Document URL: https://access.redhat.com/documentation/en/openshift-enterprise/version-3.2/installation-and-configuration/#install-config-install-docker-registry
Section Number and Name: 2.7.2.2.1

Describe the issue:
Or, to attach an existing NFS volume to the registry:

  oc volume deploymentconfigs/docker-registry \
    --add --overwrite --name=registry-storage --mount-path=/registry \
    --source='{"nfs": { "server": "<fqdn>", "path": "/path/to/export"}}'

When you try to do this without adding SCC privileges, the docker registry fails without any real good reason why.

Suggestions for improvement:
After the "Or" line noted above, suggest adding something like:

Note: Mounting an NFS share requires the privileged security context to be set on the registry:

  oadm policy add-scc-to-user privileged system:serviceaccount:default:registry

Additional information:
Seems like the oc volume command should do that for us automatically, maybe. Regardless, seems like an error should be logged to better help determine the underlying issue. Two scripts to create/delete the registry follow.
Note: you might have to edit the SCC for a full cleanup:

  oc edit scc privileged   # for full cleanup

[root@m01-useast1a-c001 ~]# cat create_registry.sh
#!/bin/bash
# Create the registry service account in the default project
echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f -
# Grant the registry service account the privileged SCC so it can mount the NFS export directly
#oadm policy add-scc-to-user privileged registry
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry
# Deploy the registry under that service account, pinned to the selected nodes
oadm registry --config=/etc/origin/master/admin.kubeconfig \
  --service-account=registry \
  --images='registry.access.redhat.com/openshift3/ose-${component}:${version}' \
  --selector='region=primary,zone=east'
# Attach the existing NFS export as the registry's storage volume
oc volume deploymentconfigs/docker-registry \
  --add --overwrite --name=registry-storage --mount-path=/registry \
  --source='{"nfs": { "server": "10.0.2.172", "path": "/"}}'

[root@m01-useast1a-c001 ~]# cat delete_registry.sh
#!/bin/bash
# Tear down the registry deployment, service and service account
oc delete dc/docker-registry
oc delete svc/docker-registry
oc delete sa/registry
# Remove the secrets generated for the registry service account
for i in $(oc get secrets | grep registry | awk '{print $1}')
do
  echo "deleting secret/$i"
  oc delete secret/$i
done
I'm curious if ansible registry setup has capabilities to handle this? Will have to look.
We do this automatically for 3.1 versions: https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-cluster/openshift_hosted.yml#L42-L49

TASK where we add the registry and router SA to the privileged SCC: https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_serviceaccounts/tasks/main.yml#L27-L34

In 3.3 does the `oadm router` command add its SA to the right SCC, or is it bootstrapped? (I also might be missing something in the installer that does it only for the router.)

This is a DOCS issue most likely, as the registry can run as restricted, but if you wish to directly mount a volume not using a PV or PVC then you will need to add the SA of the registry to an SCC that has the permissions to do so. Instead of adding it to privileged we should add it to hostmount-anyuid:

  # oadm policy add-scc-to-user hostmount-anyuid \
      system:serviceaccount:default:registry

The release note that describes what changed with SCC and volumes: https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html#ose-32-security
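The comment above makes two points: a direct NFS mount (no PV/PVC) needs an SCC that permits the nfs volume plugin, and hostmount-anyuid is the least-privilege choice over privileged. The following is an added example, not code from this bug report, from OpenShift, or from openshift-ansible: it reads the JSON shape that `oc get scc -o json` returns (an "items" list whose entries carry "users", "groups", "volumes" and "allowPrivilegedContainer", as assumed for the 3.2 schema) and reports whether a given service account may mount a volume type directly, which SCCs grant that, and which of those are broader than needed. The SCC list embedded below is constructed and abbreviated; the group memberships assigned to service accounts are an assumption based on the usual system:serviceaccounts conventions.

```python
import json

# Constructed sample, abbreviated to the fields this check reads. The shape
# follows what `oc get scc -o json` returns on OpenShift 3.2 (assumed), where
# each SCC lists the volume plugins it permits under "volumes".
SAMPLE_SCC_LIST = json.dumps({
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "restricted"},
            "users": [],
            "groups": ["system:authenticated"],
            "allowPrivilegedContainer": False,
            "volumes": ["configMap", "downwardAPI", "emptyDir",
                        "persistentVolumeClaim", "secret"],
        },
        {
            "metadata": {"name": "hostmount-anyuid"},
            "users": ["system:serviceaccount:default:registry"],
            "groups": [],
            "allowPrivilegedContainer": False,
            "volumes": ["configMap", "downwardAPI", "emptyDir", "hostPath",
                        "nfs", "persistentVolumeClaim", "secret"],
        },
        {
            "metadata": {"name": "privileged"},
            "users": ["system:admin"],
            "groups": ["system:cluster-admins"],
            "allowPrivilegedContainer": True,
            "volumes": ["*"],
        },
    ],
})


def default_groups_for(subject):
    """Groups a subject is assumed to belong to (system:authenticated for
    everyone; service accounts also get the system:serviceaccounts groups).
    This is an assumption about the usual OpenShift conventions."""
    groups = ["system:authenticated"]
    parts = subject.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        groups += ["system:serviceaccounts", "system:serviceaccounts:" + parts[2]]
    return groups


def scc_allows_volume(scc, volume_type):
    """True if the SCC permits the given volume plugin ("*" means any plugin)."""
    volumes = scc.get("volumes", [])
    return "*" in volumes or volume_type in volumes


def sccs_for_subject(scc_items, subject, groups):
    """SCCs bound to `subject` directly (users) or through one of its groups."""
    return [scc for scc in scc_items
            if subject in scc.get("users", [])
            or any(g in scc.get("groups", []) for g in groups)]


def check_direct_mount(scc_list_json, subject, volume_type="nfs", groups=None):
    """Report whether `subject` may mount `volume_type` directly (no PV/PVC),
    which SCCs grant that, and which of them also allow privileged containers
    (a sign that a narrower SCC such as hostmount-anyuid would do)."""
    items = json.loads(scc_list_json)["items"]
    if groups is None:
        groups = default_groups_for(subject)
    applicable = sccs_for_subject(items, subject, groups)
    granting = [s["metadata"]["name"] for s in applicable
                if scc_allows_volume(s, volume_type)]
    overly_privileged = [s["metadata"]["name"] for s in applicable
                         if scc_allows_volume(s, volume_type)
                         and s.get("allowPrivilegedContainer", False)]
    return {"allowed": bool(granting),
            "granting": granting,
            "overly_privileged": overly_privileged}


if __name__ == "__main__":
    for sa in ("system:serviceaccount:default:registry",
               "system:serviceaccount:default:router"):
        print(sa, check_direct_mount(SAMPLE_SCC_LIST, sa))
```

To run this against a real cluster, replace SAMPLE_SCC_LIST with the output of `oc get scc -o json`. An empty "granting" list for the registry service account is the condition the bug report describes: the volume is attached but no SCC bound to the account permits the nfs plugin, so the deployment fails. A non-empty "overly_privileged" list means the mount works only because the account sits in privileged, which is the case the comment above suggests replacing with hostmount-anyuid.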