--insecure-registry in /etc/sysconfig/docker removed by undercloud upgrade

Bug #1736803 reported by Ian Pilcher on 2017-12-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Dan Prince

Bug Description

When pulling container images from an internal registry (such as docker-registry.engineering.redhat.com), one is often required to edit /etc/sysconfig/docker and add the internal registry to the INSECURE_REGISTRY line.

This additional entry is removed when "openstack undercloud upgrade" runs.

To reproduce:

1. Edit /etc/sysconfig/docker and add an additional insecure registry.
2. Run 'openstack undercloud upgrade'
3. Check /etc/sysconfig/docker; note that additional insecure registry is no longer there.

This will cause future image pulls, tag checks, etc. to fail until the registry is re-added to INSECURE_REGISTRY in /etc/sysconfig/docker.

Ian Pilcher (arequipeno) on 2017-12-06
tags: added: containers
tags: added: tripleoclient
Changed in tripleo:
status: New → Triaged
importance: Undecided → Critical
milestone: none → queens-3
tags: added: upgrade
Dan Prince (dan-prince) wrote :

As part of the new containers based undercloud I've just proposed added an option called 'docker_insecure_registries'. This would be appended to the list of default Undercloud insecure settings for the local registry and would allow you to pull containers from any set of registries you'd like and would survive an upgrade.


Again, this is not yet backported to instack-undercloud although we could look at doing something there as well.

Changed in tripleo:
assignee: nobody → Dan Prince (dan-prince)
status: Triaged → In Progress
Changed in tripleo:
milestone: queens-3 → queens-rc1
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Alex Schultz (alex-schultz) wrote :

This was fixed as part of Bug 1767373

Changed in tripleo:
status: In Progress → Fix Released
Alex Schultz (alex-schultz) wrote :

Was only partially done with Bug 1767373. In Pike the docker registry code also lived in the docker_registry profile, where as in Queens we deprecated docker_registry so the docker code managed it

Changed in tripleo:
status: Fix Released → Triaged

Reviewed: https://review.openstack.org/587190
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=80c5a07aa5a0a9042789a067aa175a1ddfe0a193
Submitter: Zuul
Branch: stable/pike

commit 80c5a07aa5a0a9042789a067aa175a1ddfe0a193
Author: Dan Prince <email address hidden>
Date: Tue Dec 5 16:15:32 2017 -0500

    Remove INSECURE_REGISTRY from docker_registry.pp

    This patch removes the INSECURE_REGISTRY options from the
    docker_registry manifest. These configuration options can
    conflict with the configuration done in the docker
    profile. Furthermore they are not directly related to
    the docker registry service itself and are better managed
    as part of the other profile.

    Change-Id: I6d0cfc9aafd2184161666bb9edcce16a0ec5a06f
    Closes-bug: #1736587
    Closes-bug: #1736803
    (cherry picked from commit b2521749561bc7b1d6da9e5b776c2945c65977a0)

tags: added: in-stable-pike

This issue was fixed in the openstack/puppet-tripleo 7.4.15 release.

Changed in tripleo:
status: Triaged → Fix Released
milestone: rocky-2 → stein-1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers