cephadm: support pulling image with http #42521
making cephadm support pulling images from registries using http instead of https can be a valid scenario when you are using development, ci, or very isolated environments where you don't really want to care about TLS. Same operation could be achieved by editing either `/etc/containers/registries.conf` or `/etc/docker/daemon.json` but it would be definitely more convenient if cephadm could offer this option natively.

Fixes: ceph#51901
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
Can you also add it at the top of https://docs.ceph.com/en/latest/man/8/cephadm/#synopsis with the other general (non-command-specific, e.g. --image, --docker) flags
and give a brief description of what it does here https://docs.ceph.com/en/latest/man/8/cephadm/#options
cmd = [ctx.container_engine.path, 'pull', image] | ||
cmd = [ctx.container_engine.path, 'pull'] | ||
if ctx.skip_tls_pull: | ||
if ctx.docker: |
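Review bot: `image` is removed from the initial `cmd` list, so it now has to be appended after the `if ctx.skip_tls_pull:` block on every path, including when the flag is unset; the lines shown here do not include that append, so please confirm a plain pull still ends with the image name. Since this branch turns off transport security for the pull, it would also help to log a warning naming the image whenever `ctx.skip_tls_pull` is true, so an operator can see from the cephadm log that an image was fetched without TLS.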
if ctx.docker: | |
if isinstance(self.ctx.container_engine, Docker): |
I think the docker flag being checked here only makes us prefer docker over podman. If you have docker installed and don't have podman installed I think it will use docker regardless of whether the docker flag is set, so this check isn't guaranteed to work. Our usual way of checking this is checking if the current container engine instance is a Docker one.
I assume this is only working for local cephadm CLI command like bootstrap or adopt process, right?
Because `--skip-tls-pull` is only used during those steps then new nodes added to the orch won't be aware of this (I might be wrong).
@dsavineau is right about this. @guits if you want a deployment that continually skips using tls throughout the cluster life cycle (e.g. when automatically pulling the image on a newly added host you want ceph daemons on that doesn't have the image locally) you would likely have to add a module option, set the module option during bootstrap if --skip-tls-pull was passed, then modify calls to
parser.add_argument( | ||
'--skip-tls-pull', | ||
action='store_true', | ||
help='do not use tls when pulling image') |
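Review bot: the help text 'do not use tls when pulling image' for `--skip-tls-pull` understates the effect: without TLS the registry is not authenticated and the image is not protected in transit. Suggest saying so in the help string, stating that the option is meant for development or isolated registries, and noting that the default is to use TLS.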
This is unfortunately a bit deceiving to users, as this only works for tiny toy environments. If you want to advertise it in the cephadm CLI, you'll need to make this actually work reliably. I.e. this needs to end up in very similar places as the `container-init` flag.
- It needs to be another MGR module option
- and passed through all `run_cephadm` calls
- and written to all `unit.run` files

As users might remove all images and rely on the systemd unit files to re-pull the images on the hosts
closing this in favor of #42671