Fix: authenticated registry support for containerized hosts #5359
Conversation
openshift-ci-robot
added
the
size/S
michaelgugino
requested review from
sdodson,
abutcher,
kwoodson and
mtnbikenc
|
aos-ci-test |
|
[test] |
|
I have not tested this locally yet, and I don't think it will be tested by current CI. I am going to try to test this today. |
| @@ -2,6 +2,21 @@ | |||
| - set_fact: | |||
| l_use_crio: "{{ openshift_use_crio | default(false) }}" | |||
There was a problem hiding this comment.
Shouldn't this move to the defaults/main.yml.
Probably should happen in another PR.
|
This is not quite working according to my testing, please don't merge yet. |
Currently, openshift-anisble supports authentication to container registries to pull down openshift container images. The openshift_verison role uses the docker cli to gather image information from container registries before authentication credentials are provided by openshift-ansible. This commit creates the necessary token to authenticate to private registries during openshift_version. The token is generated by the role 'docker' on all hosts where docker is installed/configured when oreg_auth_users is defined. This commit also adds a read-only mount into the openshift master and node container services. This mount is '/var/lib/origin/.docker:/root/.docker:ro'. This is because the container images do not currently read the values in '/var/lib/origin/.docker' as this may be a bug upstream. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
michaelgugino
dismissed stale reviews from kwoodson and sdodson
via
db30a2e
michaelgugino
force-pushed
the
version-docker-auth-config
branch
from
3e9533d
to
db30a2e
Compare
openshift-ci-robot
added
size/L
|
Evaluated for openshift ansible test up to db30a2e |
|
This patch is now tested as working with RHEL Atomic Host 7.x with the following variables: oreg_auth_user: <my user>
oreg_auth_password: <my password>
oreg_url: private.<my domain>.com:443/openshift3/ose-${component}:latest
openshift_docker_additional_registries: 'private.<my domain>.com:443'
openshift_examples_modify_imagestreams: True
openshift_deployment_type: openshift-enterprise
openshift_release: v3.7
openshift_image_tag: v3.7.0-0.125.0.0
deployment_type: openshift-enterpriseTested using v3.7 to force usage of staging server to ensure we're only pulling from there and not normal registry. |
| when: oreg_auth_user is defined | ||
| register: docker_cli_auth_credentials_stat | ||
|
|
||
| - name: Create credentials for docker cli registry auth |
There was a problem hiding this comment.
We need to create these credentials in /root/.docker/config.json to enable openshift_version to pull down the base container image. Additionally, having this populated on each container host is necessary for those hosts to pull down containers to themselves.
| register: master_oreg_auth_credentials_stat | ||
|
|
||
| # Container images may need the registry credentials | ||
| - name: Setup ro mount of /root/.docker for containerized hosts |
There was a problem hiding this comment.
We need to bind this directory into the container so the container can pull images. This may not be necessary on the master container services, I am not sure. Previous details indicated we need these credentials on both masters and nodes.
What we're doing here: Binding /var/lib/origin/.docker to /root/.docker.
| @@ -11,7 +11,17 @@ PartOf={{ openshift.docker.service_name }}.service | |||
| EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers | |||
| Environment=GOTRACEBACK=crash | |||
| ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master-controllers | |||
| ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master-controllers --env-file=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers -v {{ r_openshift_master_data_dir }}:{{ r_openshift_master_data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {% if openshift_cloudprovider_kind | default('') != '' -%} -v {{ openshift.common.config_base }}/cloudprovider:{{ openshift.common.config_base}}/cloudprovider {% endif -%} -v /etc/pki:/etc/pki:ro {{ openshift.master.master_image }}:${IMAGE_VERSION} start master controllers --config=${CONFIG_FILE} $OPTIONS | |||
| ExecStart=/usr/bin/docker run --rm --privileged --net=host \ | |||
There was a problem hiding this comment.
systemd service files support line returns just like bash. This is much nicer and in the future will make for easier code reviews.
| -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} \ | ||
| {% if openshift_cloudprovider_kind | default('') != '' -%} -v {{ openshift.common.config_base }}/cloudprovider:{{ openshift.common.config_base}}/cloudprovider {% endif -%} \ | ||
| -v /etc/pki:/etc/pki:ro \ | ||
| {% if l_bind_docker_reg_auth %} -v {{ oreg_auth_credentials_path }}:/root/.docker:ro{% endif %}\ |
There was a problem hiding this comment.
Here is where we potentially bind our credentials to /root/.docker
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible/645/) (Base Commit: 33d254a) (PR Branch Commit: db30a2e) |
|
aos-ci-test |
| docker_cli_auth_config_path: '/root/.docker' | ||
|
|
||
| oreg_url: '' | ||
| oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}" |
There was a problem hiding this comment.
In the future we should update this to use urlsplit
|
[merge] |
|
We need backports for the other releases that you backported the original PR to, right? |
|
@sdodson |
|
Evaluated for openshift ansible merge up to db30a2e |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/1027/) (Base Commit: 665c5c2) (PR Branch Commit: db30a2e) |
We should backport this PR to all the branches that got your original work since QE is considering this change as necessary to close out bug 1316341 which would be all the way back to release-1.4 |
|
@sdodson as soon as this merges, I'll cherry pick to back port. |
Currently, openshift-anisble supports authentication to
container registries to pull down openshift container images.
The openshift_verison role uses the docker cli to gather
image information from container registries before authentication
credentials are provided by openshift-ansible.
This commit creates the necessary token to authenticate to
private registries during openshift_version.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341