Secure vs insecure image pruning #4471
Conversation
|
@legionus PTAL |
|
@soltysh PTAL |
admin_guide/pruning_resources.adoc
Outdated
| used by {product-title}, it needs to be specified using | ||
| `--certificate-authority` flag. Otherwise, the prune command will fail with | ||
| error similar to | ||
| link:#using-insecure-connection-against-secured-registry[the one below]. |
There was a problem hiding this comment.
xref:using-insecure-connection-against-secured-registry[the one below]
admin_guide/pruning_resources.adoc
Outdated
| .^|`--force-insecure` | ||
| |Allow an insecure connection to the docker registry that is hosted | ||
| via HTTP or has an invalid HTTPS certificate. By default, insecure connection | ||
| is allowed only in case where neither certificate-authority nor registry-url is |
There was a problem hiding this comment.
`certificate-authority`
`registry-url`
admin_guide/pruning_resources.adoc
Outdated
| ==== | ||
| If the registry is secured by a certificate authority different from the one | ||
| used by {product-title}, it needs to be specified using | ||
| `--certificate-authority` flag. Otherwise, the prune command will fail with |
There was a problem hiding this comment.
`prune` command
s/with error similar to/with an error similar to
admin_guide/pruning_resources.adoc
Outdated
| It means that your registry is secured using a certificate signed by a | ||
| certificate authority other than the one used by `oadm prune images` client for | ||
| connection verification. By default, the certificate authority data stored in | ||
| user's config are used - the same for communication with the master API. |
There was a problem hiding this comment.
s/config/configuration file
s/-/--
admin_guide/pruning_resources.adoc
Outdated
|
|
||
| It means that your registry is secured using a certificate signed by a | ||
| certificate authority other than the one used by `oadm prune images` client for | ||
| connection verification. By default, the certificate authority data stored in |
There was a problem hiding this comment.
I would move the code block to just before "By default...." so that the first sentence does not get broken up.
admin_guide/pruning_resources.adoc
Outdated
| @@ -188,14 +188,27 @@ particular namespace makes it impossible to calculate their current usage. | |||
|
|
|||
| |Option |Description | |||
|
|
|||
| .^|`--all` | |||
| |Include images that were not pushed to the registry but have been mirrored by | |||
admin_guide/pruning_resources.adoc
Outdated
| @@ -283,9 +306,39 @@ $ oadm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm | |||
| $ oadm prune images --prune-over-size-limit --confirm | |||
| ---- | |||
|
|
|||
| .Using secure or insecure connection | |||
There was a problem hiding this comment.
Perhaps we can use a discrete heading here instead?
admin_guide/pruning_resources.adoc
Outdated
| |=== | ||
|
|
||
| .Determining images and layers eligible for pruning |
There was a problem hiding this comment.
Perhaps we can use a discrete heading here instead?
admin_guide/pruning_resources.adoc
Outdated
| |Allow an insecure connection to the docker registry that is hosted | ||
| via HTTP or has an invalid HTTPS certificate. By default, insecure connection | ||
| is allowed only in case where neither certificate-authority nor registry-url is | ||
| specified. Whenever possible, use `--certificate-authority` instead of this |
There was a problem hiding this comment.
I'd move the last sentence as a NOTE below. Additionally, reword this to something like:
Whenever possible use --certificate-authority, instead. Use of this option is strongly discouraged.
There was a problem hiding this comment.
I've ditched it. There is plenty of other places advocating the same. Instead, I've put (Dangerous) at the beginning.
admin_guide/pruning_resources.adoc
Outdated
| use a cluster-internal URL determined from managed images and image streams. In | ||
| case it fails (the registry cannot be resolved or reached), an alternative route | ||
| that works needs to be provided using this flag. If provided, a secure | ||
| connection will be initiated. To allow a fall-back to insecure transport, use |
There was a problem hiding this comment.
Don't encourage using --force-insecure anywhere, so drop the last sentence. It's already explained and that's it, it should not be used anywhere, though.
admin_guide/pruning_resources.adoc
Outdated
| @@ -283,9 +306,39 @@ $ oadm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm | |||
| $ oadm prune images --prune-over-size-limit --confirm | |||
| ---- | |||
|
|
|||
| .Using secure or insecure connection | |||
|
|
|||
| The secure connection is preferred for production use. It is done over HTTPS | |||
There was a problem hiding this comment.
Suggestion:
The secure connection is the preferred and recommended approach.
It's the recommended as a rule, not only for production.
admin_guide/pruning_resources.adoc
Outdated
| to insecure connection which is dangerous. In this case, either certificate | ||
| verification is skipped or plain HTTP protocol is used. | ||
|
|
||
| The fall-back to insecure connection is allowed in following cases unless |
admin_guide/pruning_resources.adoc
Outdated
| The fall-back to insecure connection is allowed in following cases unless | ||
| `--certicate-authority` is specified: | ||
|
|
||
| 1. The prune command is run with `--force-insecure` option. |
There was a problem hiding this comment.
Add info in parenthesis this is not recommended.
admin_guide/pruning_resources.adoc
Outdated
| attempts to use secure connection. The recommened solution is to | ||
| xref:../install_config/registry/securing_and_exposing_registry.adoc#securing-the-registry[secure | ||
| the registry]. If that is not desired, you may force the client to use insecure | ||
| connection by appending `--force-insecure` to the command. |
There was a problem hiding this comment.
Add not recommended at the end in parens.
miminar
changed the title
|
Now blocked on openshift/origin#14405. I will need to update error messages once it lands. |
|
|
miminar
force-pushed
the
secure-image-pruning
branch
2 times, most recently
from
1bb8a53 to
cecc1f6
Compare
|
Thanks for all the comments. They should be addressed now. The dependency PR is still waiting for the unblocked merge queue. |
miminar
force-pushed
the
secure-image-pruning
branch
from
cecc1f6 to
d82651d
Compare
miminar
changed the title
|
No longer blocked. @ahardin-rh could you please review once more? |
miminar
force-pushed
the
secure-image-pruning
branch
from
d82651d to
3b0ca97
Compare
|
I'd like to make some corrections for earlier releases. Shall I re-open this against |
|
@miminar if we label this PR for 3.5 and 3.6, the changes will be applied there. if 3.5 and 3.6 need a different set of doc, then you'll need to open a separate PR and only label it for 3.5 and 3.6. |
|
@miminar so which versions is this specific PR appropriate for? |
|
@bparees 3.6 - latest; I'll re-submit new PRs for 3.4 and 3.5 |
admin_guide/pruning_resources.adoc
Outdated
| [[image-pruning-problems]] | ||
| === Image Pruning Problems | ||
|
|
||
| [discrete] | ||
| ==== Images not being pruned |
admin_guide/pruning_resources.adoc
Outdated
| @@ -342,6 +392,58 @@ them from ever being pruned. | |||
| xref:../dev_guide/managing_images.adoc#tag-naming[Learn more about _istag_ | |||
| naming.] | |||
|
|
|||
| [discrete] | |||
| [[using-secure-connection-against-insecure-registry]] | |||
| ==== Using secure connection against insecure registry | |||
There was a problem hiding this comment.
Using a Secure Connection Against an Insecure Registry
admin_guide/pruning_resources.adoc
Outdated
| [[using-secure-connection-against-insecure-registry]] | ||
| ==== Using secure connection against insecure registry | ||
|
|
||
| If you see similar message in the output of the `oadm prune images` command: |
There was a problem hiding this comment.
If you see a message similar to the following in the output of the oadm prune images command, then your registry is not secured and the oadm prune images client will attempt to use a secure connection:
admin_guide/pruning_resources.adoc
Outdated
| It means that your registry is not secured and the `oadm prune images` client | ||
| attempts to use secure connection. The recommened solution is to | ||
| xref:../install_config/registry/securing_and_exposing_registry.adoc#securing-the-registry[secure | ||
| the registry]. If that is not desired, you may force the client to use insecure |
There was a problem hiding this comment.
you can force the client to use an insecure
admin_guide/pruning_resources.adoc
Outdated
| connection by appending `--force-insecure` to the command *(not recommended)*. | ||
|
|
||
| [[using-insecure-connection-against-secured-registry]] | ||
| ==== Using insecure connection against secured registry |
There was a problem hiding this comment.
Using an Insecure Connection Against a Secured Registry
admin_guide/pruning_resources.adoc
Outdated
| By default, the certificate authority data stored in user's configuration file | ||
| are used -- the same for communication with the master API. | ||
|
|
||
| Use `--certificate-authority` option to provide the right certificate authority |
admin_guide/pruning_resources.adoc
Outdated
|
|
||
| [discrete] | ||
| [[using-wrong-certificate-authority]] | ||
| ==== Using wrong certificate authority |
There was a problem hiding this comment.
Using the Wrong Certificate Authority
admin_guide/pruning_resources.adoc
Outdated
| [[using-wrong-certificate-authority]] | ||
| ==== Using wrong certificate authority | ||
|
|
||
| The following error means that certificate authority used to sign the |
admin_guide/pruning_resources.adoc
Outdated
| ==== Using wrong certificate authority | ||
|
|
||
| The following error means that certificate authority used to sign the | ||
| certificate of the secured Docker registry is different from the authority used |
admin_guide/pruning_resources.adoc
Outdated
|
|
||
| Make sure to provide the right one with the flag `--certificate-authority`. | ||
|
|
||
| As a work-around, the `--force-insecure` flag may be added instead *(not |
admin_guide/pruning_resources.adoc
Outdated
| `--registry-url`. | ||
|
|
||
| .^|`--force-insecure` | ||
| |*(Dangerous)* Allow an insecure connection to the docker registry that is |
admin_guide/pruning_resources.adoc
Outdated
|
|
||
| Use `--certificate-authority` option to provide the right certificate authority | ||
| for the docker registry server. | ||
|
|
|
@miminar Thanks! Just a few minor comments from me. Just a heads-up that, given our new docs workflow, if you want to submit separate PRs for 3.4 and 3.5, be sure to do so against enterprise-3.4-stage and enterprise-3.5-stage respectively. Thanks again! |
miminar
force-pushed
the
secure-image-pruning
branch
from
da31247 to
63089db
Compare
|
@ahardin-rh thanks a lot! Comments should be addressed now. |
Document new options related to secure connection to integrated docker registry and a mechanism that decides whether to fall-back to insecure connection. Signed-off-by: Michal Minář <[email protected]>
miminar
force-pushed
the
secure-image-pruning
branch
from
63089db to
338e0bd
Compare
|
@miminar Excellent. Thank you! |
|
[rev_history] |
Document new options related to secure connection to integrated docker registry and a mechanism that decides whether to fall-back to insecure connection.
Resolves #4232
Resolves bz#1469654
Is blocked on openshift/origin#14114?No longer blocked.