Bug 1646975 - OpenShift 3.9 docker-client should not need to have direct access to openstack-api url to allow pushing images to registry (swift storage)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.9.z
Assignee: Ben Parees
QA Contact: Wenjing Zheng
Reported: 2018-11-06 12:57 UTC by Christian Stark
Modified: 2021-12-10 18:10 UTC (History)
Last Closed: 2018-11-07 15:13:19 UTC

Description Christian Stark 2018-11-06 12:57:25 UTC
Description of problem:

As you can see in the following docker push, it is failing because the docker-client
does not have direct access to the openstack-api URL:

[cloud-user@machine-bastion-ocp39 ~]$ sudo docker tag 524931f2aa84 ${OC_REGISTRY}/${OC_PROJECT}/customer-mongodb-base-backup-5:latest
[cloud-user@machine-bastion-ocp39 ~]$ sudo docker push ${OC_REGISTRY}/${OC_PROJECT}/customer-mongodb-base-backup-5:latest
The push refers to a repository [docker-registry-default.user-00-mp-dev.customergroup.net:443/user-test/customer-mongodb-base-backup-5]
411dddedf759: Preparing
411dddedf759: Pushing 3.072 kB
d8fac45b1e39: Pushing [==================================================>] 10.24 kB
ffa09d5f4cdd: Pushing [==================================================>] 3.584 kB
8f174b4109bb: Pushing [==================================================>] 3.072 kB
f1a76905cc88: Waiting
3089daecff6f: Waiting

273d61014330: Waiting
1afb15ed6241: Waiting
dial tcp 10.246.48.254:8080: getsockopt: connection refused
[cloud-user@machine-bastion-ocp39 ~]$
[cloud-user@machine-bastion-ocp39 ~]$
[cloud-user@machine-bastion-ocp39 ~]$ host 10.246.48.254
254.98.248.10.in-addr.arpa domain name pointer opencloud-eg-test-3.customergroup.net.
[cloud-user@machine-bastion-ocp39 ~]$


The same push will work if access to 10.246.48.254:8080 is granted.


We don't see any relevant option to change this: https://github.com/docker/distribution/blob/master/registry/storage/driver/swift/swift.go#L62-L84
https://github.com/ncw/swift/blob/master/auth.go#L32-L43



Version-Release number of selected component (if applicable):

OpenShift 3.9

How reproducible:

Only in customer env; tcpdumps will be attached.


Expected results:

Should not connect directly to the swift backend;
this is something the customer does not want to allow.

Comment 4 Ben Parees 2018-11-06 14:54:41 UTC
I assume this is a result of the content redirect feature, which you should be able to disable in the registry:

https://docs.docker.com/registry/configuration/#redirect

It looks like you can disable it by customizing the registry configuration as described in the storage section here:
https://docs.okd.io/latest/install_config/registry/extended_registry_configuration.html#docker-registry-configuration-reference-storage
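
The setting Comment 4 points to, shown as an added example (not part of the original comment or of the customer's configuration): the `storage` section of the registry `config.yml` with the Swift driver and content redirect disabled. All Swift values are placeholders; only keys documented in the Docker registry configuration reference are used.

```yaml
# Added example: storage section of the registry config.yml.
# Every value under "swift" is a placeholder, not taken from this bug.
storage:
  swift:
    authurl: https://keystone.example.net:5000/v3   # placeholder Keystone endpoint
    username: registry-user                         # placeholder
    password: CHANGE_ME                             # placeholder
    container: docker-registry                      # placeholder container name

  # Default (redirect enabled) is equivalent to:
  #   redirect:
  #     disable: false
  # With a backend that supports it, the registry may answer blob
  # requests with a redirect to a URL on the storage backend, which
  # the client then has to reach directly.

  # Corrected setting: route all blob data through the registry.
  redirect:
    disable: true
```

With `disable: true` the registry serves blob content itself instead of redirecting the client to the backend, so all image data passes through the registry pods and only they need network access to the Swift API.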

Comment 5 Alexey Gladkov 2018-11-06 15:25:24 UTC
Or you can disable TempURLs on the swift server.

