1751809 – authenticated registries to pull ceph images may fail if overcloud pulls image directly from registry and doesn't use intermediate registry like undercloud

Bug 1751809 - authenticated registries to pull ceph images may fail if overcloud pulls image directly from registry and doesn't use intermediate registry like undercloud

Summary: authenticated registries to pull ceph images may fail if overcloud pulls imag...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	15.0 (Stein)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	z2
Target Release:	15.0 (Stein)
Assignee:	Francesco Pantano
QA Contact:	Yogev Rabl
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-09-12 15:45 UTC by John Fulton
Modified:	2020-03-05 12:00 UTC (History)
CC List:	12 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-10.6.2-0.20191202200455.41d9f8a.el8ost
Doc Type:	Enhancement
Doc Text:	With this update, the credentials that you supply in the `ContainerImageRegistryCredentials` parameter pass to ceph-ansible automatically if the registry name matches the registry name in the `ceph_namespace` parameter.
Clone Of:
Environment:
Last Closed:	2020-03-05 12:00:13 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	682015	'None'	MERGED	Allow using registry authentication to pull ceph related containers	2020-04-14 16:59:48 UTC
OpenStack gerrit	687940	'None'	MERGED	Allow using registry authentication to pull ceph related containers	2020-04-14 16:59:48 UTC
Red Hat Product Errata	RHBA-2020:0643	None	None	None	2020-03-05 12:00:34 UTC

Description John Fulton 2019-09-12 15:45:44 UTC

As described in docbug 1723969, customers can use ContainerImageRegistryCredentials to have their undercloud authenticate to access containers used in the overcloud. This results the ceph container being download to the undercloud and then during overcloud deployment the overcloud may pull that container without authentication. However, if the customer chooses not to pull the containers to the undercloud first and instead have the overcloud directly pull the container during deployment the openstack containers will download without a problem but during the ceph container download they might hit bug 1748859 or 1748911. This should be addressed by the following ceph-ansible PR:

 https://github.com/ceph/ceph-ansible/pull/4444/files

This is bug tracks updating TripleO so that if ContainerImageRegistryCredentials is set, then it passes the appropriate overrides to the parameters introduced in the above PR. It should result in ceph-ansible being able to use those paramters to authenticate and then directly pull the ceph container.

Comment 5 John Fulton 2019-10-31 12:40:38 UTC

What version of ceph-ansible should be used with what version of of tht to not hit this problem anymore?

Comment 10 errata-xmlrpc 2020-03-05 12:00:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0643

Note You need to log in before you can comment on or make changes to this bug.