From 0a86107dccfdffa7476c61312f0c3b5aae7da7b7 Mon Sep 17 00:00:00 2001
From: Joao Eduardo Luis
Date: Mon, 11 Oct 2021 17:20:47 +0000
Subject: [PATCH] cephadm: allow pulling from insecure registries
Signed-off-by: Joao Eduardo Luis
---
 src/cephadm/cephadm | 19 ++++++++++++++-----
 src/cephadm/tests/test_cephadm.py | 1 +
 src/pybind/mgr/cephadm/module.py | 7 +++++++
 src/pybind/mgr/cephadm/serve.py | 6 +++++-
 4 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index ed392bd187d75..0b487b489aec3 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -3725,12 +3725,12 @@ def command_version(ctx):
 def command_pull(ctx):
 # type: (CephadmContext) -> int
- _pull_image(ctx, ctx.image)
+ _pull_image(ctx, ctx.image, ctx.insecure)
 return command_inspect_image(ctx)
-def _pull_image(ctx, image):
- # type: (CephadmContext, str) -> None
+def _pull_image(ctx, image, insecure=False):
+ # type: (CephadmContext, str, bool) -> None
 logger.info('Pulling container image %s...' % image)
 ignorelist = [
@@ -3740,8 +3740,12 @@ def _pull_image(ctx, image):
 ]
 cmd = [ctx.container_engine.path, 'pull', image]
- if isinstance(ctx.container_engine, Podman) and os.path.exists('/etc/ceph/podman-auth.json'):
- cmd.append('--authfile=/etc/ceph/podman-auth.json')
+ if isinstance(ctx.container_engine, Podman):
+ if insecure:
+ cmd.append('--tls-verify=false')
+
+ if os.path.exists('/etc/ceph/podman-auth.json'):
+ cmd.append('--authfile=/etc/ceph/podman-auth.json')
 cmd_str = ' '.join(cmd)
 for sleep_secs in [1, 4, 25]:
@@ -7401,6 +7405,11 @@ def _get_parser():
 parser_pull = subparsers.add_parser(
 'pull', help='pull latest image version')
 parser_pull.set_defaults(func=command_pull)
+ parser_pull.add_argument(
+ '--insecure',
+ action='store_true',
+ help=argparse.SUPPRESS,
+ )
 parser_inspect_image = subparsers.add_parser(
 'inspect-image', help='inspect local container image')
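Review bot: `command_pull` reads `ctx.insecure` unconditionally, so any context that was not populated by the `pull` subparser has no such attribute; the test change later in this patch has to set it by hand, which suggests the lookup fails otherwise. Reading it as `_pull_image(ctx, ctx.image, getattr(ctx, 'insecure', False))` keeps TLS verification as the default for every other way of reaching this function. `_pull_image` also gains a security-relevant parameter without a docstring; a one-line docstring stating that `insecure=True` disables registry TLS verification and is only honoured for Podman would make that visible to callers. The body of `_pull_image` continues outside this hunk.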
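Review bot: In the `isinstance(ctx.container_engine, Podman)` branch, `--tls-verify=false` is appended without any log line, and for any other engine the `insecure` request is dropped silently. With verification off the host can no longer authenticate the registry it pulls from, so the pull should leave a trace, e.g. `logger.warning('TLS verification disabled for pull of %s' % image)` under `if insecure:`. Note also that `--authfile=/etc/ceph/podman-auth.json` is still added when `insecure` is set, so stored registry credentials may be presented over an unverified or plaintext connection; that deserves at least a comment. For a non-Podman engine an `elif insecure:` branch that logs that the flag was ignored would tell the operator it had no effect.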
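Review bot: The `--insecure` argument is registered with `help=argparse.SUPPRESS`, so a switch that turns off TLS verification never shows up in the `pull` subcommand's help output. Anyone auditing host command lines or wrapper scripts has no in-tool description of what it does. A short help string such as `help='disable TLS verification when pulling (development only)'` documents the risk without changing behaviour. `_get_parser` continues outside the hunk.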
diff --git a/src/cephadm/tests/test_cephadm.py b/src/cephadm/tests/test_cephadm.py
index d95f76ea1b8f4..af1d086c5a7c1 100644
--- a/src/cephadm/tests/test_cephadm.py
+++ b/src/cephadm/tests/test_cephadm.py
@@ -1362,6 +1362,7 @@ class TestPull:
 def test_error(self, get_image_info_from_inspect, call, sleep):
 ctx = cd.CephadmContext()
 ctx.container_engine = mock_podman()
+ ctx.insecure = False
 call.return_value = ('', '', 0)
 retval = cd.command_pull(ctx)
diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
index 41476c1c99207..4742e01932e61 100644
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@@ -295,6 +295,12 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule,
 default=None,
 desc='Custom repository password'
 ),
+ Option(
+ 'registry_insecure',
+ type='bool',
+ default=False,
+ desc='Registry is to be considered insecure (no TLS available). Only for development purposes.'
+ ),
 Option(
 'use_repo_digest',
 type='bool',
@@ -402,6 +408,7 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule,
 self.registry_url: Optional[str] = None
 self.registry_username: Optional[str] = None
 self.registry_password: Optional[str] = None
+ self.registry_insecure: bool = False
 self.use_repo_digest = True
 self.default_registry = ''
 self.autotune_memory_target_ratio = 0.0
diff --git a/src/pybind/mgr/cephadm/serve.py b/src/pybind/mgr/cephadm/serve.py
index c93e95cc26c04..e8734cfd21fce 100644
--- a/src/pybind/mgr/cephadm/serve.py
+++ b/src/pybind/mgr/cephadm/serve.py
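Review bot: `test_error` only sets `ctx.insecure = False` so that the existing assertions keep passing; nothing in this hunk exercises the new code path. A case with `ctx.insecure = True` that checks `'--tls-verify=false'` appears in the command handed to the mocked `call`, plus one that checks it is absent by default, would pin the secure default against regressions. The rest of `TestPull` lies outside the hunk, so such a test may need the same patch decorators that `test_error` uses.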
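Review bot: The `desc` of the new `registry_insecure` option says "no TLS available", which understates what it switches off. The flag it ends up driving in `_pull_image` is `--tls-verify=false`, which also turns off certificate verification, so it affects HTTPS registries as well. Wording such as `desc='Pull images without TLS verification (plain HTTP or unverified certificates). Development only.'` states what is actually disabled. Because this is a persistent module option, a short comment above it noting that it should be unset again after development use would also help.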
@@ -1309,7 +1309,11 @@ class CephadmServe:
 self._registry_login(host, self.mgr.registry_url, self.mgr.registry_username, self.mgr.registry_password)
- j = self._run_cephadm_json(host, '', 'pull', [], image=image_name, no_fsid=True)
+ pullargs: List[str] = []
+ if self.mgr.registry_insecure:
+ pullargs.append("--insecure")
+
+ j = self._run_cephadm_json(host, '', 'pull', pullargs, image=image_name, no_fsid=True)
 r = ContainerInspectInfo(
 j['image_id'],
-- 2.47.3
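Review bot: `--insecure` is appended whenever `self.mgr.registry_insecure` is set, whatever `image_name` is being pulled, so with the option on, images from any other registry are also fetched without TLS verification. If the intent is a single development registry, the condition should be tied to it, e.g. `if self.mgr.registry_insecure and self.mgr.registry_url and image_name.startswith(self.mgr.registry_url + '/'):` (this assumes `registry_url` holds the bare registry host, which is not visible here). The `_registry_login` call just above is unchanged by this commit, so how credentials are handled for such a registry should be checked as well. The enclosing method starts and ends outside the hunk.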