diff options
| author | Michael Gugino <mgugino@redhat.com> | 2017-09-11 13:07:35 -0400 |
|---|---|---|
| committer | Michael Gugino <mgugino@redhat.com> | 2017-09-11 22:15:48 -0400 |
| commit | db30a2eb386930e0b20c8106e334d605e2ae770a (patch) | |
| tree | 3629e6380df5b3e5fa325aee9d1aa871c2b56588 /roles/docker | |
| parent | 4acdef4af89bf2ccc43f9643a2e72a969d11ed04 (diff) | |
| download | openshift-db30a2eb386930e0b20c8106e334d605e2ae770a.tar.gz openshift-db30a2eb386930e0b20c8106e334d605e2ae770a.tar.bz2 openshift-db30a2eb386930e0b20c8106e334d605e2ae770a.tar.xz openshift-db30a2eb386930e0b20c8106e334d605e2ae770a.zip | |
Fix: authenticated registry support for containerized hosts
Currently, openshift-anisble supports authentication to
container registries to pull down openshift container images.
The openshift_verison role uses the docker cli to gather
image information from container registries before authentication
credentials are provided by openshift-ansible.
This commit creates the necessary token to authenticate to
private registries during openshift_version. The token
is generated by the role 'docker' on all hosts where
docker is installed/configured when oreg_auth_users
is defined.
This commit also adds a read-only mount into the
openshift master and node container services. This
mount is '/var/lib/origin/.docker:/root/.docker:ro'.
This is because the container images do not currently
read the values in '/var/lib/origin/.docker' as this
may be a bug upstream.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
Diffstat (limited to 'roles/docker')
| -rw-r--r-- | roles/docker/defaults/main.yml | 5 | ||||
| -rw-r--r-- | roles/docker/tasks/package_docker.yml | 12 |
2 files changed, 17 insertions, 0 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index ed97d539c..7e206ded1 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1 +1,6 @@ --- +docker_cli_auth_config_path: '/root/.docker' + +oreg_url: '' +oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}" +oreg_auth_credentials_replace: False diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index bc52ab60c..145b552a6 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -117,6 +117,18 @@ notify: - restart docker +- name: Check for credentials file for registry auth + stat: + path: "{{ docker_cli_auth_config_path }}/config.json" + when: oreg_auth_user is defined + register: docker_cli_auth_credentials_stat + +- name: Create credentials for docker cli registry auth + command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" + when: + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + - name: Start the Docker service systemd: name: docker |