Description of problem: Undercloud deployment with containers from authenticated remote registry fails with unable to retrieve auth token: invalid username/password . containers-prepare-parameter.yaml: parameter_defaults: ContainerImagePrepare: - set: ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8 ceph_namespace: $namespace ceph_tag: latest name_prefix: default_organization-osp15_containers- name_suffix: '' namespace: $namespace neutron_driver: ovn tag: 15.0 tag_from_label: '{version}-{release}' excludes: [ceph] - push_destination: true set: ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8 ceph_namespace: $namespace ceph_tag: latest includes: [ceph] ContainerImageRegistryCredentials: $namespace: admin: changeme Version-Release number of selected component (if applicable): openstack-tripleo-common-10.7.1-0.20190525000410.71c099f.el8ost.noarch python3-tripleo-common-10.7.1-0.20190525000410.71c099f.el8ost.noarch openstack-tripleo-common-containers-10.7.1-0.20190525000410.71c099f.el8ost.noarch How reproducible: 100% Steps to Reproduce: 1. Deploy undercloud with container images pulled from a remote authenticated registry(without using --local-push-destination option) Actual results: Deployment fails with invalid username/password errors. Expected results: Credentials specified in containers-prepare-parameter.yaml are used and deployment succeeds. Additional info: Attaching full log.
For now it is required that push_destination:true is set for every entry when the registry needs authentication. We have lots of different tooling calling podman pull on the nodes (paunch, container-puppet.py, pacemaker, etc) so it will be a bit of work to ensure that "podman login" is called in every case. The following should work, and I'd strongly encourage push_destination:true to be used whenever possible. containers-prepare-parameter.yaml: parameter_defaults: ContainerImagePrepare: - push_destination: true set: ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8 ceph_namespace: $namespace ceph_tag: latest name_prefix: default_organization-osp15_containers- name_suffix: '' namespace: $namespace neutron_driver: ovn tag: 15.0 tag_from_label: '{version}-{release}' excludes: [ceph] - push_destination: true set: ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8 ceph_namespace: $namespace ceph_tag: latest includes: [ceph] ContainerImageRegistryCredentials: $namespace: admin: changeme
This one is still work in progress. We had to revert a backport in THT, https://review.opendev.org/#/c/669575/, because of a bug with the task: https://bugs.launchpad.net/tripleo/+bug/1835657.
Deployed UC using: parameter_defaults: NeutronMechanismDrivers: ovn ContainerImagePrepare: - set: name_prefix: openstack- namespace: registry.redhat.io/rhosp15-rhel8 tag: latest ContainerImageRegistryLogin: true ContainerImageRegistryCredentials: registry.redhat.io: user : 'pass'
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text. If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0643
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days