Bug 1331191 - Provide support for public docker registries
Summary: Provide support for public docker registries
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Alexey Gladkov
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
Reported: 2016-04-28 00:11 UTC by Stefanie Forrester
Modified: 2016-09-28 16:59 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-28 16:59:56 UTC
Target Upstream Version:
Embargoed:


Description Stefanie Forrester 2016-04-28 00:11:38 UTC
Description of problem:

In certain scenarios like INT/STG testing, QE and Ops need the ability to make the registry (or even just certain projects) world-readable and therefore available for public pulls.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

I've tried the following in an attempt to open the registry up publicly. But it hasn't had the intended effect:

oc policy add-role-to-group registry-viewer system:unauthenticated

Is there maybe some additional configuration that needs to happen for the registry-viewer role to be applied to unauthenticated users?

Comment 2 Maciej Szulik 2016-04-28 11:37:28 UTC
I'm not sure we allow access at all to any kind of resources for unauthenticated users. David or Jordan may know that, guys?

Comment 5 Alexey Gladkov 2016-08-04 09:26:19 UTC
We need to backport https://github.com/openshift/origin/pull/9887 for that.

Comment 6 Stefanie Forrester 2016-08-04 14:55:32 UTC
Ops was able to work around this by deploying an apache frontend pod to provide the authentication for pulls. So we have a publicly-readable docker registry now, using the ose-docker-registry pod as the backend. So we no longer need this functionality from the builtin registry. Thanks,

Comment 7 Stefanie Forrester 2016-08-04 14:57:11 UTC
I mean the authentication for *pushes, sorry. Pulls require no authentication on Ops's registry app.

Comment 10 zhou ying 2016-08-10 06:52:17 UTC
Today only INT has a 3.3 env, but the route for docker-registry does not work. Will verify this bug when the env is ready.

Comment 11 zhou ying 2016-08-10 10:02:46 UTC
Confirmed with OCP3.3.0.17, the issue has been fixed.
Check ~/.docker/config.json and make sure it has no credentials from your dockercfg related to your docker registry.

1) First, pull the image from docker-registry without the registry-viewer role; the pull will fail:
docker pull 172.31.224.149:5000/zhouy/deployment-example
Using default tag: latest
Trying to pull repository 172.31.224.149:5000/zhouy/deployment-example ... 
Pulling repository 172.31.224.149:5000/zhouy/deployment-example
Error: image zhouy/deployment-example not found

2) Grant the registry-viewer role to the system:anonymous user, then pull again; the pull will succeed:

oc policy add-role-to-user registry-viewer system:anonymous

docker pull 172.31.224.149:5000/zhouy/deployment-example
Using default tag: latest
Trying to pull repository 172.31.224.149:5000/zhouy/deployment-example ... 
latest: Pulling from 172.31.224.149:5000/zhouy/deployment-example
a3ed95caeb02: Pull complete 
50438f3701c4: Pull complete 
Digest: sha256:ea9135488f323060cb18ab3ec06286cd49e4b3a611fce1a6a442651ecf421f99
Status: Downloaded newer image for 172.31.224.149:5000/zhouy/deployment-example:latest
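
The pre-check from Comment 11 (no credentials for the registry in the Docker client config before testing an anonymous pull), as an added example that is not part of the original bug report. The function name and sample configs are constructed for illustration; beyond what the comment mentions, it also looks at credHelpers, credsStore and the legacy ~/.dockercfg layout.

```python
import json
from urllib.parse import urlsplit


def _host(key):
    """Reduce an auths key ("https://host:5000/v1/" or "host:5000") to host[:port]."""
    key = key.strip().lower()
    if "://" not in key:
        key = "//" + key
    return urlsplit(key).netloc


def credential_sources(config, registry):
    """Return the places in a parsed Docker client config that could supply
    credentials for `registry`. An empty list means the pull is anonymous."""
    want = _host(registry)
    found = []
    # config.json keeps entries under "auths"; the legacy ~/.dockercfg
    # format keeps the same kind of entries at the top level.
    entries = dict(config.get("auths") or {})
    entries.update({k: v for k, v in config.items()
                    if isinstance(v, dict) and "auth" in v})
    for key, entry in entries.items():
        if (isinstance(entry, dict) and _host(key) == want
                and (entry.get("auth") or entry.get("identitytoken"))):
            found.append("auths[%s]" % key)
    # A per-registry helper or a global store supplies credentials at pull time.
    for key, helper in (config.get("credHelpers") or {}).items():
        if _host(key) == want:
            found.append("credHelpers[%s]=%s" % (key, helper))
    if config.get("credsStore"):
        found.append("credsStore=%s" % config["credsStore"])
    return found


# Constructed sample configs; the auth value is a placeholder, not a real secret.
STALE = json.loads('{"auths": {"https://172.31.224.149:5000/v1/": {"auth": "dXNlcjp0b2tlbg=="}}}')
CLEAN = json.loads('{"auths": {"registry.example.com": {"auth": "dXNlcjp0b2tlbg=="}}}')


if __name__ == "__main__":
    for name, cfg in (("stale", STALE), ("clean", CLEAN)):
        print(name, credential_sources(cfg, "172.31.224.149:5000"))
```

A non-empty result means a successful pull does not prove that anonymous access works, because the client may have authenticated.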

