Backup & Restore doesn't work with private registry if it's configured at Ansible bootstrap

Bug #1847521 reported by Angie Wang
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Ovidiu Poncea

Bug Description

Brief Description
-----------------
Backup & restore won't work with private registry if it's configured during Ansible bootstrap.

The related code in backup playbooks doesn't handle it correctly.

e.g.
roles/backup/backup-system/tasks/main.yml
    - block:
      - name: Search for docker registries
        shell: >-
          grep -w registry {{ tempdir.path }}/docker.txt |
          awk '{if ($6=="registry") print $8 ".io: " $10}'
        failed_when: false
        register: docker_registries

      - block:
        - name: Write docker_registries
          lineinfile:
            dest: "{{ override_backup_file }}"
            line: "docker_registries:"

        - name: Write docker_registry to override backup file
          lineinfile:
            dest: "{{ override_backup_file }}"
            line: " {{ item }}"
          with_items: "{{ docker_registries.stdout_lines }}"

        ...

1. The check '$6 == registry' is out of date as the section moved from 'registry' to 'quay-registry', 'k8s-registry', 'docker-registry', 'gcr-registry', 'elastic-registry' in service-parameter
e.g.
[sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-list
| a0d31309-d82b-4544-9051-3e759d19d1c6 |docker|quay-registry|url|tis-lab-registry.cumulus.wrs.com:9001|
| 531f6845-e2ac-40b8-9b92-2fc2f7246ba2 |docker|k8s-registry |url|tis-lab-registry.cumulus.wrs.com:9001|
| 638b4ae9-bd26-4aad-abf5-9d5f861a98ae |docker|docker-registry|url|tis-lab-registry.cumulus.wrs.com:9001|
| e454e062-0839-4c75-95ad-cc8feaecb721 |docker|gcr-registry|url|tis-lab-registry.cumulus.wrs.com:9001|
| a0d32434-d82b-4544-9051-3e759d19d1c6 |docker|elastic-registry|url|tis-lab-registry.cumulus.wrs.com:9001|

2. The format of registry info written into backup file is not right since the format was changed in bootstrap overrides.
e.g.
The new format:
docker_registries:
  docker.io:
    url:
  gcr.io:
    url:
  ...

3. More parameters were added to each registry entry under docker_registries; these need to be handled as well.
e.g.
docker_registries:
  docker.io:
    url:
    type:
    username:
    password:
    additional_overrides:
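
The three points above, combined in an added example (not code from the report or from the StarlingX fix): an awk filter that matches the per-registry sections and emits the nested docker_registries layout. The section-to-key mapping beyond docker.io and gcr.io, the sample rows and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not StarlingX code): turn `system service-parameter-list`
# rows on stdin into the nested docker_registries override block.
registries_to_overrides() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN {
        q = "\047"   # the single-quote character
        # section -> override key; docker.io and gcr.io are shown in the
        # report, the other three keys are assumptions.
        key["docker-registry"]  = "docker.io"
        key["gcr-registry"]     = "gcr.io"
        key["k8s-registry"]     = "k8s.gcr.io"
        key["quay-registry"]    = "quay.io"
        key["elastic-registry"] = "docker.elastic.co"
    }
    NF >= 6 {
        service = trim($3); section = trim($4)
        name = trim($5); value = trim($6)
        # Skip the header, other services and the retired "registry" section.
        if (service != "docker" || !(section in key)) next
        if (!(section in seen)) { seen[section] = 1; order[++n] = section }
        # Single-quote every value so ":" or "#" in a URL or password
        # cannot change the YAML structure; embedded quotes are doubled.
        gsub(q, q q, value)
        params[section] = params[section] "    " name ": " q value q "\n"
    }
    END {
        if (n == 0) exit
        print "docker_registries:"
        for (i = 1; i <= n; i++)
            printf "  %s:\n%s", key[order[i]], params[order[i]]
    }'
}

# Constructed sample rows: compact and padded layouts, plus one old-style row.
sample_rows() {
    cat <<'EOF'
+------+--------+
| uuid | service | section | name | value |
| 0001 |docker|quay-registry|url|tis-lab-registry.cumulus.wrs.com:9001|
| 0002 | docker | docker-registry | url | tis-lab-registry.cumulus.wrs.com:9001 |
| 0003 | docker | docker-registry | type | docker |
| 0004 | docker | registry | k8s.gcr | old-style-row |
EOF
}

sample_rows | registries_to_overrides
```

Values that themselves contain `|` are not handled by this split. When password rows are present the output carries registry credentials.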

Ghada Khalil (gkhalil)
tags: added: stx.update
summary: - Backup&restore doesn't work with private registry if it's configured at
- Ansible bootstrap
+ Backup & Restore doesn't work with private registry if it's configured
+ at Ansible bootstrap
Ghada Khalil (gkhalil) wrote :

Marking as stx.3.0 / high priority - B&R is an stx.3.0 feature deliverable

Changed in starlingx:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Ovidiu Poncea (ovidiu.poncea)
tags: added: stx.3.0
Ovidiu Poncea (ovidiuponcea) wrote :

Hi Angie,

The change is not that complex given the explanation above... the problem is understanding how it works and getting all the cases right. For this it would help having:
1. the documentation for the feature and
2. docker registry replacements w/ and w/o authentication that I can use for testing the change. I got an unauthenticated one from above (tis-lab-registry.cumulus.wrs.com:9001) but I need one authenticated registry to properly capture all the parameters that changed.

Thank you,
Ovidiu

Ovidiu Poncea (ovidiuponcea) wrote :

Never mind #2. I configured 2 registries from scratch (w/ and w/o auth). I haven't tested them yet, but they should work if I know how to configure them.

Frank Miller (sensfan22) wrote :

Note: The fix for this LP has a dependency on this code first being merged:
https://review.opendev.org/#/c/688722/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/690592

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/692351
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=29b1cb2d82898bfe0b4b70ee51e3ce5786b98949
Submitter: Zuul
Branch: master

commit 29b1cb2d82898bfe0b4b70ee51e3ce5786b98949
Author: Dan Voiculeasa <email address hidden>
Date: Wed Oct 30 14:16:22 2019 +0000

    B&R: Restore ssl_ca certificate

    Extract the ca-cert.pem file from archive.
    Use system certificate-install on ca-cert.pem.

    Partial-Bug: 1847521
    Change-Id: Ia38ca66c96eeb0cf58be8ccca655f01b240fc4dd
    Signed-off-by: Dan Voiculeasa <email address hidden>

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/690592
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=955ee4804bb845e88aba95be6a7f49939f803953
Submitter: Zuul
Branch: master

commit 955ee4804bb845e88aba95be6a7f49939f803953
Author: Ovidiu Poncea <email address hidden>
Date: Wed Oct 23 17:34:59 2019 +0300

    B&R: Fix private registry configuration

    Code was updated to create a proper backup of the registries by
    reading the data using 'system' commands.

    Change-Id: Ica5a39d91e84e621ec7e13aa37203d509d0f4093
    Closes-Bug: 1847521
    Depends-On: Ia38ca66c96eeb0cf58be8ccca655f01b240fc4dd
    Signed-off-by: Ovidiu Poncea <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released