[k8s-fcos] Fix insecure registry
At present, the insecure registry setting doesn't work as expected when Podman is used. This patch addresses the issue by fixing the ignition user data so that Podman is configured correctly. It also ensures that the --insecure-registry flag is provided to Docker in /etc/sysconfig/docker. Story: 2008479 Task: 41519 Change-Id: I2e1c86e0c88ab5b59185fd523e9c9696ce0f951e
parent
f2aae8834e
commit
7bfd7519af
|
@ -450,11 +450,11 @@ if [ -f /etc/sysconfig/docker ] ; then
|
|||
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
|
||||
# json-file is required for conformance.
|
||||
# https://docs.docker.com/config/containers/logging/json-file/
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
|
||||
|
||||
DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
|
||||
DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
|
||||
fi
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
|
||||
fi
|
||||
|
||||
KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
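Review bot: `${INSECURE_REGISTRY_URL}` is spliced unescaped into the replacement side of the final `sed -i -E 's/^OPTIONS=.../'` call, so a value containing `/`, `&`, `\` or a quote character would either break the expression or rewrite the `OPTIONS=` line differently than intended. The value appears to come from the `insecure_registry_url` template parameter, so it is worth validating before `DOCKER_OPTIONS` is extended, for example `case "${INSECURE_REGISTRY_URL}" in *[!A-Za-z0-9.:_-]*) echo "invalid insecure registry value" >&2; exit 1;; esac`. If CIDR notation has to be accepted, the allowed set must include `/` and the sed delimiter has to change with it. The same lines are repeated in the next hunk (`@ -263,11 +263,11`) and need the same guard. The enclosing `if [ -f /etc/sysconfig/docker ]` block starts above this hunk.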
|
||||
|
|
|
@ -263,11 +263,11 @@ if [ -f /etc/sysconfig/docker ] ; then
|
|||
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
|
||||
# json-file is required for conformance.
|
||||
# https://docs.docker.com/config/containers/logging/json-file/
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
|
||||
|
||||
DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
|
||||
DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
|
||||
fi
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
|
||||
fi
|
||||
|
||||
KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.1"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
#
|
||||
# You can use podman or docker to generate the ignition formatted json:
|
||||
# podman run --rm \
|
||||
# -v ./fcct-config.yaml:/config.fcc:z \
|
||||
# quay.io/coreos/fcct:release \
|
||||
# --pretty --strict --input /config.fcc > ./user_data.json
|
||||
# -v $(pwd)/fcct-config.yaml:/config.fcc \
|
||||
# quay.io/coreos/fcct:release \
|
||||
# --pretty --strict /config.fcc > ./user_data.json
|
||||
#
|
||||
# [0] https://github.com/coreos/fcct
|
||||
# [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
|
||||
|
@ -69,6 +69,18 @@ storage:
|
|||
# -1 is unlimited
|
||||
# 50m
|
||||
max_log_size = 52428800
|
||||
- path: /etc/containers/__REGISTRIES_CONF__
|
||||
# 420 (decimal) == 644 (octal)
|
||||
mode: 420
|
||||
user:
|
||||
name: root
|
||||
group:
|
||||
name: root
|
||||
append:
|
||||
- inline: |
|
||||
[[registry]]
|
||||
location = "__INSECURE_REGISTRY_URL__"
|
||||
insecure = true
|
||||
- path: /etc/hostname
|
||||
# 420 (decimal) == 644 (octal)
|
||||
mode: 420
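Review bot: `__INSECURE_REGISTRY_URL__` is substituted verbatim inside the TOML string `location = "..."`, so a parameter value containing `"` or a newline would end the string and could add further keys to registries.conf; nothing visible in this commit constrains the value. The generated user_data.json carries the same placeholder inside a percent-encoded `data:` URL, where a literal `%` in the value would presumably be decoded as well. A constraint on the `insecure_registry_url` parameter, whose definition is outside these hunks, would cover both places. A YAML comment above the `append:` entry would also help readers, for example `# insecure = true allows plain HTTP and untrusted TLS certificates for this registry location only`.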
|
||||
|
|
|
@ -708,6 +708,14 @@ resources:
|
|||
__HTTPS_PROXY__: {get_param: https_proxy}
|
||||
__NO_PROXY__: {get_param: no_proxy}
|
||||
__SELINUX_MODE__: {get_param: selinux_mode}
|
||||
__INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
|
||||
__REGISTRIES_CONF__:
|
||||
if:
|
||||
- equals:
|
||||
- get_param: insecure_registry_url
|
||||
- ""
|
||||
- ".registries.conf"
|
||||
- "registries.conf"
|
||||
|
||||
master_config:
|
||||
type: OS::Heat::SoftwareConfig
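Review bot: The reason for the `.registries.conf` fallback is not stated next to the `if:` expression: when `insecure_registry_url` is empty, the `[[registry]]` stanza with `insecure = true` and an empty `location` is still written, only to a dot-file that is presumably never read. A comment such as `# empty insecure_registry_url: divert the append to an unused dot-file so registries.conf is left untouched` would make that intent reviewable. The same expression is repeated in the next hunk (`@ -402,6 +402,14`). Whether the inline `equals` condition is accepted inside `if` depends on the template version, which is not visible here.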
|
||||
|
|
|
@ -402,6 +402,14 @@ resources:
|
|||
__HTTPS_PROXY__: {get_param: https_proxy}
|
||||
__NO_PROXY__: {get_param: no_proxy}
|
||||
__SELINUX_MODE__: {get_param: selinux_mode}
|
||||
__INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
|
||||
__REGISTRIES_CONF__:
|
||||
if:
|
||||
- equals:
|
||||
- get_param: insecure_registry_url
|
||||
- ""
|
||||
- ".registries.conf"
|
||||
- "registries.conf"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
|
|
@ -63,6 +63,21 @@
|
|||
},
|
||||
"mode": 420
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/etc/containers/__REGISTRIES_CONF__",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"append": [
|
||||
{
|
||||
"source": "data:,%5B%5Bregistry%5D%5D%0Alocation%20%3D%20%22__INSECURE_REGISTRY_URL__%22%0Ainsecure%20%3D%20true%0A"
|
||||
}
|
||||
],
|
||||
"mode": 420
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
|
|