an advanced install using the openshift_master_portal_net variable in the inventory file. Or it can be manually changed later, but if it changes, --insecure-registry should be changed on all hosts to match.
The sample-app README mentions the following:
"These instructions assume you have not changed the kubernetes/openshift service subnet configuration from the default value of 172.30.0.0/16."
We could include a similar sentiment in the prereq section and at that point include some context/link between --insecure-registry and servicesSubnet / openshift_master_portal_net info (which would be net-new content somewhere).
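Added example, not part of the original bug comments or of the OpenShift documentation: a Python check of the rule described above, that --insecure-registry in /etc/sysconfig/docker should match servicesSubnet while the integrated registry is insecure and should be removed once the registry is secured. The function names, finding labels and sample file contents are constructed for illustration, and the master config is assumed to contain a line of the form `servicesSubnet: <CIDR>`.

```python
import ipaddress
import re
import shlex

def insecure_registries(sysconfig_text):
    """Values given to --insecure-registry on the OPTIONS line of /etc/sysconfig/docker."""
    values = []
    for line in sysconfig_text.splitlines():
        if line.strip().startswith("OPTIONS="):
            # shlex removes the shell quoting, leaving a plain argument string.
            options = " ".join(shlex.split(line.strip()))
            values += re.findall(r"--insecure-registry[=\s]+(\S+)", options)
    return values

def services_subnet(master_config_text):
    """Assumption: the master config has a line of the form 'servicesSubnet: <CIDR>'."""
    match = re.search(r"^\s*servicesSubnet:\s*[\"']?([0-9a-fA-F:./]+)", master_config_text, re.M)
    if not match:
        raise ValueError("servicesSubnet not found in master config")
    return ipaddress.ip_network(match.group(1))

def check(sysconfig_text, master_config_text, registry_secured=False):
    """Return (finding, value) pairs; an empty list means the two settings agree."""
    subnet = services_subnet(master_config_text)
    findings, covered = [], False
    for value in insecure_registries(sysconfig_text):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            # host[:port] entries are not CIDR ranges and need a manual look.
            findings.append(("host-entry-review-manually", value))
            continue
        covers = net.version == subnet.version and subnet.subnet_of(net)
        if covers and registry_secured:
            findings.append(("remove-now-registry-is-secured", value))
        elif covers and net != subnet:
            findings.append(("broader-than-servicesSubnet", value))
        elif not covers:
            findings.append(("does-not-match-servicesSubnet", value))
        covered = covered or covers
    if not covered and not registry_secured:
        findings.append(("servicesSubnet-not-trusted-by-docker", str(subnet)))
    return findings

# Constructed sample inputs (not taken from a real host).
DOCKER_SYSCONFIG = "OPTIONS='--selinux-enabled --insecure-registry 172.30.0.0/16'\n"
MASTER_DEFAULT = "kubernetesMasterConfig:\n  servicesSubnet: 172.30.0.0/16\n"
MASTER_CHANGED = "kubernetesMasterConfig:\n  servicesSubnet: 172.31.0.0/16\n"
```

Run `check()` on each host with the contents of its /etc/sysconfig/docker and of the master config; any non-empty result means the docker option needs attention on that host.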
Alex, thanks for the extra info. I tried to incorporate that into the PR. Let me know if the information was translated badly:
Evgheni, Alex, thanks. Docs PR merged.