-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkg/asset/ignition/bootstrap: Add /root/.docker/config.json #775
pkg/asset/ignition/bootstrap: Add /root/.docker/config.json #775
Conversation
0099514
to
dfbf1ef
Compare
Before this lands, we'll want to make sure it fixes CI for #773. |
dfbf1ef
to
d273367
Compare
@smarterclayton, we can run CI on this and secret images by cherry-picking it onto #773 (which is what I'm doing now), but it would be good to be running CI for "can we launch from private images?" in master without hacks like that. Can we get pull-secret protections for at least one constituent image on the CI registry? Maybe the release payload? Or is that not easy with installer CI using |
@wking: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
e2e-aws failed to generate the
I'll investigate in a fresh CI cluster: /retest |
We already provide /opt/tectonic/manifests/pull.json with a Kubernetes secret that contains the auth JSON, but the new file has the auth JSON without any wrapping. This resolves issues with auth-protected update payloads [1]: [core@ip-10-0-10-189 ~]$ journalctl -n5 -u bootkube.service -- Logs begin at Mon 2018-12-03 06:54:37 UTC, end at Mon 2018-12-03 07:24:52 UTC. -- Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: Trying to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b...Failed Dec 03 07:24:48 ip-10-0-10-189 bootkube.sh[696]: unable to pull quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: unable to pull image: Error determining manifest MIME type for docker://quay.io/openshift-release-dev/ocp-v4.0@sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b: Error reading manifest sha256:69bae91f6a933045175170cebd1caf00b8216a096fd4d402c41957a99aa3435b in quay.io/openshift-release-dev/ocp-v4.0: unauthorized: access to the requested resource is not authorized Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service: main process exited, code=exited, status=125/n/a Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: Unit bootkube.service entered failed state. Dec 03 07:24:48 ip-10-0-10-189 systemd[1]: bootkube.service failed. I think the ~/.docker directory name is unfortunate, since we're not actually using Docker at all. But ~/.docker/config.json is an auth location shared by Podman [2], CRI-O [3], and the kubelet [4]. And it's the most generic on-disk location that will survive reboots (/run will not [5]). I've also renamed the manifest template variable to PullSecretBase64 to distinguish it from the unencoded PullSecret I'm adding to the bootstrap template parameters. These are different template parameter sets, but I think recycling the same name would be unnecessarily confusing. [1]: openshift#773 (comment) [2]: https://github.com/containers/libpod/blob/v0.11.1.1/docs/podman-pull.1.md#options [3]: https://github.com/kubernetes-sigs/cri-o/blob/master/vendor/github.com/containers/image/pkg/docker/config/config.go#L32 [4]: https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry [5]: http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html#runPurpose
d273367
to
791a41c
Compare
Issue was a missing |
This is slated but depends on other gating factors. We are going to
automatically promote and test, but not quite yet.
I have been leaning towards that because we have to get there for beta and
it addresses other customers concerns.
On Dec 3, 2018, at 2:12 PM, W. Trevor King <[email protected]> wrote:
@smarterclayton <https://github.com/smarterclayton>, we can run CI on this
and secret images by cherry-picking it onto #773
<#773> (which is what I'm doing
now), but it would be good to be running CI for "can we launch from private
images?" in master without hacks like that. Can we get pull-secret
protections for at least one constituent image on the CI registry? Maybe
the release payload? Or is that not easy with installer CI using
RELEASE_IMAGE_LATEST since openshift/release#1793
<openshift/release#1793>? Maybe the tooling that
pushes RELEASE_IMAGE_LATEST can push it up as a private image?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#775 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pyCMDAcBCX04kHN-iXVNOlHRPy4Oks5u1XedgaJpZM4Y-E_P>
.
|
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: crawford, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Through 6585f5d (Merge pull request openshift#775 from wking/pull-secret-for-bootkube.sh, 2018-12-03).
And export
REGISTRY_AUTH_FILE
pointing at that file. We already provide/opt/tectonic/manifests/pull.json
with a Kubernetes secret that contains the auth JSON, but the new file has the auth JSON without any wrapping. This resolves issues with auth-protected update payloads:The environment variable is documented here.
I've also renamed the manifest template variable to
PullSecretBase64
to distinguish it from the unencodedPullSecret
I'm adding to the bootstrap template parameters. These are different template parameter sets, but I think recycling the same name would be unnecessarily confusing.