Bug 1646975
| Summary: | OpenShift 3.9 docker-client should not need to have direct access to openstack-api url to allow pushing images to registry (swift storage) | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Christian Stark <cstark> |
| Component: | Image Registry | Assignee: | Ben Parees <bparees> |
| Status: | CLOSED NOTABUG | QA Contact: | Wenjing Zheng <wzheng> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.9.0 | CC: | agladkov, aos-bugs, obulatov |
| Target Milestone: | --- | ||
| Target Release: | 3.9.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-11-07 15:13:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I assume this is a result of the content redirect feature, which you should be able to disable in the registry:
https://docs.docker.com/registry/configuration/#redirect

It looks like you can disable it by customizing the registry configuration as described in the storage section here:
https://docs.okd.io/latest/install_config/registry/extended_registry_configuration.html#docker-registry-configuration-reference-storage

or you can disable TempURLs on the swift server.
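
The redirect setting referenced in the comment above, shown as an added configuration fragment (not part of the original bug report or the product documentation). The Swift connection values are placeholders; only the `redirect` key is the setting under discussion.

```yaml
# Added example: docker/distribution registry configuration fragment.
# Values in angle brackets are placeholders, not taken from this bug.
version: 0.1
storage:
  swift:
    authurl: <keystone-auth-url>
    username: <swift-user>
    password: <swift-password>
    container: <registry-container>
  # Content redirect: for storage backends that support it, the registry
  # answers content requests with a redirect to a URL on the backend
  # (for Swift, a TempURL), and the client then connects to the backend
  # directly. With "disable: true" all data is routed through the
  # registry, so clients only need network access to the registry itself.
  redirect:
    disable: true
```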
Description of problem:

If you see the following docker push, it is failing because the docker-client does not have direct access to the openstack-api url:

```
[cloud-user@machine-bastion-ocp39 ~]$ sudo docker tag 524931f2aa84 ${OC_REGISTRY}/${OC_PROJECT}/customer-mongodb-base-backup-5:latest
[cloud-user@machine-bastion-ocp39 ~]$ sudo docker push ${OC_REGISTRY}/${OC_PROJECT}/customer-mongodb-base-backup-5:latest
The push refers to a repository [docker-registry-default.user-00-mp-dev.customergroup.net:443/user-test/customer-mongodb-base-backup-5]
411dddedf759: Preparing
411dddedf759: Pushing 3.072 kB
d8fac45b1e39: Pushing [==================================================>] 10.24 kB
ffa09d5f4cdd: Pushing [==================================================>] 3.584 kB
8f174b4109bb: Pushing [==================================================>] 3.072 kB
f1a76905cc88: Waiting
3089daecff6f: Waiting
273d61014330: Waiting
1afb15ed6241: Waiting
dial tcp 10.246.48.254:8080: getsockopt: connection refused
[cloud-user@machine-bastion-ocp39 ~]$
[cloud-user@machine-bastion-ocp39 ~]$
[cloud-user@machine-bastion-ocp39 ~]$ host 10.246.48.254
254.98.248.10.in-addr.arpa domain name pointer opencloud-eg-test-3.customergroup.net.
[cloud-user@machine-bastion-ocp39 ~]$
```

The same push will work if access to 10.246.48.254:8080 is granted.

We don't see any relevant option to change this:
https://github.com/docker/distribution/blob/master/registry/storage/driver/swift/swift.go#L62-L84
https://github.com/ncw/swift/blob/master/auth.go#L32-L43

Version-Release number of selected component (if applicable):
OpenShift 3.9

How reproducible:
only in customer env, tcpdumps will be attached

Expected results:
should not connect directly to the swift backend; this is something the customer does not want to allow