Bug 1461465 - Don't add Red Hat registry when registry list explicitly specified or all are blocked
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.9.0
Assignee: Michael Gugino
QA Contact: Johnny Liu
URL:
Whiteboard:
Duplicates: 1419497
Depends On:
Blocks: 1480195 1541226

Reported: 2017-06-14 13:42 UTC by David Sundqvist
Modified: 2018-05-21 18:49 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1541226
Environment:
Last Closed: 2018-05-21 18:49:07 UTC
Target Upstream Version:
Embargoed:

Description David Sundqvist 2017-06-14 13:42:07 UTC
Description of problem:
When using the 
openshift_docker_additional_registries=
variable in the installer, registry.access.redhat.com will be added despite additional registries being specified. 

And when using the 
openshift_docker_blocked_registries=all
option, it will still be added, which means that even if all registries not explicitly listed are intended to be blacklisted, the installer will whitelist registry.access.redhat.com.


Version-Release number of selected component (if applicable):
3.4.1

How reproducible:
always

Steps to Reproduce:
1. Add appropriate local registries in openshift_docker_additional_registries= to ansible hosts file for the installer
2. Add openshift_docker_blocked_registries=all to the hosts file
3. run installer

Actual results:
There will be a --add-registry registry.access.redhat.com in the /etc/sysconfig/docker config file

Expected results:
No extra registry besides the ones specified in openshift_docker_additional_registries variable

Additional info:
While I understand the rationale for adding the enterprise registry if there are no other registries explicitly specified, I think it may be least-surprising to omit it once there are others added. But at the very least it should not get added when there's a block of =all.

Comment 1 Marko Myllynen 2017-06-19 07:28:38 UTC
This looks like a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1419497.

Comment 2 David Sundqvist 2017-06-19 11:37:57 UTC
(In reply to Marko Myllynen from comment #1)
> This looks like a dupe of
> https://bugzilla.redhat.com/show_bug.cgi?id=1419497.

Close enough, same fundamental cause. The most significant problem here is that it's added and gets whitelisted despite the openshift_docker_blocked_registries=all directive, which could be expected to disable it. But resolving 1419497 by simply not adding it any more would also resolve this issue. Maybe the severity on 1419597 should be raised?

It's not only cosmetic - I set it as low due to working around it by cleaning it out in post-install, but as leaving the configured entry in would potentially enable pulling of images in violation of both intent and possible organisational policy, it's not completely benign.

Comment 4 Brenton Leanhardt 2017-08-28 14:05:02 UTC
Reopening after further discussion about Bug #1480195.

Comment 5 David Sundqvist 2017-10-17 13:01:03 UTC
Noted a further issue.

Once you update to 7.4 you also get atomic-registries-1.18.1-3.1.git0705b1b.el7.x86_64, which seems to make the registries.service add registry.access.redhat.com as well, which might further compound the issue as it will get added again DESPITE having stripped it out, blocked all, etc. from the docker sysconfig file.

Comment 6 Michael Gugino 2017-10-17 13:59:31 UTC
You can now set

openshift_docker_ent_reg=''

And the enterprise registry will not be added to the docker registries.

Comment 7 David Sundqvist 2017-10-17 14:07:04 UTC
(In reply to Michael Gugino from comment #6)

> And the enterprise registry will not be added to the docker registries.

Marvellous, thanks, looking forward to using that!

Comment 9 Johnny Liu 2018-01-31 08:19:52 UTC
Verified this bug with openshift-ansible-3.9.0-0.34.0.git.0.c7d9585.el7.noarch, and PASS.

Setting the following options in the inventory file:
oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}
openshift_docker_additional_registries=registry.reg-aws.openshift.com:443
openshift_docker_blocked_registries=all
openshift_docker_ent_reg=''

registry.access.redhat.com would not be added into /etc/sysconfig/docker when openshift_docker_ent_reg=''.
 
# cat /etc/sysconfig/docker
<--snip-->
ADD_REGISTRY='--add-registry registry.reg-aws.openshift.com:443'
BLOCK_REGISTRY='--block-registry all'
<--snip-->


But just like what is mentioned in comment 5, if the user updates to 7.4 and gets the latest atomic-registries, which installs /etc/containers/registries.conf, in which registry.access.redhat.com exists as a default value, it is also respected by docker, which would lead to the user still being able to pull images from registry.access.redhat.com.

# cat /etc/containers/registries.conf
<--snip-->
[registries.search]
registries = ['registry.access.redhat.com']
<--snip-->

# rpm -qf /etc/containers/registries.conf
atomic-registries-1.20.1-9.git436cf5d.el7.x86_64

If the user is in this case, they have to set openshift_docker_ent_reg="" and openshift_docker_use_etc_containers=true in the inventory host file; that would make sure registry.access.redhat.com is not added into either conf file.


Maybe we could make the installer more intelligent, rather than asking the user to set openshift_docker_use_etc_containers. Here I would move this bug to verified; if the user is not satisfied with the fix, please assign it back.
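A post-install check for the situation described in the original report and in comment 9, added here as an example and not part of the bug report or of openshift-ansible: it reads both /etc/sysconfig/docker (ADD_REGISTRY / BLOCK_REGISTRY) and /etc/containers/registries.conf ([registries.search]) and lists every registry docker would still consult that is not on the allow list the operator intended via openshift_docker_additional_registries. The file contents and the allow list below are constructed samples mirroring the snippets in comment 9.

```shell
# Added example (not from the bug report or openshift-ansible): audit the two
# files quoted in Comment 9 and list any registry docker would consult that is
# not on the intended allow list. Sample files below are constructed.

# Registries named by --add-registry in ADD_REGISTRY= of a sysconfig/docker file.
sysconfig_registries() {
    grep -E '^ADD_REGISTRY=' "$1" | sed -e 's/^ADD_REGISTRY=//' -e "s/['\"]//g" |
        tr ' ' '\n' | awk 'prev == "--add-registry" { print } { prev = $0 }'
}

# True when BLOCK_REGISTRY= in a sysconfig/docker file blocks everything else.
sysconfig_blocks_all() {
    grep -E '^BLOCK_REGISTRY=' "$1" | grep -q -- '--block-registry all'
}

# Registries listed under [registries.search] in a registries.conf file.
containers_search_registries() {
    awk '/^\[/ { in_search = ($0 == "[registries.search]") }
         in_search && /^registries *=/ {
             sub(/^registries *= *\[/, ""); sub(/\].*$/, ""); gsub(/[ '\''"]/, "")
             n = split($0, r, ",")
             for (i = 1; i <= n; i++) if (r[i] != "") print r[i]
         }' "$1"
}

# Registries from either file that are missing from the allow list.
# $1 sysconfig/docker, $2 registries.conf, $3 space-separated allowed registries
unexpected_registries() {
    { sysconfig_registries "$1"; containers_search_registries "$2"; } | sort -u |
        while read -r reg; do
            case " $3 " in *" $reg "*) ;; *) echo "$reg" ;; esac
        done
}

# Constructed sample files: the Red Hat registry has slipped into both places.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/docker" <<'EOF'
ADD_REGISTRY='--add-registry registry.reg-aws.openshift.com:443 --add-registry registry.access.redhat.com'
BLOCK_REGISTRY='--block-registry all'
EOF
cat > "$TMP/registries.conf" <<'EOF'
[registries.search]
registries = ['registry.access.redhat.com']
EOF

if sysconfig_blocks_all "$TMP/docker"; then
    echo "block-registry all is set, but these registries are still reachable:"
    unexpected_registries "$TMP/docker" "$TMP/registries.conf" 'registry.reg-aws.openshift.com:443'
fi
```

On a real host, point the functions at /etc/sysconfig/docker and /etc/containers/registries.conf and pass the value of openshift_docker_additional_registries as the allow list; any output means the block-all intent is not enforced by the files as written.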

Comment 11 Michael Gugino 2018-05-21 18:49:07 UTC
Fixed in all versions of 3.9 and newer, will not backport.

Fix: https://github.com/openshift/openshift-ansible/pull/6362/files#diff-90877efe325ca457cac9ff7838e909c8R5

Comment 12 Scott Dodson 2018-05-21 18:49:54 UTC
*** Bug 1419497 has been marked as a duplicate of this bug. ***
