Bug 1703866
| Summary: | Add support for pulling container images from registries that require authentication | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | PURANDHAR SAIRAM MANNIDI <pmannidi> | |
| Component: | openstack-tripleo-heat-templates | Assignee: | Alex Schultz <aschultz> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Sasha Smolyak <ssmolyak> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 13.0 (Queens) | CC: | aschultz, dbecker, emacchi, jappleii, jhajyahy, mburns, mburrows, mcornea, morazi, mparkins, pnguyen, sandyada, sasha, sbaker, slinaber | |
| Target Milestone: | --- | Keywords: | TestOnly, Triaged, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | puppet-tripleo-8.4.1-25.el7ost openstack-tripleo-heat-templates-8.3.1-80.el7ost | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 1670419 | |||
| : | 1750446 (view as bug list) | Environment: | ||
| Last Closed: | 2019-10-08 10:49:25 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1670419 | |||
| Bug Blocks: | 1750446 | |||
|
Comment 2
Alex Schultz
2019-05-06 20:19:46 UTC
The authentication support which has been added cannot be backported because it is podman specific and podman support was only added in OSP-15. For OSP-13, it should be possible to make the required "docker login" calls before running "openstack overcloud container image prepare --push-destination=192.168.24.1:8787 ...". Other than the extra docker login calls, the flow should be the same as the documentation[1] [1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/configuring-a-container-image-source For the record, I've seen docker login added to a PreConfig task to have it occur prior to the deployment for the overcloud nodes. Perhaps we might need to provide a basic template for this. (In reply to Alex Schultz from comment #5) > For the record, I've seen docker login added to a PreConfig task to have it > occur prior to the deployment for the overcloud nodes. Perhaps we might need > to provide a basic template for this. That is another option which could be considered. However it might be easier for the customer to only require docker login on the undercloud before the container prepare, because from that point on the images are served from the undercloud registry where auth isn't required for the overcloud nodes. Yes that would be much easier to just have the user use docker login and sync to the undercloud. To test, you can enable authentication on the undercloud after you follow the procedure to use the undercloud as a registry. https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/configuring-a-container-image-source#Configuring-Registry_Details-Local Enable auth configuration for docker-distribution: cat <<EOF | sudo tee -a /etc/docker-distribution/registry/config.yml auth: htpasswd: realm: basic-realm path: /etc/docker-distribution/auth EOF sudo htpasswd -Bbc /etc/docker-distribution/auth admin admin sudo systemctl restart docker-distribution Then enable login via parameter_default: cat > ~/container-login.yaml <<EOF parameter_defaults: ContainerImageRegistryLogin: true ContainerImageRegistryCredentials: '192.168.24.1:8787': admin: admin EOF According to our records, this should be resolved by puppet-tripleo-8.4.1-27.el7ost. This build is available now. According to our records, this should be resolved by openstack-tripleo-heat-templates-8.3.1-87.el7ost. This build is available now. Verified on 13 -p 2019-10-01.1 |