Skip to content

cephadm: add --registry-{password,username} options#35217

Closed
tchaikov wants to merge 3 commits intoceph:masterfrom
tchaikov:wip-cephadm-login
Closed

cephadm: add --registry-{password,username} options#35217
tchaikov wants to merge 3 commits intoceph:masterfrom
tchaikov:wip-cephadm-login

Conversation

@tchaikov
Copy link
Contributor

@tchaikov tchaikov commented May 23, 2020

allow user to log into container registry with the specified
credentials. this helps user to address the issue if the registry is
protected by authentication machinary.

Signed-off-by: Kefu Chai kchai@redhat.com

Checklist

  • References tracker ticket
  • Updates documentation if necessary
  • Includes tests for new functionality or reproducer for bug
Show available Jenkins commands
  • jenkins retest this please
  • jenkins test classic perf
  • jenkins test crimson perf
  • jenkins test signed
  • jenkins test make check
  • jenkins test make check arm64
  • jenkins test submodules
  • jenkins test dashboard
  • jenkins test dashboard backend
  • jenkins test docs
  • jenkins render docs
  • jenkins test ceph-volume all
  • jenkins test ceph-volume tox

@tchaikov tchaikov requested a review from a team as a code owner May 23, 2020 17:07
@tchaikov
Copy link
Contributor Author

tchaikov commented May 23, 2020

see also https://tracker.ceph.com/issues/45631

sebastian-philipp
sebastian-philipp reviewed May 23, 2020
View reviewed changes
@sebastian-philipp
Copy link
Contributor

sebastian-philipp commented May 23, 2020

mypy:

==================================== ERRORS ====================================
____________________ ERROR collecting tests/test_cephadm.py ____________________
tests/test_cephadm.py:11: in <module>
    cd = SourceFileLoader('cephadm', 'cephadm').load_module()
cephadm:2220: in <module>
    @container_registry_credentials()
cephadm:1160: in __init__
    if not args.registry_username:
E   NameError: name 'args' is not defined

thanks for the PR! Just a few minor questions:

  1. do we need mgr/cephadm module options as well? otherwise no one will add the arguments?
  2. we we need that in the unit files as well? I mean, podman run might also pull befor running the container.
  3. fixes https://tracker.ceph.com/issues/44886 as well?
  4. do you know https://www.mankier.com/5/containers-auth.json ?

@tchaikov
Copy link
Contributor Author

tchaikov commented May 24, 2020
edited
Loading

mypy:

==================================== ERRORS ====================================
____________________ ERROR collecting tests/test_cephadm.py ____________________
tests/test_cephadm.py:11: in <module>
    cd = SourceFileLoader('cephadm', 'cephadm').load_module()
cephadm:2220: in <module>
    @container_registry_credentials()
cephadm:1160: in __init__
    if not args.registry_username:
E   NameError: name 'args' is not defined

thanks for the PR! Just a few minor questions:

  1. do we need mgr/cephadm module options as well? otherwise no one will add the arguments?

Yes, we need a way to pass these options down when cephadm is called by mgr/cephadm.

  1. we we need that in the unit files as well? I mean, podman run might also pull befor running the container.

Agreed. But I like the cached registry better. if we cannot have it sooner, i will have to add this in qa/ as well.

  1. fixes https://tracker.ceph.com/issues/44886 as well?

I was not sure if it was an acceptable fix when working on this last night. But seems you are interested in this. And it’s actually a feature! not yet, i want to talk to @djgalloway to see if we can setup a http proxy to cache the images. my intention is to address https://tracker.ceph.com/issues/45631 ASAP as our tests are failing.

  1. do you know https://www.mankier.com/5/containers-auth.json ?

i know. that's why i want to logout to avoid security issues by calling "logout". do you have better idea how to keep this cached credentials around without hurting the performance? how about having a global instance of this decorator / context manager, and call "logout" in its destructor?

@tchaikov tchaikov force-pushed the wip-cephadm-login branch from 24e44ea to 3917603 Compare May 24, 2020 02:11
@tchaikov
Copy link
Contributor Author

tchaikov commented May 24, 2020
edited
Loading

  1. do you know https://www.mankier.com/5/containers-auth.json ?

i know. that's why i want to logout to avoid security issues by calling "logout". do you have better idea how to keep this cached credentials around without hurting the performance? how about having a global instance of this decorator / context manager, and call "logout" in its destructor?

after a second thought, i am not sure about ir anymore. as "logout" command nukes all the cached credentials. no matter if they are added by cephadm or not.

but i am keeping it anyway. if you think i should remove it, i will do.

meh, i removed it, as it's difficult to use a class to define a decorator, and to initialize this decorator requires a variable (args) not set yet by then.

@tchaikov tchaikov force-pushed the wip-cephadm-login branch 4 times, most recently from e2e881c to 2989288 Compare May 24, 2020 05:20
tchaikov added 3 commits May 24, 2020 13:25
@tchaikov
cephadm: add --registry-{password,username} options
c00efc2 
allow user to log into container registry with the specified
credentials. this helps user to address the issue if the registry is
protected by authentication machinary.

a global variable of `container_registry_credentials` is introduced. it
is an instance of `ContainerRegistryCredentials` which serves as an
decorator and also as a context manager.

Fixes: https://tracker.ceph.com/issues/44886
Signed-off-by: Kefu Chai <kchai@redhat.com>
@tchaikov
mgr/cephadm: drop py2 compatible bits
570db8f 
since we've dropped Python3 support in octopus, there is no need to keep
the workaround for python2 anymore.

Signed-off-by: Kefu Chai <kchai@redhat.com>
@tchaikov
mgr/cephadm: add options for registry login
a8d0341 
these options allow user to login to a container registry when, for
instance, pulling images from configured container registry.

with this change, mgr/cephadm passes these options down to cephadm,
when deploying a daemon.

Fixes: https://tracker.ceph.com/issues/44886
Signed-off-by: Kefu Chai <kchai@redhat.com>
@tchaikov tchaikov force-pushed the wip-cephadm-login branch from 2989288 to a8d0341 Compare May 24, 2020 05:25
@sebastian-philipp
Copy link
Contributor

sebastian-philipp commented May 25, 2020

Caching within cephadm itself won't help.

  1. There is typically only one container created per invocation. (the exception is bootstrap, which creates two containers in a single invocation)
  2. deploying a daemon doesn't pull anything: pulling the containers is executed by `podman ru in the context of the systemd unit.
  3. There is no such thing as a 'global instance'. src/cephadm is just a CLI tool without any persistent state.

Also, how do you make cephadm shell work without adding the registry credentials all the time?

Which makes me think. Having a solution where podman run just works ootb would be my preferred way to get this done.

@sebastian-philipp
Copy link
Contributor

sebastian-philipp commented May 25, 2020

https://pad.ceph.com/p/cephadm-registry-credentials

@sebastian-philipp
Copy link
Contributor

sebastian-philipp commented May 27, 2020

still this PR makes sense, if it is done right. @tchaikov you want to continue working on this?

@tchaikov
Copy link
Contributor Author

tchaikov commented May 27, 2020

this PR was created to address the test failures. since it has been fixed by you, its priority is now lowered. i will come back once i have more bandwidth.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sebastian-philipp sebastian-philipp sebastian-philipp left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cephadm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tchaikov @sebastian-philipp