Bug 1461465 - Don't add Red Hat registry when registry list explicitly specified or all are blocked
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.8.0
Assigned To: Scott Dodson
QA Contact: Johnny Liu
Keywords: Reopened, UpcomingRelease
Blocks: 1480195
 
Reported: 2017-06-14 09:42 EDT by David Sundqvist
Modified: 2017-10-18 13:30 EDT
Last Closed: 2017-08-24 16:48:27 EDT
Type: Bug
Description David Sundqvist 2017-06-14 09:42:07 EDT
Description of problem:
When using the openshift_docker_additional_registries= variable in the installer, registry.access.redhat.com will be added despite additional registries being specified.

And when using the openshift_docker_blocked_registries=all option, then it will still be added. Which means that even if all registries not explicitly listed are intended to be blacklisted, the installer will whitelist registry.access.redhat.com.


Version-Release number of selected component (if applicable):
3.4.1

How reproducible:
always

Steps to Reproduce:
1. Add appropriate local registries in openshift_docker_additional_registries= to ansible hosts file for the installer
2. Add openshift_docker_blocked_registries=all to the hosts file
3. Run installer

Actual results:
There will be a --add-registry registry.access.redhat.com in the /etc/sysconfig/docker config file

Expected results:
No extra registry besides the ones specified in openshift_docker_additional_registries variable

Additional info:
While I understand the rationale for adding the enterprise registry if there are no other registries explicitly specified, I think it may be least-surprising to omit it once there are others added. But at the very least it should not get added when there's a block of =all.
Comment 1 Marko Myllynen 2017-06-19 03:28:38 EDT
This looks like a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1419497.
Comment 2 David Sundqvist 2017-06-19 07:37:57 EDT
(In reply to Marko Myllynen from comment #1)
> This looks like a dupe of
> https://bugzilla.redhat.com/show_bug.cgi?id=1419497.

Close enough, same fundamental cause. The most significant problem here is that it's added and gets white listed despite the openshift_docker_blocked_registries=all directive which could be expected to disable it. But resolving 1419497 by simply not adding it any more would also resolve this issue. Maybe the severity on 1419597 should be raised?

It's not only cosmetic - I set it as low due to working around it by cleaning it out in post-install, but as leaving the configured entry in would potentially enable pulling of images in violation of both intent and possible organisational policy, it's not completely benign.
Comment 4 Brenton Leanhardt 2017-08-28 10:05:02 EDT
Reopening after further discussion about Bug #1480195.
Comment 5 David Sundqvist 2017-10-17 09:01:03 EDT
Noted a further issue.

Once you update to 7.4 you also get atomic-registries-1.18.1-3.1.git0705b1b.el7.x86_64 which seems to make the registries.service add registry.access.redhat.com as well, which might further compound the issue as it will get added again DESPITE having stripped it out, blocked all, etc. from the docker sysconfig file.
Comment 6 Michael Gugino 2017-10-17 09:59:31 EDT
You can now set

openshift_docker_ent_reg=''

And the enterprise registry will not be added to the docker registries.
Comment 7 David Sundqvist 2017-10-17 10:07:04 EDT
(In reply to Michael Gugino from comment #6)

> And the enterprise registry will not be added to the docker registries.

Marvellous, thanks, looking forward to using that!
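
A post-install check for the condition reported in this bug, as an added example that is not part of the bug thread or of openshift-ansible: it parses the registry flags in /etc/sysconfig/docker and reports any --add-registry entry outside an allow-list, plus whether "all" is blocked. The variable names in the sample (ADD_REGISTRY, BLOCK_REGISTRY), the --block-registry flag spelling and the registry.internal.example host are assumptions; the sample content is constructed.

```python
import shlex
import sys

FLAGS = {"--add-registry": "added", "--block-registry": "blocked"}

# Constructed sample of /etc/sysconfig/docker content (not from a real host);
# registry.internal.example:5000 is a made-up local registry.
SAMPLE = """\
OPTIONS='--selinux-enabled --log-driver=journald'
ADD_REGISTRY='--add-registry registry.internal.example:5000 --add-registry registry.access.redhat.com'
BLOCK_REGISTRY='--block-registry all'
"""

def parse_registry_flags(text):
    """Collect --add-registry / --block-registry arguments from every VAR=... line."""
    found = {"added": [], "blocked": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        value = line.partition("=")[2]
        try:
            # Undo the shell quoting, then split the flag string into words.
            words = " ".join(shlex.split(value, comments=True)).split()
        except ValueError:  # unbalanced quote: fall back to a plain split
            words = value.replace("'", " ").replace('"', " ").split()
        it = iter(words)
        for word in it:
            flag, sep, arg = word.partition("=")
            if flag in FLAGS:
                # Accept both "--add-registry host" and "--add-registry=host".
                registry = arg if sep else next(it, "")
                if registry:
                    found[FLAGS[flag]].append(registry.lower())
    return found["added"], found["blocked"]

def audit(text, allowed):
    """Report registries added outside the allow-list and whether 'all' is blocked."""
    added, blocked = parse_registry_flags(text)
    allowed = {r.lower() for r in allowed}
    return {"unexpected": [r for r in added if r not in allowed],
            "block_all": "all" in blocked}

if __name__ == "__main__":
    # usage: script.py /etc/sysconfig/docker allowed-registry [...]
    with open(sys.argv[1]) as fh:
        report = audit(fh.read(), sys.argv[2:])
    print(report)
    sys.exit(1 if report["unexpected"] or not report["block_all"] else 0)
```

This covers only the docker sysconfig file; it does not see a registry added by another service, such as the registries.service behaviour described in comment 5.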
