[tripleo][undercloud] use local container images in insecure repo
Hi all,

I have been trying to use containers from local container image repo which is insecure, but it is always trying to use TLS version, and I do not have https there. Even if I would have, I would not have CERT signed, so still it is insecure. It is always trying to access over WWW:443.

my registries.conf [1] and I am able to fetch image from the registry [1] and my container image prepare file contains updated repos, I have even added insecure: true

any tips? I am following [2] and [3]

[1] http://paste.openstack.org/show/cYQM2k77bIh14Zzr5Kjn/
[2] https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/deployme...
[3] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16....

--
Ruslanas Gžibovskis
+370 6030 7030

On Tue, Oct 6, 2020 at 1:15 AM Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
> Hi all,
>
> I have been trying to use containers from local container image repo which is insecure, but it is always trying to use TLS version, and I do not have https there. Even if I would have, I would not have CERT signed, so still it is insecure. It is always trying to access over WWW:443.
>
> my registries.conf [1] and I am able to fetch image from the registry [1] and my container image prepare file contains updated repos, I have even added insecure: true
>
> any tips? I am following [2] and [3]

Use DockerInsecureRegistryAddress to configure the list of insecure registries. You can include this in the container image prepare file. If you are using push_destination: true, be sure to add the undercloud in there by default. We have logic to magically add this if DockerInsecureRegistryAddress is not configured and push_destination: true is set. It'll configure the local IP and an undercloud ctlplane host name as well.

Unfortunately docker/podman always attempt https first and fall back to http if not available (this can get weird). If the host is not in the insecure list, it won't fall back to http.

Hi, in which place I should add DockerInsecureRegistryAddress? In which Level? I have added in 2 levels

parameter_defaults:
  ContainerImagePrepare:
  - DockerInsecureRegistryAddress: harbor.vgtu.lt
    set:
      ceph_alertmanager_image: alertmanager
      ceph_alertmanager_namespace: harbor.vgtu.lt/prom
      ceph_alertmanager_tag: v0.16.2
      ceph_grafana_image: grafana
      ceph_grafana_namespace: harbor.vgtu.lt/grafana
      ceph_grafana_tag: 5.4.3
      ceph_image: daemon
      ceph_namespace: harbor.vgtu.lt/ceph
      ceph_node_exporter_image: node-exporter
      ceph_node_exporter_namespace: harbor.vgtu.lt/prom
      ceph_node_exporter_tag: v0.17.0
      ceph_prometheus_image: prometheus
      ceph_prometheus_namespace: harbor.vgtu.lt/prom
      ceph_prometheus_tag: v2.7.2
      ceph_tag: v4.0.12-stable-4.0-nautilus-centos-7-x86_64
      default_tag: true
      name_prefix: centos-binary-
      name_suffix: ''
      namespace: harbor.vgtu.lt/testukas
      insecure: true
      DockerInsecureRegistryAddress: harbor.vgtu.lt
      neutron_driver: ovn
      rhel_containers: false
      tag: current-tripleo
    tag_from_label: rdo_version

And I have launched tcpdump with filter: host harbor.vgtu.lt and port 80 and I do not receive any.

Also it is in undercloud.conf insecure list (first and last one, twice :) and it is in registries.conf in /etc/containers

On Tue, 6 Oct 2020 at 16:09, Alex Schultz <aschultz@redhat.com> wrote:
> Use DockerInsecureRegistryAddress to configure the list of insecure registries. You can include this in the container image prepare file. If you are using push_destination: true, be sure to add the undercloud in there by default. We have logic to magically add this if DockerInsecureRegistryAddress is not configured and push_destination: true is set. It'll configure the local IP and an undercloud ctlplane host name as well.
>
> Unfortunately docker/podman always attempt https first and fall back to http if not available (this can get weird). If the host is not in the insecure list, it won't fall back to http.

--
Ruslanas Gžibovskis
+370 6030 7030

It's a top level var and expects a list. So under parameter_defaults.

parameter_defaults:
  DockerInsecureRegistryAddress:
  - harbor.vgtu.lt
  ContainerImagePrepare:
  - set: ....

On Tue, Oct 6, 2020 at 8:20 AM Ruslanas Gžibovskis <ruslanas@lpic.lt> wrote:
> Hi, in which place I should add DockerInsecureRegistryAddress? In which Level? I have added in 2 levels
>
> parameter_defaults:
>   ContainerImagePrepare:
>   - DockerInsecureRegistryAddress: harbor.vgtu.lt
>     set:
>       ceph_alertmanager_image: alertmanager
>       ceph_alertmanager_namespace: harbor.vgtu.lt/prom
>       ceph_alertmanager_tag: v0.16.2
>       ceph_grafana_image: grafana
>       ceph_grafana_namespace: harbor.vgtu.lt/grafana
>       ceph_grafana_tag: 5.4.3
>       ceph_image: daemon
>       ceph_namespace: harbor.vgtu.lt/ceph
>       ceph_node_exporter_image: node-exporter
>       ceph_node_exporter_namespace: harbor.vgtu.lt/prom
>       ceph_node_exporter_tag: v0.17.0
>       ceph_prometheus_image: prometheus
>       ceph_prometheus_namespace: harbor.vgtu.lt/prom
>       ceph_prometheus_tag: v2.7.2
>       ceph_tag: v4.0.12-stable-4.0-nautilus-centos-7-x86_64
>       default_tag: true
>       name_prefix: centos-binary-
>       name_suffix: ''
>       namespace: harbor.vgtu.lt/testukas
>       insecure: true
>       DockerInsecureRegistryAddress: harbor.vgtu.lt
>       neutron_driver: ovn
>       rhel_containers: false
>       tag: current-tripleo
>     tag_from_label: rdo_version
>
> And I have launched tcpdump with filter: host harbor.vgtu.lt and port 80 and I do not receive any.
>
> Also it is in undercloud.conf insecure list (first and last one, twice :) and it is in registries.conf in /etc/containers

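Added example, not part of the original thread and not TripleO code: a small Python lint for the placement described in the reply above, where DockerInsecureRegistryAddress is a top-level list under parameter_defaults. It assumes the environment file has already been parsed into a dict; the function names are hypothetical and the two sample dicts are constructed from the layouts posted in the thread.

```python
"""Added example: lint a parsed TripleO container image prepare environment."""

INSECURE_KEY = "DockerInsecureRegistryAddress"


def registry_hosts(entry):
    """Hosts named by the *namespace values in one ContainerImagePrepare entry."""
    params = entry.get("set") or {}
    return {str(v).split("/", 1)[0] for k, v in params.items()
            if k.endswith("namespace")}


def lint_prepare_env(env):
    """Check where the insecure-registry list sits and which hosts it covers."""
    defaults = env.get("parameter_defaults") or {}
    problems = []
    insecure = defaults.get(INSECURE_KEY, [])
    if not isinstance(insecure, list):
        problems.append(f"{INSECURE_KEY} must be a list, got {type(insecure).__name__}")
        insecure = [insecure]
    hosts = set()
    for i, entry in enumerate(defaults.get("ContainerImagePrepare") or []):
        for path, mapping in ((f"ContainerImagePrepare[{i}]", entry),
                              (f"ContainerImagePrepare[{i}].set", entry.get("set") or {})):
            if INSECURE_KEY in mapping:
                problems.append(f"{INSECURE_KEY} found under {path}, not at top level")
        hosts |= registry_hosts(entry)
    # Hosts absent from the list get no http fallback: they must answer over TLS.
    return {"problems": problems, "tls_required": sorted(hosts - set(insecure))}


# Constructed samples: the two layouts from the thread, already parsed to dicts.
AS_POSTED = {"parameter_defaults": {"ContainerImagePrepare": [{
    INSECURE_KEY: "harbor.vgtu.lt",
    "set": {"ceph_namespace": "harbor.vgtu.lt/ceph",
            "namespace": "harbor.vgtu.lt/testukas",
            "insecure": True,
            INSECURE_KEY: "harbor.vgtu.lt"},
    "tag_from_label": "rdo_version"}]}}
AS_ADVISED = {"parameter_defaults": {
    INSECURE_KEY: ["harbor.vgtu.lt"],
    "ContainerImagePrepare": [{"set": {"namespace": "harbor.vgtu.lt/testukas"}}]}}

if __name__ == "__main__":
    for name, env in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(name, lint_prepare_env(env))
```

Every host reported under tls_required is one the client will refuse to reach over plain http, so the insecure list can be kept to exactly the registries that need the exemption.
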
Or maybe I can specify, some exact version of ironic containers, that were working:

docker.io/tripleou/centos-binary-ironic-inspector@sha256:ad5d58c4cce48ed0c660a0be7fed69f53202a781e75b1037dcee96147e9b8c4b

for installation to grab?

And trying your suggestion.

Also generating self signed Cert and will be adding it to undercloud host to trust list, or it should be also added to undercloud.conf with env files also?

On Tue, 6 Oct 2020 at 17:22, Alex Schultz <aschultz@redhat.com> wrote:
> It's a top level var and expects a list. So under parameter_defaults.
>
> parameter_defaults:
>   DockerInsecureRegistryAddress:
>   - harbor.vgtu.lt
>   ContainerImagePrepare:
>   - set: ....

--
Ruslanas Gžibovskis
+370 6030 7030

participants (2)
- Alex Schultz
- Ruslanas Gžibovskis