New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: authenticated registry support for containerized hosts #5359
Fix: authenticated registry support for containerized hosts #5359
Conversation
aos-ci-test |
[test] |
I have not tested this locally yet, and I don't think it will be tested by current CI. I am going to try to test this today. |
@@ -2,6 +2,21 @@ | |||
- set_fact: | |||
l_use_crio: "{{ openshift_use_crio | default(false) }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this move to the defaults/main.yml
.
Probably should happen in another PR.
This is not quite working according to my testing, please don't merge yet. |
Currently, openshift-anisble supports authentication to container registries to pull down openshift container images. The openshift_verison role uses the docker cli to gather image information from container registries before authentication credentials are provided by openshift-ansible. This commit creates the necessary token to authenticate to private registries during openshift_version. The token is generated by the role 'docker' on all hosts where docker is installed/configured when oreg_auth_users is defined. This commit also adds a read-only mount into the openshift master and node container services. This mount is '/var/lib/origin/.docker:/root/.docker:ro'. This is because the container images do not currently read the values in '/var/lib/origin/.docker' as this may be a bug upstream. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
db30a2e
3e9533d
to
db30a2e
Compare
Evaluated for openshift ansible test up to db30a2e |
This patch is now tested as working with RHEL Atomic Host 7.x with the following variables: oreg_auth_user: <my user>
oreg_auth_password: <my password>
oreg_url: private.<my domain>.com:443/openshift3/ose-${component}:latest
openshift_docker_additional_registries: 'private.<my domain>.com:443'
openshift_examples_modify_imagestreams: True
openshift_deployment_type: openshift-enterprise
openshift_release: v3.7
openshift_image_tag: v3.7.0-0.125.0.0
deployment_type: openshift-enterprise Tested using v3.7 to force usage of staging server to ensure we're only pulling from there and not normal registry. |
when: oreg_auth_user is defined | ||
register: docker_cli_auth_credentials_stat | ||
|
||
- name: Create credentials for docker cli registry auth |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to create these credentials in /root/.docker/config.json to enable openshift_version to pull down the base container image. Additionally, having this populated on each container host is necessary for those hosts to pull down containers to themselves.
register: master_oreg_auth_credentials_stat | ||
|
||
# Container images may need the registry credentials | ||
- name: Setup ro mount of /root/.docker for containerized hosts |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to bind this directory into the container so the container can pull images. This may not be necessary on the master container services, I am not sure. Previous details indicated we need these credentials on both masters and nodes.
What we're doing here: Binding /var/lib/origin/.docker to /root/.docker.
@@ -11,7 +11,17 @@ PartOf={{ openshift.docker.service_name }}.service | |||
EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers | |||
Environment=GOTRACEBACK=crash | |||
ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master-controllers | |||
ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master-controllers --env-file=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers -v {{ r_openshift_master_data_dir }}:{{ r_openshift_master_data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {% if openshift_cloudprovider_kind | default('') != '' -%} -v {{ openshift.common.config_base }}/cloudprovider:{{ openshift.common.config_base}}/cloudprovider {% endif -%} -v /etc/pki:/etc/pki:ro {{ openshift.master.master_image }}:${IMAGE_VERSION} start master controllers --config=${CONFIG_FILE} $OPTIONS | |||
ExecStart=/usr/bin/docker run --rm --privileged --net=host \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
systemd service files support line returns just like bash. This is much nicer and in the future will make for easier code reviews.
-v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} \ | ||
{% if openshift_cloudprovider_kind | default('') != '' -%} -v {{ openshift.common.config_base }}/cloudprovider:{{ openshift.common.config_base}}/cloudprovider {% endif -%} \ | ||
-v /etc/pki:/etc/pki:ro \ | ||
{% if l_bind_docker_reg_auth %} -v {{ oreg_auth_credentials_path }}:/root/.docker:ro{% endif %}\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is where we potentially bind our credentials to /root/.docker
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible/645/) (Base Commit: 33d254a) (PR Branch Commit: db30a2e) |
aos-ci-test |
docker_cli_auth_config_path: '/root/.docker' | ||
|
||
oreg_url: '' | ||
oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the future we should update this to use urlsplit
[merge] |
We need backports for the other releases that you backported the original PR to, right? |
@sdodson |
Evaluated for openshift ansible merge up to db30a2e |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/1027/) (Base Commit: 665c5c2) (PR Branch Commit: db30a2e) |
We should backport this PR to all the branches that got your original work since QE is considering this change as necessary to close out bug 1316341 which would be all the way back to release-1.4 |
@sdodson as soon as this merges, I'll cherry pick to back port. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Currently, openshift-anisble supports authentication to
container registries to pull down openshift container images.
The openshift_verison role uses the docker cli to gather
image information from container registries before authentication
credentials are provided by openshift-ansible.
This commit creates the necessary token to authenticate to
private registries during openshift_version.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341