Refresh local registry auth info each time when access local registry

(cherry picked from commit 423a475aff)

The local registry uses the admin account password as its authentication info,
and this password may be changed by the openstack client at any time.
When sysinv downloads images from the local registry, it must not
cache the auth info; otherwise authentication in keystone may fail,
and the account may eventually be locked.

Partial-Bug: 1853017

Change-Id: I07f273a05a1bc3c08b48d13c94eb6df6aecdf7c3
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Shuicheng Lin 2020-03-12 14:06:08 +08:00
parent 7e5e887eb3
commit a70ecf4baa
1 changed files with 6 additions and 3 deletions


@ -732,7 +732,6 @@ class AppOperator(object):
start = time.time() start = time.time()
try: try:
local_registry_auth = get_local_docker_registry_auth()
with self._lock: with self._lock:
self._docker._retrieve_specified_registries() self._docker._retrieve_specified_registries()
except Exception as e: except Exception as e:
@ -744,7 +743,7 @@ class AppOperator(object):
pool = greenpool.GreenPool(size=threads) pool = greenpool.GreenPool(size=threads)
for tag, success in pool.imap( for tag, success in pool.imap(
functools.partial(self._docker.download_an_image, functools.partial(self._docker.download_an_image,
app.name, local_registry_auth), app.name),
images_to_download): images_to_download):
if success: if success:
continue continue
@ -2685,7 +2684,7 @@ class DockerHelper(object):
# Failed to get a docker client # Failed to get a docker client
LOG.error("Failed to stop Armada service : %s " % e) LOG.error("Failed to stop Armada service : %s " % e)
def download_an_image(self, app_name, local_registry_auth, img_tag): def download_an_image(self, app_name, img_tag):
rc = True rc = True
@ -2698,6 +2697,7 @@ class DockerHelper(object):
LOG.info("Image %s download started from local registry" % img_tag) LOG.info("Image %s download started from local registry" % img_tag)
client = docker.APIClient(timeout=INSTALLATION_TIMEOUT) client = docker.APIClient(timeout=INSTALLATION_TIMEOUT)
local_registry_auth = get_local_docker_registry_auth()
client.pull(img_tag, auth_config=local_registry_auth) client.pull(img_tag, auth_config=local_registry_auth)
except docker.errors.NotFound: except docker.errors.NotFound:
try: try:
@ -2718,6 +2718,9 @@ class DockerHelper(object):
try: try:
# Tag and push the image to the local registry # Tag and push the image to the local registry
client.tag(target_img_tag, img_tag) client.tag(target_img_tag, img_tag)
# admin password may be changed by openstack client cmd in parallel.
# So we cannot cache auth info, need refresh it each time.
local_registry_auth = get_local_docker_registry_auth()
client.push(img_tag, auth_config=local_registry_auth) client.push(img_tag, auth_config=local_registry_auth)
except Exception as e: except Exception as e:
rc = False rc = False
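Review bot: The reason for re-reading the credential is documented only at the push site. The identical `get_local_docker_registry_auth()` call added before `client.pull` has no comment, and `download_an_image` has no docstring saying it now fetches the admin credential itself on every call. I would put the rationale once at the top of the method, for example `# Re-read the registry credential on every call: the admin password can change at any time, and a cached copy can fail authentication and lock the account.` The refresh narrows the stale-password window but does not close it, because the password can still change between the lookup and the registry call. Such a failure lands in the generic `except Exception` with `rc = False`, so it is worth confirming that the caller's retry count (not visible here) stays below the keystone lockout threshold, and that the failure is logged without the credential. The body of `download_an_image` starts and ends outside these hunks, so this is based only on the visible lines.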