Red Hat Bugzilla – Bug 1461465
Don't add Red Hat registry when registry list explicitly specified or all are blocked
Last modified: 2017-10-18 13:30:31 EDT
Description of problem:
When using the
variable in the installer, registry.access.redhat.com will be added despite additional registries being specified.
And when using the
option, then it will still be added. Which means that even if all registries not explicitly listed are intended to be blacklisted, the installer will whitelist registry.access.redhat.com.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add appropriate local registries in openshift_docker_additional_registries= to ansible hosts file for the installer
2. Add openshift_docker_blocked_registries=all to the hosts file
3. Run installer
There will be a --add-registry registry.access.redhat.com in the /etc/sysconfig/docker config file
No extra registry besides the ones specified in openshift_docker_additional_registries variable
While I understand the rationale for adding the enterprise registry if there are no other registries explicitly specified, I think it may be least-surprising to omit it once there are others added. But at the very least it should not get added when there's a block of =all.
This looks like a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1419497.
(In reply to Marko Myllynen from comment #1)
> This looks like a dupe of
Close enough, same fundamental cause. The most significant problem here is that it's added and gets whitelisted despite the openshift_docker_blocked_registries=all directive which could be expected to disable it. But resolving 1419497 by simply not adding it any more would also resolve this issue. Maybe the severity on 1419597 should be raised?
It's not only cosmetic - I set it as low due to working around it by cleaning it out in post-install, but as leaving the configured entry in would potentially enable pulling of images in violation of both intent and possible organisational policy, it's not completely benign.
Reopening after further discussion about Bug #1480195.
Noted a further issue.
Once you update to 7.4 you also get atomic-registries-1.18.1-3.1.git0705b1b.el7.x86_64 which seems to make the registries.service add registry.access.redhat.com as well, which might further compound the issue as it will get added again DESPITE having stripped it out, blocked all, etc. from the docker sysconfig file.
You can now set
And the enterprise registry will not be added to the docker registries.
(In reply to Michael Gugino from comment #6)
> And the enterprise registry will not be added to the docker registries.
Marvellous, thanks, looking forward to using that!
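A post-install check for the condition reported in this bug, as an added example (not part of the bug report or of the installer): it lists every `--add-registry` entry in the docker sysconfig file that is not in the intended list and reports whether `--block-registry all` is also set. The `ADD_REGISTRY`/`BLOCK_REGISTRY` variable names, the sample file contents and `registry.local.example:5000` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a docker sysconfig file for unintended registries.

# Print every value given to a daemon flag such as --add-registry.
flag_values() {
    awk -v flag="$1" '
        /^[[:space:]]*#/ { next }          # ignore commented-out lines
        {
            gsub(/["\047]/, " ")           # strip shell quoting
            gsub(flag "=", flag " ")       # accept --flag=value as well
            for (i = 1; i < NF; i++)
                if ($i == flag) print $(i + 1)
        }' "$2"
}

# audit_docker_registries FILE [ALLOWED...]
# Reports each --add-registry entry that is not in ALLOWED; returns 1 if any.
audit_docker_registries() {
    cfg=$1; shift
    rc=0; block_all=no
    for b in $(flag_values --block-registry "$cfg"); do
        if [ "$b" = all ]; then block_all=yes; fi
    done
    for reg in $(flag_values --add-registry "$cfg"); do
        expected=no
        for ok in "$@"; do
            if [ "$reg" = "$ok" ]; then expected=yes; fi
        done
        if [ "$expected" = no ]; then
            echo "UNEXPECTED add-registry=$reg block-all=$block_all"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of the state described in this report (assumed layout).
sample_config() {
    cat <<'EOF'
# /etc/sysconfig/docker (constructed sample)
ADD_REGISTRY='--add-registry registry.local.example:5000 --add-registry registry.access.redhat.com'
BLOCK_REGISTRY='--block-registry all'
EOF
}

demo=$(mktemp)
sample_config > "$demo"
audit_docker_registries "$demo" registry.local.example:5000 || echo "audit failed"
rm -f "$demo"
```

On a real host, pass `/etc/sysconfig/docker` and the registries from `openshift_docker_additional_registries`; re-running it after package updates catches the entry being added back.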