Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.6][Backport] Prune images (not)securely #16138

Merged
merged 3 commits into from
Sep 14, 2017
Merged

[3.6][Backport] Prune images (not)securely #16138

merged 3 commits into from
Sep 14, 2017

Conversation

miminar
Copy link

@miminar miminar commented Sep 5, 2017

@openshift-ci-robot openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 5, 2017
@miminar
Copy link
Author

miminar commented Sep 5, 2017

Obsoletes openshift/ose#817

/test all
/test extended_image_registry

@soltysh
Copy link
Contributor

soltysh commented Sep 6, 2017

/lgtm

Not sure who's in charge of approving 3.6 picks. @smarterclayton ?

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 6, 2017
@miminar
Copy link
Author

miminar commented Sep 6, 2017
edited
Loading

@stevekuznetsov the extended_conformance_install_update seems broken for release-3.6:

Failure summary:

  1. Host:     localhost
     Play:     Verify Requirements
     Task:     openshift_health_check
     Message:  One or more checks failed
     Details:  check "package_version":
               Not all of the required packages are available at their requested version
               docker:1.12 
               Please check your subscriptions and enabled repositories.
...
########## FINISHED STAGE: FAILURE: INSTALL ORIGIN [00h 06m 34s] ##########

Update: opened issue #16169
Actually, even master branch is affected. Issue #16143.

@miminar miminar mentioned this pull request Sep 6, 2017
Merged
@miminar
Copy link
Author

miminar commented Sep 12, 2017

/retest

@miminar
Copy link
Author

miminar commented Sep 12, 2017

Yum flake again.

@bparees for pkg/cmd approval.

bparees
bparees requested changes Sep 12, 2017
View reviewed changes
Copy link
Contributor

@bparees bparees left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one nit

pkg/cmd/admin/prune/images.go
%[1]s %[2]s --prune-over-size-limit --confirm

# Force the insecure http protocol with the particular registry host name
%[1]s %[2]s --registry-url=http://registry.example.org --confirm
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this example include the --force-insecure arg?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could, but as the command's help says:

Insecure connection is allowed in the following cases unless certificate-authority is specified:

  1. --force-insecure is given
  2. provided registry-url is prefixed with http://

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it wasn't clear to me that those were "either/or" conditions, I assumed they were both required. (to ensure that someone didn't accidentally use an insecure registry without explicitly intending to do so).

So if it's true that --force-insecure is not a requirement when explicitly indicating http, then i guess I retract my comment.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(but maybe add an "or" to the help text)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, I'll rephrase.

Michal Minář and others added 3 commits September 13, 2017 17:15
image-pruner: Determine protocol just once
7785c02 
Determine the registry protocol once. Do not change to other protocol
during the run. This will produce nicer output without unrelated
protocol fallback errors.

Do not default to insecure connection when the --registry-url is empty.

Move registry client initialization just before the start of the pruner
- so we can precisely determine whether to allow for insecure fall-back
based on collected images and image streams.

Move ping() outside of pruner. Instead, determine the registry URL
before the pruner starts and assume it won't change during the run.

Signed-off-by: Michal Minář <[email protected]>
image-pruner: Reenable registry-url validation
c5b4bc8 
Signed-off-by: Michal Minář <[email protected]>
@soltysh
Retry image stream updates when pruning images
b4bb2f7
@openshift-merge-robot openshift-merge-robot removed the lgtm Indicates that a PR is ready to be merged. label Sep 13, 2017
@bparees
Copy link
Contributor

bparees commented Sep 13, 2017

/lgtm
/retest

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 13, 2017
@openshift-merge-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, miminar, soltysh

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 13, 2017
@miminar
Copy link
Author

miminar commented Sep 14, 2017

/retest

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot
Copy link
Contributor

Automatic merge from submit-queue

@openshift-merge-robot openshift-merge-robot merged commit afb8ebb into openshift:release-3.6 Sep 14, 2017
@miminar miminar deleted the origin3.6-secure-image-prune branch February 22, 2018 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bparees bparees bparees requested changes

@soltysh soltysh soltysh approved these changes

Assignees

@soltysh soltysh

@liggitt liggitt

@bparees bparees

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@miminar @soltysh @bparees @openshift-merge-robot @openshift-bot @liggitt @openshift-ci-robot