From 423a475aff4f9ea1b60af6a9a2989027d1506f10 Mon Sep 17 00:00:00 2001 From: Shuicheng Lin Date: Thu, 12 Mar 2020 14:06:08 +0800 Subject: [PATCH] Refresh local registry auth info each time when access local registry Local registry uses admin account password as authentication info. And this password may be changed by openstack client at any time. When sysinv tries to download images from local registry, it cannot cache the auth info, otherwise it may lead to authentication failure in keystone, and account be locked at the end. Partial-Bug: 1853017 Change-Id: I07f273a05a1bc3c08b48d13c94eb6df6aecdf7c3 Signed-off-by: Shuicheng Lin --- sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py | 9 ++++++--- sysinv/sysinv/sysinv/sysinv/conductor/manager.py | 2 -- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py b/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py index 36a4d45f87..751318c2a1 100644 --- a/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py +++ b/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py @@ -707,7 +707,6 @@ class AppOperator(object): start = time.time() try: - local_registry_auth = cutils.get_local_docker_registry_auth() with self._lock: self._docker._retrieve_specified_registries() except Exception as e: @@ -719,7 +718,7 @@ class AppOperator(object): pool = greenpool.GreenPool(size=threads) for tag, success in pool.imap( functools.partial(self._docker.download_an_image, - app.name, local_registry_auth), + app.name), images_to_download): if success: continue @@ -2926,7 +2925,7 @@ class DockerHelper(object): # Failed to get a docker client LOG.error("Failed to stop Armada service : %s " % e) - def download_an_image(self, app_name, local_registry_auth, img_tag): + def download_an_image(self, app_name, img_tag): rc = True 
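Review bot: `download_an_image` has no docstring (the `def` line is followed directly by `rc = True`), and after this signature change nothing tells a caller that the registry credentials are now looked up inside the method. I would add `"""Download img_tag for app_name and return (img_tag, success); local registry credentials are read afresh on every call and must not be cached by callers."""`. The return shape is taken from the two call sites in this patch, which both unpack a pair. The rest of the body lies outside the hunk, so confirm the wording against it before committing.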
@@ -2939,6 +2938,7 @@ class DockerHelper(object): LOG.info("Image %s download started from local registry" % img_tag) client = docker.APIClient(timeout=INSTALLATION_TIMEOUT) + local_registry_auth = cutils.get_local_docker_registry_auth() auth = '{0}:{1}'.format(local_registry_auth['username'], local_registry_auth['password']) subprocess.check_call(["crictl", "pull", "--creds", auth, img_tag]) @@ -2961,6 +2961,9 @@ class DockerHelper(object): try: # Tag and push the image to the local registry client.tag(target_img_tag, img_tag) + # admin password may be changed by openstack client cmd in parallel. + # So we cannot cache auth info, need refresh it each time. + local_registry_auth = cutils.get_local_docker_registry_auth() client.push(img_tag, auth_config=local_registry_auth) except Exception as e: rc = False diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py index c0b0476383..a14b82c07c 100644 --- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py +++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py @@ -5344,13 +5344,11 @@ class ConductorManager(service.PeriodicService): "Upgrade in progress." % image_versions.TILLER_IMAGE_VERSION) download_image = running_image_name + ":" + image_versions.TILLER_IMAGE_VERSION - local_registry_auth = cutils.get_local_docker_registry_auth() self._docker._retrieve_specified_registries() # download the image try: img_tag, ret = self._docker.download_an_image("helm", - local_registry_auth, download_image) if not ret: raise Exception
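Review bot: The password fetched on the added line is joined into `auth` and handed to `crictl pull` as a `--creds` argument, so the admin credential sits in the child process's argument list for the duration of the pull, where other local processes may be able to read it. `subprocess.check_call` raises `CalledProcessError`, whose message embeds the full command list. If the handler outside this hunk logs the exception the way the handler in the previous hunk does (`LOG.error(... % e)`), the password ends up in the service log. The commit leaves these context lines unchanged, but it is worth catching that exception separately and logging only the exit status, e.g. `except subprocess.CalledProcessError as e: LOG.error("crictl pull of %s failed, rc=%s" % (img_tag, e.returncode))`. The enclosing try block starts and ends outside the hunk.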
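Review bot: The result of `client.push(img_tag, auth_config=local_registry_auth)` is discarded, so a registry-side rejection of the refreshed credentials may go unnoticed: as far as I know docker-py reports push errors inside the output it returns rather than by raising, which would leave `rc` at `True` after a failed push. Since the purpose of the change is to avoid authentication failures, the call should keep the output and treat an error entry as a failure, e.g. `out = client.push(img_tag, auth_config=local_registry_auth)` followed by `if 'errorDetail' in out: raise Exception("push of %s failed" % img_tag)`. The new comment explaining why the auth info is not cached would also fit the first lookup before `crictl pull`, which currently has none. The except branch continues outside the hunk.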