[k8s-fcos] Fix insecure registry
At present, the insecure registry setting doesn't work as expected when
Podman is used. This patch addresses the issue by fixing the ignition user
data so that Podman is configured correctly. It also ensures that the
--insecure-registry flag is passed to Docker in /etc/sysconfig/docker.
Story: 2008479
Task: 41519
Change-Id: I2e1c86e0c88ab5b59185fd523e9c9696ce0f951e
(cherry picked from commit 7bfd7519af
)
parent
9621d8e43d
commit
8e4daebaea
|
@ -450,11 +450,11 @@ if [ -f /etc/sysconfig/docker ] ; then
|
|||
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
|
||||
# json-file is required for conformance.
|
||||
# https://docs.docker.com/config/containers/logging/json-file/
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
|
||||
|
||||
DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
|
||||
DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
|
||||
fi
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
|
||||
fi
|
||||
|
||||
KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
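Review bot: The `sed` that splices `${DOCKER_OPTIONS}` into `OPTIONS=` places `${INSECURE_REGISTRY_URL}` unescaped inside an expression delimited by `/`, so a value with a scheme or path (anything containing `/`) makes sed reject the expression and leaves the file with neither the logging options nor the registry flag. An `&` or `\` in the value would instead be read as replacement syntax and silently change what is written. Switching the delimiter covers the common case, `sed -i -E 's#^OPTIONS=("|'"'"')#OPTIONS=\1'"${DOCKER_OPTIONS}"' #' /etc/sysconfig/docker`, and rejecting anything that is not `host[:port]` before this point would cover the rest. The same line appears in the second script section (the `@ -263,11 +263,11` hunk).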
|
||||
|
|
|
@ -263,11 +263,11 @@ if [ -f /etc/sysconfig/docker ] ; then
|
|||
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker
|
||||
# json-file is required for conformance.
|
||||
# https://docs.docker.com/config/containers/logging/json-file/
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5 /' /etc/sysconfig/docker
|
||||
|
||||
DOCKER_OPTIONS="--log-driver=json-file --log-opt max-size=10m --log-opt max-file=5"
|
||||
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
|
||||
echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
|
||||
DOCKER_OPTIONS="${DOCKER_OPTIONS} --insecure-registry ${INSECURE_REGISTRY_URL}"
|
||||
fi
|
||||
sed -i -E 's/^OPTIONS=("|'"'"')/OPTIONS=\1'"${DOCKER_OPTIONS}"' /' /etc/sysconfig/docker
|
||||
fi
|
||||
|
||||
KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.1"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
#
|
||||
# You can use podman or docker to generate the ignition formatted json:
|
||||
# podman run --rm \
|
||||
# -v ./fcct-config.yaml:/config.fcc:z \
|
||||
# quay.io/coreos/fcct:release \
|
||||
# --pretty --strict --input /config.fcc > ./user_data.json
|
||||
# -v $(pwd)/fcct-config.yaml:/config.fcc \
|
||||
# quay.io/coreos/fcct:release \
|
||||
# --pretty --strict /config.fcc > ./user_data.json
|
||||
#
|
||||
# [0] https://github.com/coreos/fcct
|
||||
# [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
|
||||
|
@ -69,6 +69,18 @@ storage:
|
|||
# -1 is unlimited
|
||||
# 50m
|
||||
max_log_size = 52428800
|
||||
- path: /etc/containers/__REGISTRIES_CONF__
|
||||
# 420 (decimal) == 644 (octal)
|
||||
mode: 420
|
||||
user:
|
||||
name: root
|
||||
group:
|
||||
name: root
|
||||
append:
|
||||
- inline: |
|
||||
[[registry]]
|
||||
location = "__INSECURE_REGISTRY_URL__"
|
||||
insecure = true
|
||||
- path: /etc/hostname
|
||||
# 420 (decimal) == 644 (octal)
|
||||
mode: 420
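Review bot: The new `/etc/containers/__REGISTRIES_CONF__` entry has no comment explaining the placeholder, and as written it always appends a `[[registry]]` block with `insecure = true`, even when no registry was requested. From the templates in this commit the path becomes `.registries.conf` when `insecure_registry_url` is empty, presumably so that the stanza with an empty `location` lands in a file Podman does not read. That should be stated next to the entry, e.g. `# __REGISTRIES_CONF__ is ".registries.conf" (unused dummy) when insecure_registry_url is empty, else "registries.conf"`. A second line such as `# insecure = true allows plain HTTP and unverified TLS for this one location only` would make the security effect explicit for whoever edits this file next.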
|
||||
|
|
|
@ -708,6 +708,14 @@ resources:
|
|||
__HTTPS_PROXY__: {get_param: https_proxy}
|
||||
__NO_PROXY__: {get_param: no_proxy}
|
||||
__SELINUX_MODE__: {get_param: selinux_mode}
|
||||
__INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
|
||||
__REGISTRIES_CONF__:
|
||||
if:
|
||||
- equals:
|
||||
- get_param: insecure_registry_url
|
||||
- ""
|
||||
- ".registries.conf"
|
||||
- "registries.conf"
|
||||
|
||||
master_config:
|
||||
type: OS::Heat::SoftwareConfig
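Review bot: `insecure_registry_url` is handed to the user-data substitution verbatim in this mapping, and in the ignition JSON of this commit the placeholder sits inside a percent-encoded `data:` URL and a quoted TOML string, so a value containing `%`, `#`, `"` or whitespace would decode to something other than what the operator typed. Nothing in this hunk constrains the value. The parameter definition is outside the hunk, so if it carries no constraint yet, an `allowed_pattern` limiting it to `host[:port]` would be the place to fix this. The same mapping is added in the second template (the `@ -402,6 +402,14` hunk).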
|
||||
|
|
|
@ -402,6 +402,14 @@ resources:
|
|||
__HTTPS_PROXY__: {get_param: https_proxy}
|
||||
__NO_PROXY__: {get_param: no_proxy}
|
||||
__SELINUX_MODE__: {get_param: selinux_mode}
|
||||
__INSECURE_REGISTRY_URL__: {get_param: insecure_registry_url}
|
||||
__REGISTRIES_CONF__:
|
||||
if:
|
||||
- equals:
|
||||
- get_param: insecure_registry_url
|
||||
- ""
|
||||
- ".registries.conf"
|
||||
- "registries.conf"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
|
|
@ -75,6 +75,21 @@
|
|||
},
|
||||
"mode": 420
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/etc/containers/__REGISTRIES_CONF__",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"append": [
|
||||
{
|
||||
"source": "data:,%5B%5Bregistry%5D%5D%0Alocation%20%3D%20%22__INSECURE_REGISTRY_URL__%22%0Ainsecure%20%3D%20true%0A"
|
||||
}
|
||||
],
|
||||
"mode": 420
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
|
|