cephadm: support pulling image with http #42521
Conversation
making cephadm support pulling images from registries using http instead of https can be a valid scenario when you are using development, ci, or very isolated environments where you don't really want to care about TLS. Same operation could be achieved by editing either `/etc/containers/registries.conf` or `/etc/docker/daemon.json` but it would be definitely more convenient if cephadm could offer this option natively. Fixes: ceph#51901 Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
There was a problem hiding this comment.
Can you also add it at the top of https://docs.ceph.com/en/latest/man/8/cephadm/#synopsis with the other general (non-command-specific, e.g. --image, --docker) flags
and give a brief description of what it does here https://docs.ceph.com/en/latest/man/8/cephadm/#options
| cmd = [ctx.container_engine.path, 'pull', image] | ||
| cmd = [ctx.container_engine.path, 'pull'] | ||
| if ctx.skip_tls_pull: | ||
| if ctx.docker: |
There was a problem hiding this comment.
| if ctx.docker: | |
| if isinstance(self.ctx.container_engine, Docker): |
I think the docker flag being checked here only makes us prefer docker over podman. If you have docker installed and don't have podman installed I think it will use docker regardless of whether the docker flag is set, so this check isn't guaranteed to work. Our usual way of checking this is checking if the current container engine instance is a Docker one.
@dsavineau is right about this. @guits if you want a deployment that continually skips using tls throughout the cluster life cycle (e.g. when automatically pulling the image on a newly added host you want ceph daemons on that doesn't have the image locally) you would likely have to add a module option, set the module option during bootstrap if --skip-tls-pull was passed, then modify calls to |
| parser.add_argument( | ||
| '--skip-tls-pull', | ||
| action='store_true', | ||
| help='do not use tls when pulling image') |
There was a problem hiding this comment.
this is unfortunately a bit deceiving to users, as this only works for tiny toy environments. If you want to advertise it in the cephadm CLI, you'll need to make this actually work reliably. I.e. this needs to end up in very similar places as the container-init flag.
- It needs to be another MGR module option
- and passed though all
run_cephadmcalls - and written to all unit.run files
As users might remove all images and rely on the systemd unit files to re-pull the images on the hosts
|
closing this in favor of #42671 |
making cephadm support pulling image from registry using http instead of
https can be a valid scenario when you are using development, ci, or very isolated
environments where you don't really want to care about TLS.
Same operation could be achieved by editing either
/etc/containers/registries.confor/etc/docker/daemon.jsonbut itwould be definitely more convenient if cephadm could offer this option natively.
Fixes: #51901
Signed-off-by: Guillaume Abrioux gabrioux@redhat.com