From 2ee1ebfd34d72a91311ed7683c272b070fde61ea Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Fri, 27 Apr 2018 13:58:47 -0700 Subject: [PATCH] Introduce docker_insecure_registries parameter Introduce docker_insecure_registries that is an array of host/port combiniations of docker insecure registries. The default value will be the previous parameter that were hardcoded, but now we can easily override it in undercloud.conf. Note: the feature is already supported for the containerized undercloud but was only missing in instack-undercloud. This patch will be backported. Depends-On: I14fda3481ac88429648bed8edb2f4469b33be957 Change-Id: I402ebb80b1d755cdb0c3c28fd542121bc60cb144 Closes-Bug: #1767373 --- .../puppet-stack-config.yaml.template | 2 +- instack_undercloud/tests/test_undercloud.py | 7 +++++++ instack_undercloud/undercloud.py | 20 ++++++++++++++++--- .../insecure_registries-58ffd10f75112b31.yaml | 7 +++++++ undercloud.conf.sample | 9 +++++++-- 5 files changed, 39 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/insecure_registries-58ffd10f75112b31.yaml diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template index a9a37447c..591c2ba01 100644 --- a/elements/puppet-stack-config/puppet-stack-config.yaml.template +++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template @@ -795,7 +795,7 @@ tripleo::profile::base::docker::docker_options: '--log-driver=journald --signatu tripleo::profile::base::docker::registry_mirror: {{DOCKER_REGISTRY_MIRROR}} {{/DOCKER_REGISTRY_MIRROR}} tripleo::profile::base::docker::debug: "%{hiera('debug')}" -tripleo::profile::base::docker::insecure_registries: ['{{LOCAL_IP}}:8787','{{UNDERCLOUD_ADMIN_HOST}}:8787'] +tripleo::profile::base::docker::insecure_registries: {{DOCKER_INSECURE_REGISTRIES}} # Keepalived tripleo::keepalived::controller_virtual_ip: "%{hiera('controller_admin_host')}" 
diff --git a/instack_undercloud/tests/test_undercloud.py b/instack_undercloud/tests/test_undercloud.py index f163c41f6..d4ae4d322 100644 --- a/instack_undercloud/tests/test_undercloud.py +++ b/instack_undercloud/tests/test_undercloud.py @@ -592,6 +592,13 @@ class TestGenerateEnvironment(BaseTestCase): self.assertEqual('http://foo/bar', env['DOCKER_REGISTRY_MIRROR']) + def test_docker_insecure_registries(self): + self.conf.config(docker_insecure_registries=['http://foo/bar:8787']) + env = undercloud._generate_environment('.') + insecure_registries = json.loads(env['DOCKER_INSECURE_REGISTRIES']) + # Spot check one service + self.assertEqual(['http://foo/bar:8787'], insecure_registries) + def test_generate_endpoints(self): env = undercloud._generate_environment('.') endpoint_vars = {k: v for (k, v) in env.items() diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py index aad700661..bd72ebcb7 100644 --- a/instack_undercloud/undercloud.py +++ b/instack_undercloud/undercloud.py @@ -353,6 +353,11 @@ _opts = [ help=('Whether to enable docker container images to be build ' 'on the undercloud.') ), + cfg.ListOpt('docker_insecure_registries', + default=[], + help=('Array of host/port combiniations of docker insecure ' + 'registries.') + ), cfg.StrOpt('ipa_otp', default='', help=('One Time Password to register Undercloud node with ' 
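Review bot: The fixture value `'http://foo/bar:8787'` in `test_docker_insecure_registries` is a URL with a scheme and a path, while the option's help text describes host/port combinations; a constructed value such as `'registry.example.test:8787'` would exercise the documented format. The test also covers only the override branch: nothing asserts the fallback list built from LOCAL_IP and undercloud_admin_host when the option is left empty, so a regression in the backward-compatible default would pass unnoticed. The comment `# Spot check one service` does not describe this assertion and looks carried over from a neighbouring test. The enclosing `TestGenerateEnvironment` class starts and ends outside the hunk.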
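Review bot: The help string for `docker_insecure_registries` in the `_opts` hunk does not tell the operator what the setting relaxes or how the empty default behaves. Going by the `_generate_environment` change in this patch, an empty list falls back to the local IP and `undercloud_admin_host` on port 8787, and a non-empty list is used in their place rather than in addition. I would spell that out, for example `help=('List of host:port registries Docker may use without verified TLS. If empty, the undercloud local IP and admin host on port 8787 are used; a non-empty list replaces them.')`, which also fixes the 'combiniations' typo. The `_opts` list starts and ends outside this hunk.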
@@ -1437,12 +1442,21 @@ def _generate_environment(instack_root): instack_env['SYSCTL_SETTINGS'] = _generate_sysctl_settings() - if CONF.docker_registry_mirror: - instack_env['DOCKER_REGISTRY_MIRROR'] = CONF.docker_registry_mirror - instack_env['PUBLIC_INTERFACE_IP'] = instack_env['LOCAL_IP'] instack_env['LOCAL_IP'] = instack_env['LOCAL_IP'].split('/')[0] instack_env['LOCAL_IP_WRAPPED'] = _wrap_ipv6(instack_env['LOCAL_IP']) + + if CONF.docker_registry_mirror: + instack_env['DOCKER_REGISTRY_MIRROR'] = CONF.docker_registry_mirror + if CONF.docker_insecure_registries: + instack_env['DOCKER_INSECURE_REGISTRIES'] = json.dumps( + CONF.docker_insecure_registries) + else: + # For backward compatibility with previous defaults + instack_env['DOCKER_INSECURE_REGISTRIES'] = json.dumps( + [instack_env['LOCAL_IP'] + ':' + '8787', + CONF.undercloud_admin_host + ':' + '8787']) + # We're not in a chroot so this doesn't make sense, and it causes weird # errors if it's set. if instack_env.get('DIB_YUM_REPO_CONF'): diff --git a/releasenotes/notes/insecure_registries-58ffd10f75112b31.yaml b/releasenotes/notes/insecure_registries-58ffd10f75112b31.yaml new file mode 100644 index 000000000..f111b559f --- /dev/null +++ b/releasenotes/notes/insecure_registries-58ffd10f75112b31.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Introduce docker_insecure_registries that is an array of host/port + combiniations of docker insecure registries. The default value will + be the previous parameter that were hardcoded, but now we can easily + override it in undercloud.conf. diff --git a/undercloud.conf.sample b/undercloud.conf.sample index 969674610..e5493410c 100644 --- a/undercloud.conf.sample +++ b/undercloud.conf.sample 
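Review bot: Entries from `CONF.docker_insecure_registries` are serialized into `DOCKER_INSECURE_REGISTRIES` with no format check, and the `if`/`else` means a non-empty value replaces the two built-in :8787 entries instead of extending them. Every host on this list is one Docker will pull from without verified TLS, so a typo or an over-broad entry silently widens what the undercloud trusts; rejecting entries that carry a URL scheme and logging the final list at install time would make that visible. In the fallback branch, `instack_env['LOCAL_IP'] + ':' + '8787'` ignores the `LOCAL_IP_WRAPPED` value computed just above, so an IPv6 address would produce an ambiguous entry; assuming `_wrap_ipv6` brackets the address, `instack_env['LOCAL_IP_WRAPPED'] + ':8787'` avoids that (the old template had the same limitation, and `CONF.undercloud_admin_host` would need the same treatment). `_generate_environment` starts and ends outside this hunk.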
@@ -120,8 +120,9 @@ # Path to network config override template. If set, this template will # be used to configure the networking via os-net-config. Must be in -# json format. If you wish to disable os-net-config you can use an -# set this location to point to an empty file. +# json format. Templated tags can be used within the template, see +# instack-undercloud/elements/undercloud-stack-config/net- +# config.json.template for example tags (string value) #net_config_override = # Network interface on which inspection dnsmasq will listen. If in @@ -187,6 +188,10 @@ # undercloud. (boolean value) #enable_container_images_build = true +# Array of host/port combiniations of docker insecure registries. +# (string value) +#docker_insecure_registries = + # One Time Password to register Undercloud node with an IPA server. # Required when enable_novajoin = True. (string value) #ipa_otp =
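Review bot: The sample entry for `docker_insecure_registries` is labelled `(string value)` although the option is declared as `cfg.ListOpt` in undercloud.py, so the sample gives no hint that several registries can be listed. If the sample comes from the config generator it is worth regenerating once the help text is settled; otherwise the label should read `# (list value)`. The first hunk in this file also rewrites the `net_config_override` comment, which looks unrelated to this change and may come from a stale regeneration.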