rhtconsulting / rhc-ose

OpenShift Automation and Utilities by Red Hat Consulting

Securing the registry ansible role. #200

Closed JayKayy closed 8 years ago

JayKayy commented 8 years ago

What does this PR do?

Ansible role for securing the OSE internal docker registry. This role will secure the registry with a provided certificate; otherwise, it will generate a certificate to use for securing it.

How should this be manually tested?

On an environment with a running docker registry already deployed (tested on 3.1; however, 3.2 shouldn't change anything), fill out the variables in the secure-registry.yaml to your specifications for securing the registry. Then run the playbook:

ansible-playbook -i <inventory> rhc-ose/rhc-ose-ansible/roles/secure-registry/test/secure-registry.yaml

Note: You may need to issue a redeploy of the registry. The ansible role restarts the docker service after configuring certificates, which may break current deployments kicked off by config changes.

To validate:

oc logs <docker registry pod> and ensure it's running in TLS mode:

level=info msg="listening on :5000, tls"

Authenticate to the docker registry and do a pull-tag-push.

$ docker pull busybox
$ docker tag docker.io/busybox 172.30.124.220:5000/<project>/busybox
$ docker push 172.30.124.220:5000/openshift/busybox

Is there a relevant Issue open for this?

N/A

Who would you like to review this?

/cc @etsauer @sabre1041 @oybed

etsauer commented 8 years ago

@abutcher, can we get your thoughts on this? We're working towards having our registry both secured and exposed as part of the install.

etsauer commented 8 years ago

@detiber @JayKayy hmm... on second look, it does appear we are doing a delegate_to: first_master for this step. Not sure exactly what it's hanging on, but this is the debug output:

TASK [secure-registry : Copy registry cert to kubernetes service directory] ****
task path: /root/repository/rhc-ose-JayKayy/rhc-ose-ansible/roles/secure-registry/tasks/main.yaml:132
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.12-201285103164488 `" && echo ansible-tmp-1467997809.12-201285103164488="` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.12-201285103164488 `" ) && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.15-199681651989441 `" && echo ansible-tmp-1467997809.15-199681651989441="` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.15-199681651989441 `" ) && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.18-1099701842652 `" && echo ansible-tmp-1467997809.18-1099701842652="` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.18-1099701842652 `" ) && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.18-194714862812184 `" && echo ansible-tmp-1467997809.18-194714862812184="` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.18-194714862812184 `" ) && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.21-102697401503736 `" && echo ansible-tmp-1467997809.21-102697401503736="` echo $HOME/.ansible/tmp/ansible-tmp-1467997809.21-102697401503736 `" ) && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> PUT /tmp/tmpt8rDMI TO /root/.ansible/tmp/ansible-tmp-1467997809.12-201285103164488/command
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[casl-esauer-1467940863-master1.d2.etl.practice.redhat.com]'
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> PUT /tmp/tmpfU7TFG TO /root/.ansible/tmp/ansible-tmp-1467997809.15-199681651989441/command
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[casl-esauer-1467940863-master1.d2.etl.practice.redhat.com]'
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> PUT /tmp/tmpMWausc TO /root/.ansible/tmp/ansible-tmp-1467997809.18-194714862812184/command
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[casl-esauer-1467940863-master1.d2.etl.practice.redhat.com]'
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> PUT /tmp/tmpJdiSAV TO /root/.ansible/tmp/ansible-tmp-1467997809.18-1099701842652/command
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[casl-esauer-1467940863-master1.d2.etl.practice.redhat.com]'
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> PUT /tmp/tmprYMcCf TO /root/.ansible/tmp/ansible-tmp-1467997809.21-102697401503736/command
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[casl-esauer-1467940863-master1.d2.etl.practice.redhat.com]'
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r -tt casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1467997809.12-201285103164488/command; rm -rf "/root/.ansible/tmp/ansible-tmp-1467997809.12-201285103164488/" > /dev/null 2>&1 && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r -tt casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1467997809.18-1099701842652/command; rm -rf "/root/.ansible/tmp/ansible-tmp-1467997809.18-1099701842652/" > /dev/null 2>&1 && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r -tt casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1467997809.18-194714862812184/command; rm -rf "/root/.ansible/tmp/ansible-tmp-1467997809.18-194714862812184/" > /dev/null 2>&1 && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> ESTABLISH SSH CONNECTION FOR USER: None
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r -tt casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1467997809.15-199681651989441/command; rm -rf "/root/.ansible/tmp/ansible-tmp-1467997809.15-199681651989441/" > /dev/null 2>&1 && sleep 0'"'"''
<casl-esauer-1467940863-master1.d2.etl.practice.redhat.com> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r -tt casl-esauer-1467940863-master1.d2.etl.practice.redhat.com '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1467997809.21-102697401503736/command; rm -rf "/root/.ansible/tmp/ansible-tmp-1467997809.21-102697401503736/" > /dev/null 2>&1 && sleep 0'"'"''
etsauer commented 8 years ago

Is there a reason we're doing command: scp rather than using the copy module?

etsauer commented 8 years ago

@JayKayy I get an error right from the start:

[root@2ef2ed4ed5b6 repository]# ansible-playbook -i secure-registry-inv ./rhc-ose-JayKayy/rhc-ose-ansible/roles/secure-registry/test/secure-registry.yaml 
ERROR! 'creates' is not a valid attribute for a Task

The error appears to have been in '/root/repository/rhc-ose-JayKayy/rhc-ose-ansible/roles/secure-registry/tasks/main.yaml': line 44, column 5, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  - name: "Creating certificate..."
    ^ here
etsauer commented 8 years ago

@JayKayy looks good now. Only additional piece is that I would like this to be incorporated into the ose-provision playbook.

etsauer commented 8 years ago

@abutcher, is this something you would like to see in the upstream or keep it here for now?

abutcher commented 8 years ago

@etsauer keep here for now. I'd like to see the functionality in upstream, but the implementation would have to be a little different to fold into our existing registry situation. Also would love fully idempotent tasks in an upstream implementation.

etsauer commented 8 years ago

@JayKayy oh, I did miss some of @abutcher's earlier comments... can we remove the "name" line from the fail blocks? Also, a check for whether we've already secured the registry would be a big improvement. Is there a more sophisticated way to do that than to grep the logs?

JayKayy commented 8 years ago

@etsauer What makes the most sense to me for checking if it is already secured would be checking for a ca.crt file on any play host under the registry's /etc/docker/certs.d/{registry dir}/ca.crt. But that could get messy if you're trying to re-secure the registry with a different cert. Thoughts?

etsauer commented 8 years ago

@JayKayy I wouldn't want to rely on looking at the client side to see if the registry server is secured. I would rather have a check for the environment variables that define the crt path in the dc.
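The server-side check proposed above, together with the "listening on :5000, tls" log check from the PR description, as an added example that is not part of this PR or the rhc-ose role. It assumes the registry runs from a DeploymentConfig named docker-registry in the default namespace and that TLS is configured through the REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY environment variables (the variables the OpenShift 3.x registry honours); the DC documents and log lines embedded below are constructed samples, and the `fetch_dc` helper for a live lookup is an assumption about how a role would obtain the DC.

```python
"""Decide whether the OpenShift internal registry is already TLS-secured.

Both signals come from the registry server side rather than from client
/etc/docker/certs.d files: the environment of the registry DeploymentConfig
and the startup line the registry itself logs when its listener is in TLS mode.
"""
import json
import re
import subprocess

# Environment variables the OpenShift 3.x registry reads for its TLS listener.
TLS_CERT_VAR = "REGISTRY_HTTP_TLS_CERTIFICATE"
TLS_KEY_VAR = "REGISTRY_HTTP_TLS_KEY"


def registry_env(dc):
    """Flatten the env lists of every container in the DC pod template into a dict.
    Entries that use valueFrom (secret/configmap refs) carry no literal value and are skipped."""
    env = {}
    containers = dc.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    for container in containers:
        for item in container.get("env", []):
            if "value" in item:
                env[item["name"]] = item["value"]
    return env


def tls_state(dc):
    """Return (secured, cert_path, key_path).
    secured is True only when both TLS variables are set and non-empty."""
    env = registry_env(dc)
    cert = env.get(TLS_CERT_VAR, "")
    key = env.get(TLS_KEY_VAR, "")
    return (bool(cert) and bool(key), cert, key)


def needs_update(dc, desired_cert, desired_key):
    """True when the registry is unsecured or points at different cert/key paths,
    so re-securing with a different certificate is detected instead of skipped."""
    secured, cert, key = tls_state(dc)
    return not (secured and cert == desired_cert and key == desired_key)


# Matches the registry's own listener line, e.g. msg="listening on :5000, tls"
LISTEN_RE = re.compile(r'msg="listening on (?P<addr>[^",]+)(?P<tls>, tls)?"')


def tls_from_logs(log_text):
    """True/False from the registry startup line; None when no such line is present
    (for example when the log was truncated), so callers do not mistake silence for plain HTTP."""
    for line in log_text.splitlines():
        match = LISTEN_RE.search(line)
        if match:
            return match.group("tls") is not None
    return None


def fetch_dc(name="docker-registry", namespace="default"):
    """Live lookup through oc (assumed helper; not used in the offline samples below)."""
    out = subprocess.check_output(["oc", "get", "dc", name, "-n", namespace, "-o", "json"])
    return json.loads(out)


def _dc_with_env(env_items):
    """Build a minimal constructed DC document with the given container env list."""
    return {
        "kind": "DeploymentConfig",
        "metadata": {"name": "docker-registry", "namespace": "default"},
        "spec": {"template": {"spec": {"containers": [{"name": "registry", "env": env_items}]}}},
    }


# Constructed sample DCs: one before the role has run, one after.
UNSECURED_DC = _dc_with_env([{"name": "REGISTRY_HTTP_ADDR", "value": ":5000"}])
SECURED_DC = _dc_with_env([
    {"name": "REGISTRY_HTTP_ADDR", "value": ":5000"},
    {"name": TLS_CERT_VAR, "value": "/etc/secrets/registry.crt"},
    {"name": TLS_KEY_VAR, "value": "/etc/secrets/registry.key"},
    {"name": "REGISTRY_HTTP_SECRET", "valueFrom": {"secretKeyRef": {"name": "registry-secret", "key": "http"}}},
])

# Constructed sample log excerpts in the registry's log format.
SAMPLE_LOG_TLS = 'time="2016-07-08T16:30:09Z" level=info msg="listening on :5000, tls" go.version=go1.6.2\n'
SAMPLE_LOG_PLAIN = 'time="2016-07-08T16:30:09Z" level=info msg="listening on :5000" go.version=go1.6.2\n'


if __name__ == "__main__":
    for label, dc in (("before", UNSECURED_DC), ("after", SECURED_DC)):
        print(label, tls_state(dc), "update needed:",
              needs_update(dc, "/etc/secrets/registry.crt", "/etc/secrets/registry.key"))
    print("log says tls:", tls_from_logs(SAMPLE_LOG_TLS), tls_from_logs(SAMPLE_LOG_PLAIN))
```

In a role, `tls_state` is the idempotency gate (skip the securing tasks when it reports secured with the expected paths), and `tls_from_logs` is the post-condition check to run against `oc logs` of the redeployed pod; reading the DC rather than the log keeps the decision independent of log retention and of which node the client happens to run on.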

etsauer commented 8 years ago

LGTM. Merging.