From bbee30c907d86dbc5373f1d1f40722fcf4c89474 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Thu, 2 Apr 2020 16:37:47 -0600
Subject: [PATCH] Switch to podman_image module

By default the podman_image module has validate_certs enabled which forces the --tls-verify flag. This prevents *any* insecure registry from working. This is different from the default mechanism where SSL registries are required unless explicitly defined in the insecure registries list in /etc/containers/registries.conf. The undercloud is an insecure registry so we don't want to force --tls-verify.

Change-Id: I47221977ceeddcfa8e2d3da719692ffe87379ac4
---
 deployment/podman/podman-baremetal-ansible.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/deployment/podman/podman-baremetal-ansible.yaml b/deployment/podman/podman-baremetal-ansible.yaml
index 35704c057e..174a4a37c3 100644
--- a/deployment/podman/podman-baremetal-ansible.yaml
+++ b/deployment/podman/podman-baremetal-ansible.yaml
@@ -137,10 +137,18 @@ outputs:
 - when:
 - (step|int) == 1
 block:
- # TODO(mwhahaha): figure out the bug in podman_image
+ # NOTE(mwhahaha): validate_certs is a misnomer because what it
+ # actually does is enable the --tls-verify flag which forces
+ # registries to only be over HTTPS. By default, podman will only
+ # use HTTPS registries but has a way to configure specific insecure
+ # and non-HTTPS registries. The --tls-verify flag prevents this
+ # fallback from functioning. We rely on this fallback for the
+ # undercloud registry.
 - name: Pre-fetch all the containers
 become: true
- shell: podman pull "{{ container_image }}"
+ podman_image:
+ name: "{{ container_image }}"
+ validate_certs: false
 loop_control:
 loop_var: container_image
 loop: "{{ lookup('file', tripleo_role_name + '/docker_config.yaml', errors='ignore') | default('{}', True) | from_yaml | recursive_get_key_from_dict(key='image') | unique }}"
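Review bot: `validate_certs: false` applies to every image in the loop, and the NOTE above it holds only while the module responds to `false` by leaving `--tls-verify` off the command line. If a podman_image version instead turns `false` into an explicit `--tls-verify=false` (worth checking against the module version shipped here), certificate verification would be disabled for every registry in the list, not only the undercloud. I would record that assumption in the comment, e.g. `# Assumes validate_certs: false omits --tls-verify entirely; re-check on module upgrades.` The enclosing `block:` list starts above the hunk and the task may continue below the `loop:` line.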