8 changes: 4 additions & 4 deletions modules/machineconfig-modify-registry.adoc
Expand Up @@ -7,7 +7,7 @@

Settings that define the registries that {product-title} uses to get container images are held in the `/etc/containers/registries.conf` file by default. In that file, you can set registries to not require authentication (insecure), point to mirrored registries, or set which registries are searched for unqualified container image requests.

Rather than change `registries.conf` directly, you can drop configuration files into the `/etc/containers/registries.d` directory that are then automatically appended to the system's existing `registries.conf` settings.
Rather than change `registries.conf` directly, you can drop configuration files into the `/etc/containers/registries.conf.d` directory that are then automatically appended to the system's existing `registries.conf` settings.

This procedure describes how to create a `registries.d` file (`/etc/containers/registries.s/99-worker-unqualified-search-registries.conf`) that adds `quay.io` as an unqualified search registry (one that {product-title} can search when it tries to pull an image name that does not include the registry name). It includes base64-encoded content that you can examine as follows:
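Review bot: the sentence right after the corrected line still says "create a `registries.d` file" and gives the path as `/etc/containers/registries.s/99-worker-unqualified-search-registries.conf`, so the module contradicts itself one sentence after the fix; both should read `registries.conf.d` in this same hunk (and `registries.s` is a typo either way). The claim that drop-in files are "automatically appended to the system's existing `registries.conf` settings" also overstates what this particular file does: its decoded content, shown later in the module as `unqualified-search-registries = ['registry.access.redhat.com', 'docker.io', 'quay.io']`, supplies the complete search list, so it sets the value rather than adding `quay.io` to whatever was there. "Merged with" or "override" would describe the behaviour more accurately than "appended".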

Expand All @@ -25,7 +25,7 @@ See the `containers-registries.conf` man page for the format for the `registries

.Procedure

. Create a YAML file (`myregistry.yaml`) to hold the contents of the `/etc/containers/registries.d/99-worker-unqualified-search-registries.conf` file, including the encoded base64 contents for that file. For example:
. Create a YAML file (`myregistry.yaml`) to hold the contents of the `/etc/containers/registries.conf.d/99-worker-unqualified-search-registries.conf` file, including the encoded base64 contents for that file. For example:
Member

And here.


registries.conf.d is actually what we need here as it is talking about adding a drop-in file to modify unqualified-search-registries.


@ahardin-rh looks like this is a bit outdated. In 4.7, we added a new option to the cluster wide Image CR - containerRuntimeSearchRegistries. Users can use that to set their configured list of unqualified-search-registries and the controller rolls out the changes to the appropriate nodes. However, we heavily advise against using unqualified-search-registries and it was documented by https://github.com/openshift/openshift-docs/pull/28152/files.

I think we should not document how someone can do this with a MC, we want users to use our CRDs for making such changes to the node. Signatures are not supported yet, so using an MC for that makes sense, but that is something we are looking to combine into the Image CRD in the future.

Contributor Author


@umohnani8 Thank you! Should I create a new PR to remove this procedure from the 4.7+ doc set then?

FYI @mburke5678


Yes please, it should be removed from the 4.7 and later docs.

Contributor Author


@umohnani8 Thank you! I will get this work merged and then remove the procedure from 4.7 and 4.8 in a follow-up PR. Thanks!

+
[source,terminal]
----
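Review bot: the path fix is right, but given the thread above (the 4.7+ Image CR carries `containerRuntimeSearchRegistries`, and the procedure is slated for removal from 4.7 and later), the step would benefit from a warning that unqualified search registries are discouraged rather than presenting them as a neutral configuration choice. The security reason is worth one sentence: with a search list such as `['registry.access.redhat.com', 'docker.io', 'quay.io']`, a pull of a bare image name is resolved by trying the listed registries in order, so a name that does not exist on the Red Hat registry can be satisfied by whoever registered that name on `docker.io` or `quay.io`. Telling readers to pull fully qualified names, or to manage the list through the Image CR where that is available, keeps the example from being copied into clusters it was not meant for.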
Expand All @@ -46,7 +46,7 @@ spec:
source: data:text/plain;charset=utf-8;base64,dW5xdWFsaWZpZWQtc2VhcmNoLXJlZ2lzdHJpZXMgPSBbJ3JlZ2lzdHJ5LmFjY2Vzcy5yZWRoYXQuY29tJywgJ2RvY2tlci5pbycsICdxdWF5LmlvJ10K
filesystem: root
mode: 0420
path: /etc/containers/registries.d/99-worker-unqualified-search-registries.conf
path: /etc/containers/registries.conf.d/99-worker-unqualified-search-registries.conf
EOF
----
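Review bot: `mode: 0420` in this hunk has a leading zero, and the MachineConfig file mode is a decimal integer (420 is 0644). A YAML parser that treats `0420` as octal yields decimal 272, which is mode 0420 (`r---w----`), so the file may land unreadable by the runtime while the path fix itself is fine; use `mode: 420`. Separately, `filesystem: root` is only valid for Ignition 2.x configs; if this module's `ignition.version` (not visible in this hunk) is 3.x, that key should be dropped when the example is next touched.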

Expand Down Expand Up @@ -102,7 +102,7 @@ Starting pod/ip-10-0-141-142us-east-2computeinternal-debug ...
[source,terminal]
----
sh-4.2# chroot /host
sh-4.4# cat /etc/containers/registries.d/99-worker-unqualified-search-registries.conf
sh-4.4# cat /etc/containers/registries.conf.d/99-worker-unqualified-search-registries.conf
unqualified-search-registries = ['registry.access.redhat.com', 'docker.io', 'quay.io']
sh-4.4# exit
----
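Review bot: the prompt changes from `sh-4.2#` on the `chroot /host` line to `sh-4.4#` on the following lines; inside one debug pod the shell does not change version, so pick one prompt string for the whole block (the `sh-4.4#` form matches the rest). As lbarbeevargas asks below, the `chroot`, `cat` and `exit` commands and the `cat` output would also be clearer split into the one-command-per-block form used elsewhere in these docs, so the expected output is visibly separate from what the reader types. The `cat` confirms the file was written with the corrected `registries.conf.d` path; it does not by itself show the runtime has picked the list up, which is worth stating so readers do not read a successful `cat` as a successful configuration.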
Contributor

@lbarbeevargas lbarbeevargas Mar 24, 2021


The update LGTM. Should these sh-4.4# commands be separated into individual code blocks? Not sure if there is a reason that they weren't when the original work was done to separate multiple commands and commands from their output. :)

6 changes: 3 additions & 3 deletions modules/security-deploy-signature.adoc
Expand Up @@ -20,7 +20,7 @@ configuration is required.
Signatures that use the `docker` transport type are served by local file or web
server. These signatures are more flexible; you can serve images from any
container image registry and use an independent server to deliver binary
signatures.
signatures.

However, the `docker` transport type requires additional configuration. You must
configure the nodes with the URI of the signature server by placing
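Review bot: this hunk only removes trailing whitespace after `signatures.`; no wording changes, so it is safe to merge as is. If the module is reflowed later, as discussed below, "served by local file or web server" would read better as "served from a local file or a web server".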
Expand All @@ -38,9 +38,9 @@ docker:

In this example, the Red Hat Registry, `access.redhat.com`, is the signature
server that provides signatures for the `docker` transport type. Its URI is
defined in the `sigstore` parameter. You might name this file
defined in the `sigstore` parameter. You might name this file
`/etc/containers/registries.d/redhat.com.yaml` and use the Machine Config
Operator to
automatically place the file on each node in your cluster. No service
restart is required since policy and `registries.d` files are dynamically
loaded by the container runtime.
loaded by the container runtime.
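Review bot: the two changed lines here are whitespace-only, but note that `/etc/containers/registries.d/redhat.com.yaml` in this hunk is correct and must not be swept up by the `registries.d` to `registries.conf.d` rename applied in the other module. `registries.d` is the directory for signature-storage (`sigstore`) YAML that this module describes; `registries.conf.d` holds TOML drop-ins for `registries.conf`. A one-line remark distinguishing the two directories would help readers who open both modules, since the names differ by a single component and the other module is being corrected for exactly this confusion.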
Contributor


Looks like this file is just picking up removing extra whitespace at the end of these lines. What do you think about undoing the hard line wraps in this module?

Contributor Author


Yeah, we'll need to do some follow-up work there, but that's out of scope for this PR. Thanks!