[DO NOT MERGE] Fix creation of internal registry #21
Conversation
A privileged service account needs to be specified for the registry in order to mount host volumes. Signed-off-by: Michal Minar <[email protected]>
Using a hostDir volume mount (via --mount-host) is acceptable for POCs, but not for production use. See https://docs.openshift.com/enterprise/3.0/admin_guide/install/docker_registry.html#storage-for-the-registry for more details. If you want this PR to go in, I recommend adding a huge disclaimer that --mount-host is only for POCs and that persistent volumes should be used for production.

+1, please add a warning that is displayed by the CLI tools that mentions production readiness and data consistency issues related to multiple registries.
eap-latest-setup.md
typo privileged
two questions:
- Is host dir what we want, or do we want persistent volumes?
- @pweil-, is privileged necessary just to get host dir? I'd rather have an scc that allows host dir specifically and add the registry service account to that
is privileged necessary just to get host dir? I'd rather have an scc that allows host dir specifically and add the registry service account to that
The ideal would be to create an SCC with the minimal set of permissions to allow host dir and leave the privileged SCC limited to cluster administrators only. Ultimately, we do not recommend this way of running the registry though so I wonder about the value of documenting it so thoroughly in the context of the registry and not just in a generic "here's how you add a service account to another SCC". We could provide detailed documentation about persistent storage as the correct way to run the registry.
All that said, in the admin/router command it also requests a privileged container if you're using a host mount (https://github.com/pweil-/origin/blob/master/pkg/cmd/admin/registry/registry.go#L250-250). @ncdc - I imagine there was a reason for this? Dir permissions perhaps? I'd be interested to see what happens if we removed that and tested by enabling host dir in the restricted SCC.
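The dedicated, minimal SCC described above, written out as an added example (this is not code from the PR or the training document). It assumes the OpenShift 3.0 SecurityContextConstraints schema and that the registry service account was created as `registry` in the `default` namespace:

```yaml
# Added example, not part of the PR or the training document: an SCC that
# permits hostDir volumes and otherwise keeps the restricted defaults, so the
# registry service account does not have to be added to "privileged".
# Assumptions: OpenShift 3.0 SCC schema (apiVersion v1); the service account
# lives in the "default" namespace and is named "registry".
apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: registry-hostdir
# The one capability --mount-host actually needs.
allowHostDirVolumePlugin: true
# Host dir is still close to root on the node, so grant nothing further.
allowPrivilegedContainer: false
# Keep the namespace UID range and SELinux MCS level, as "restricted" does.
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
# Exactly one subject receives this SCC: the registry's service account.
users:
- system:serviceaccount:default:registry
groups: []
```

Create it with `oc create -f` and confirm with `oc get scc` that only this SCC, not `privileged`, lists the service account. As noted in the thread, the admin registry command also requests a privileged container when a host mount is used, so this SCC alone does not make that generated pod admissible.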
Host Dir is incredibly dangerous - it's effectively root in some cases.
It's less dangerous than priv, but only slightly.
On Jul 17, 2015, at 9:57 AM, Jordan Liggitt [email protected] wrote:
In eap-latest-setup.md #21 (comment):
- metadata:
name: registry- EOF
+Next step is to make it privileged. This is achieved by adding service
+account's user name to a list of users of privileged SCC. Such a name looks
+like this:
+
- system:serviceaccount::
+Where
<namespace>isdefaultbecause we set up registry in the default
+namespace and<name>is whatever we used in previousoc createcommand.
+
+Type following command and add the user name:
+
- oc edit scc priveliged
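Review bot: the `oc edit scc priveliged` line misspells the SCC name; it is `privileged` (also flagged in review as "typo privileged"). Beyond the typo, this step grants the registry service account membership in the privileged SCC, which is far broader than the host-directory access --mount-host needs; as raised in this thread, the documented path should be a dedicated SCC that allows host dir only, alongside the persistent-volume setup for production and a warning that --mount-host is for POCs. The `<namespace>`/`<name>` placeholders also lost their surrounding spaces and code formatting ("isdefaultbecause", "previousoc createcommand"), so that paragraph needs re-spacing before merge.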
two questions:
- Is host dir what we want, or do we want persistent volumes?
- @pweil- https://github.com/pweil-, is privileged necessary just to get host dir? I'd rather have an scc that allows host dir specifically and add the registry service account to that
Reply to this email directly or view it on GitHub: https://github.com/projectatomic/atomic-enterprise-training/pull/21/files#r34891001
Note OpenShift has useful docs on this here: https://docs.openshift.org/latest/admin_guide/install/docker_registry.html

@ncdc that's a good point. In terms of the tutorial, this POC way gets you faster to your goal, so I think it's ok in this case. I'll add the warning. @cgwalters thanks. I didn't find it before. I'll incorporate a few things and refer to this page.
Added references to thorough registry documentation. Simplified some commands. Fixed typos. Signed-off-by: Michal Minar <[email protected]>
Hopefully all the issues were addressed.
A privileged service account needs to be specified for the registry in order to mount host volumes.
Depends on PR#50.
Signed-off-by: Michal Minar [email protected]