Description of problem:
When using the openshift_docker_additional_registries= variable in the installer, registry.access.redhat.com will be added despite additional registries being specified. And when using the openshift_docker_blocked_registries=all option, it will still be added. This means that even if all registries not explicitly listed are intended to be blacklisted, the installer will whitelist registry.access.redhat.com.

Version-Release number of selected component (if applicable):
3.4.1

How reproducible:
always

Steps to Reproduce:
1. Add appropriate local registries in openshift_docker_additional_registries= to the ansible hosts file for the installer
2. Add openshift_docker_blocked_registries=all to the hosts file
3. Run the installer

Actual results:
There will be a --add-registry registry.access.redhat.com in the /etc/sysconfig/docker config file

Expected results:
No extra registry besides the ones specified in the openshift_docker_additional_registries variable

Additional info:
While I understand the rationale for adding the enterprise registry if there are no other registries explicitly specified, I think it may be least surprising to omit it once there are others added. But at the very least it should not get added when there's a block of =all.
This looks like a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1419497.
(In reply to Marko Myllynen from comment #1)
> This looks like a dupe of
> https://bugzilla.redhat.com/show_bug.cgi?id=1419497.

Close enough, same fundamental cause. The most significant problem here is that it's added and gets whitelisted despite the openshift_docker_blocked_registries=all directive, which could be expected to disable it. But resolving 1419497 by simply not adding it any more would also resolve this issue.

Maybe the severity on 1419597 should be raised? It's not only cosmetic - I set it as low due to working around it by cleaning it out in post-install, but as leaving the configured entry in would potentially enable pulling of images in violation of both intent and possible organisational policy, it's not completely benign.
Reopening after further discussion about Bug #1480195.
Noted a further issue. Once you update to 7.4 you also get atomic-registries-1.18.1-3.1.git0705b1b.el7.x86_64, which seems to make the registries.service add registry.access.redhat.com as well, which might further compound the issue as it will get added again DESPITE having stripped it out, blocked all, etc. from the docker sysconfig file.
You can now set openshift_docker_ent_reg=''
And the enterprise registry will not be added to the docker registries.
(In reply to Michael Gugino from comment #6)
> And the enterprise registry will not be added to the docker registries.

Marvellous, thanks, looking forward to using that!
Verified this bug with openshift-ansible-3.9.0-0.34.0.git.0.c7d9585.el7.noarch, and PASS.

Setting the following options in the inventory file:
oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}
openshift_docker_additional_registries=registry.reg-aws.openshift.com:443
openshift_docker_blocked_registries=all
openshift_docker_ent_reg=''

registry.access.redhat.com would not be added into /etc/sysconfig/docker when openshift_docker_ent_reg=''.

# cat /etc/sysconfig/docker
<--snip-->
ADD_REGISTRY='--add-registry registry.reg-aws.openshift.com:443'
BLOCK_REGISTRY='--block-registry all'
<--snip-->

But just as mentioned in comment 5, if the user updates to 7.4 and gets the latest atomic-registries, which installs /etc/containers/registries.conf, in which registry.access.redhat.com exists as a default value, it is also respected by docker, so the user is still able to pull images from registry.access.redhat.com.

# cat /etc/containers/registries.conf
<--snip-->
[registries.search]
registries = ['registry.access.redhat.com']
<--snip-->
# rpm -qf /etc/containers/registries.conf
atomic-registries-1.20.1-9.git436cf5d.el7.x86_64

If the user is in this case, they have to set openshift_docker_ent_reg="" and openshift_docker_use_etc_containers=true in the inventory host file; that would make sure registry.access.redhat.com is not added into either conf file.

Maybe we could make the installer more intelligent, and not ask the user to set openshift_docker_use_etc_containers.

Here I would move this bug to verified; if the user is not satisfied with the fix, please assign it back.
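Comments 5 and 8 show that registry.access.redhat.com can reach docker through either /etc/sysconfig/docker or /etc/containers/registries.conf, so a post-install check has to read both. The following is an added example, not part of the bug report or of openshift-ansible; the function names and the allow-list arguments are assumptions, and the demo files are constructed from the snippets in comment 8.

```shell
# Added example: report docker registries that are configured but not allow-listed.

# Registries passed with --add-registry on the ADD_REGISTRY line of /etc/sysconfig/docker.
sysconfig_registries() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*ADD_REGISTRY=//p' "$1" |
        tr -cs 'A-Za-z0-9.:/_-' '\n' |
        awk 'prev == "--add-registry" { print } { prev = $0 }'
}

# Entries of "registries = [...]" under [registries.search] (single or multi-line array).
search_registries() {
    [ -r "$1" ] || return 0
    awk '/^[ \t]*#/ { next }
         /^[ \t]*\[/ { in_search = ($0 ~ /^[ \t]*\[registries\.search\]/); grab = 0; next }
         in_search && /^[ \t]*registries[ \t]*=/ { sub(/^[^=]*=/, ""); grab = 1 }
         grab { print; if ($0 ~ /\]/) grab = 0 }' "$1" |
        tr -cs 'A-Za-z0-9.:/_-' '\n' | sed '/^$/d'
}

# usage: unexpected_registries SYSCONFIG_FILE REGISTRIES_CONF ALLOWED_REGISTRY...
# Prints "source:registry" for each configured registry missing from the allow-list.
unexpected_registries() {
    sysconfig=$1 conf=$2; shift 2
    { sysconfig_registries "$sysconfig" | sed 's/^/sysconfig:/'
      search_registries "$conf" | sed 's/^/registries.conf:/'; } |
    while IFS= read -r entry; do
        case " $* " in
            *" ${entry#*:} "*) ;;                      # allow-listed, nothing to report
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Constructed sample files mirroring the two snippets in the verification comment.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "ADD_REGISTRY='--add-registry registry.reg-aws.openshift.com:443'" \
        "BLOCK_REGISTRY='--block-registry all'" > "$d/docker"
    printf '%s\n' '[registries.search]' "registries = ['registry.access.redhat.com']" \
        > "$d/registries.conf"
    unexpected_registries "$d/docker" "$d/registries.conf" registry.reg-aws.openshift.com:443
    rm -rf "$d"
}

# Without arguments run the demo; otherwise audit the real files against "$@".
if [ "$#" -eq 0 ]; then demo
else unexpected_registries /etc/sysconfig/docker /etc/containers/registries.conf "$@"; fi
```

Run on a node with the intended registries as arguments; any line printed names a registry that is still configured and the file it comes from.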
Fixed in all versions of 3.9 and newer, will not backport.
Fix: https://github.com/openshift/openshift-ansible/pull/6362/files#diff-90877efe325ca457cac9ff7838e909c8R5
*** Bug 1419497 has been marked as a duplicate of this bug. ***