This looks like a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1419497.

(In reply to Marko Myllynen from comment #1)
> This looks like a dupe of
> https://bugzilla.redhat.com/show_bug.cgi?id=1419497.

Close enough, same fundamental cause. The most significant problem here is that it's added and gets white listed despite the openshift_docker_blocked_registries=all directive which could be expected to disable it. But resolving 1419497 by simply not adding it any more would also resolve this issue. Maybe the severity on 1419597 should be raised?

It's not only cosmetic - I set it as low due to working around it by cleaning it out in post-install, but as leaving the configured entry it in would potentially enable pulling of images in violation of both intent and possible organisational policy, it's not completely benign.

Reopening after further discussion about Bug #1480195.

Noted a further issue.

Once you update to 7.4 you also get atomic-registries-1.18.1-3.1.git0705b1b.el7.x86_64 which seems to make the registries.service add registry.access.redhat.com as well, which might futher compound the issue as it will get added again DESPITE having stripped it out, blocked all, etc from the docker sysconfig file.

You can now set

openshift_docker_ent_reg=''

And the enterprise registry will not be added to the docker registries.

(In reply to Michael Gugino from comment #6)

> And the enterprise registry will not be added to the docker registries.

Marvellous, thanks, looking forward to using that!

Verified this bug with openshift-ansible-3.9.0-0.34.0.git.0.c7d9585.el7.noarch, and PASS.

Setting the following options in inventory file:
oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}
openshift_docker_additional_registries=registry.reg-aws.openshift.com:443
openshift_docker_blocked_registries=all
openshift_docker_ent_reg=''

registry.access.redhat.com would not be added into /etc/sysconfig/docker when openshift_docker_ent_reg=''.
 
# cat /etc/sysconfig/docker
<--snip-->
ADD_REGISTRY='--add-registry registry.reg-aws.openshift.com:443'
BLOCK_REGISTRY='--block-registry all'
<--snip-->


But just like what is mentioned in comment 5, if user update to 7.4, get a latest atomic-registries, which will install /etc/containers/registries.conf, in which registry.access.redhat.com is existing as a default value, it is also respected by docker, that would lead user still is able to pull image from registry.access.redhat.com.

# cat /etc/containers/registries.conf
<--snip-->
[registries.search]
registries = ['registry.access.redhat.com']
<--snip-->

# rpm -qf /etc/containers/registries.conf
atomic-registries-1.20.1-9.git436cf5d.el7.x86_64

If user is in this case, have to set openshift_docker_ent_reg="" and  openshift_docker_use_etc_containers=true in inventory host file, that would make sure no registry.access.redhat.com is added into both conf file.


Maybe we would make the installer be more intelligent, but not ask user have to set openshift_docker_use_etc_containers.  Here I would move this bug to verified, if user is not stratified with the fix, pls assign it back.

Fixed in all versions of 3.9 and newer, will not backport.

Fix: https://github.com/openshift/openshift-ansible/pull/6362/files#diff-90877efe325ca457cac9ff7838e909c8R5

*** Bug 1419497 has been marked as a duplicate of this bug. ***