Bug 2102230 - Need to add rhcos.mirror.openshift.com to firewall docs
Summary: Need to add rhcos.mirror.openshift.com to firewall docs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.12.0
Assignee: Jesse Dohmann
QA Contact: Xiaoli Tian
Latha S
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-06-29 13:52 UTC by Scott Dodson
Modified: 2022-09-08 22:57 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2102228
Environment:
Last Closed: 2022-09-08 22:57:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Scott Dodson 2022-06-29 13:52:05 UTC 
The page here needs to have rhcos.mirror.openshift.com added, duplicate the entry at the top for "Provides Red Hat Enterprise Linux CoreOS (RHCOS) images" with this hostname. Do not remove the current hostname for now, it can likely be removed for 4.12.

+++ This bug was initially created as a clone of Bug #2102228 +++

Copied from ane mail Yuxiang sent to aos-devel

The RHCOS redirector [1] is hosted on the ART OSD cluster. It redirects file download requests to a regional S3 bucket. Disruptions to this service can block OpenShift installations because references to the redirector hostname are baked into the OpenShift installer [2]. This service and its location creates unnecessary risk for ART and gives prodsec yet another service to have to worry about. To eliminate this kind of risk, ART has set up a CloudFront CDN distribution [3] to provide RHCOS image downloads at https://rhcos.mirror.openshift.com. With this new CloudFront distribution, we can get very reliable, fast, and cheap world-wide distribution for the files.

To move to the CloudFront distribution, we need to get all references to the redirector hostname (rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com) replaced with the CDN distribution hostname (rhcos.mirror.openshift.com). e.g. https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/rhcos-4.11-aarch64/411.85.202205040359-0/aarch64/rhcos-411.85.202205040359-0-aws.aarch64.vmdk.gz ==> https://rhcos.mirror.openshift.com/art/storage/releases/rhcos-4.11-aarch64/411.85.202205040359-0/aarch64/rhcos-411.85.202205040359-0-aws.aarch64.vmdk.gz.

We should backport this change to 4.8.
Comment 1 Timothée Ravier 2022-07-20 15:46:05 UTC 
We've made the hostname change for 4.11 in https://github.com/openshift/installer/pull/6130 so we are going to need the docs update for 4.11 here: https://bugzilla.redhat.com/show_bug.cgi?id=2102228

It should be mostly https://docs.openshift.com/container-platform/4.10/installing/install_config/configuring-firewall.html

Other releases have not been updated yet.
Comment 2 Jesse Dohmann 2022-07-27 14:34:33 UTC 
4.11 PR has been merged: https://github.com/openshift/openshift-docs/pull/48037

4.10 PR is in progress: https://github.com/openshift/openshift-docs/pull/48134

the other backports will come when installer PRs land

@sdodson can you confirm that the first table of registry URLs is the only one that needs updating? Or are there other tables on this page that need to be updated with this new redirector URL?
Comment 3 Scott Dodson 2022-07-27 15:17:14 UTC 
@jdohmann that's fine
Comment 4 Scott Dodson 2022-07-27 15:18:12 UTC 
@jdohmann Actually, given that some 4.10.z will use the old hostname and some will use the new hostname we should list both of them in all versions older than 4.11.
Comment 5 Jesse Dohmann 2022-09-08 22:57:19 UTC 
These are all live now except for 4.6, so I am going to close this ticket. If there is more to be done please open a JIRA ticket in the OCPBUGS project. Thanks all!
Note You need to log in before you can comment on or make changes to this bug.