Bug 1637785 - [Bug] Blocking registry in crio.conf
Summary: [Bug] Blocking registry in crio.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Mrunal Patel
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks: 1186913
Reported: 2018-10-10 06:02 UTC by Selim Jahangir
Modified: 2019-06-04 10:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:40:48 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:40:56 UTC

Description Selim Jahangir 2018-10-10 06:02:46 UTC
Description of problem:
Client wanted to block a registry via /etc/crio/crio.conf in OpenShift 3.10, but there is no option available.

Version-Release number of selected component (if applicable):

cri-o-1.10.6-1.rhaos3.10.git56d7d9a.el7.x86_64

How reproducible:


Steps to Reproduce:
1. install cri-o 
2. cat /etc/crio/crio.conf
[crio.image]

insecure_registries = [
""
]

registries = [
"registry.access.redhat.com"
]


3. used /etc/containers/registries.conf

# Docker only
[registries.block]
registries = ['github.com','docker.io']
            
4. crictl pull docker.io/busybox 

Actual results:
- The busybox image was downloaded successfully

Expected results:
- Should fail to pull images from docker.io as it was blocked via /etc/containers/registries.conf

Additional info:

Comment 1 Antonio Murdaca 2019-01-21 15:38:24 UTC
work here https://github.com/kubernetes-sigs/cri-o/pull/2028

Comment 2 Mrunal Patel 2019-02-19 22:20:13 UTC
Fix has been merged and will be available in crio 1.12.6

Comment 3 Mrunal Patel 2019-02-20 20:22:26 UTC
This is fixed in cri-o 1.12.6.

Comment 5 weiwei jiang 2019-02-21 07:57:43 UTC
Verified on 
[core@ip-10-0-7-99 ~]$ cat /etc/os-release
NAME="Red Hat CoreOS"
VERSION="4.0"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION_ID="4.0"
PRETTY_NAME="Red Hat CoreOS 4.0"
ANSI_COLOR="0;31"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat 7"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.0"
REDHAT_SUPPORT_PRODUCT="Red Hat"
REDHAT_SUPPORT_PRODUCT_VERSION="4.0"
OSTREE_VERSION=47.326
[core@ip-10-0-7-99 ~]$ rpm -qa|grep -i cri-o
cri-o-1.12.6-1.rhaos4.0.git2f0cb0d.el7.x86_64


with following steps:
[core@ip-10-0-7-99 ~]$ cat /etc/containers/registries.conf | grep -v ^$ |grep -v ^#
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
[registries.insecure]
registries = []
[registries.block]
registries = []
[core@ip-10-0-7-99 ~]$ sudo crictl pull docker.io/busybox
Image is up to date for docker.io/library/busybox@sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e
[core@ip-10-0-7-99 ~]$ sudo crictl images
IMAGE                       TAG                 IMAGE ID            SIZE
docker.io/library/busybox   latest              d8233ab899d41       1.42MB

[core@ip-10-0-7-99 ~]$ cat /etc/containers/registries.conf | grep -v ^$ |grep -v ^#
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
[registries.insecure]
registries = []
[registries.block]
registries = ['docker.io']
[core@ip-10-0-7-99 ~]$ sudo crictl pull docker.io/busybox
FATA[0000] pulling image failed: rpc error: code = Unknown desc = cannot use "docker.io/busybox" because it's blocked

Comment 8 errata-xmlrpc 2019-06-04 10:40:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

