Task #3638
Status: closed
Parent: Pulp - Story #3637: As a user, I can run pulp in a FIPS-enabled environment
Get crane running in a FIPS enabled environment
Added by daviddavis over 6 years ago. Updated over 5 years ago.
Description
This work might not be necessary. Check with @thomasmckay.
Updated by daviddavis over 6 years ago
- Project changed from Pulp to Docker Support
Updated by tomckay@redhat.com over 6 years ago
Foreman will still need crane for smart-proxy. The addition of a docker v2 api to foreman server itself will make it possible to avoid using crane (with some additional work required in foreman) there.
Updated by daviddavis over 6 years ago
- Project changed from Docker Support to Crane
Updated by daviddavis over 6 years ago
- Related to Task #3752: Confirm that pulp_docker works in FIPS mode added
Updated by dkliban@redhat.com over 6 years ago
Test instructions:
This requires installing docker. I recommend installing it on a Fedora 27 VM (F27)
1. Install docker
2. Start docker daemon
3. run "docker pull registry" - this should pull down the registry image that you can run in step 4
4. Deploy registry on localhost by following example here: https://docs.docker.com/registry/deploying/
5. Copy the ubuntu image into the registry by continuing the example ^
Now on the same F27 machine install Pulp 2.16.2
6. pulp-admin docker repo create --feed http://127.0.0.1:5000 --upstream-name ubuntu --repo-id mydocker2
7. pulp-admin docker repo sync run --repo-id mydocker2
8. sudo docker pull localhost:5001/mydocker2
Now on a FIPS enabled RHEL install Pulp 2.16.2
9. pulp-admin docker repo create --feed http://<f27 ip>:5000 --upstream-name ubuntu --repo-id mydocker2
10. pulp-admin docker repo sync run --repo-id mydocker2
Now on a Fedora 27 machine
11. sudo docker pull <rhel7 ip>:5001/mydocker2
Updated by daviddavis over 6 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to ragbalak
Updated by ragbalak over 6 years ago
Hi Team,
Have verified this fix on a RHEL Fips enabled VM. Had to make some modifications in order to get this working.
These are the steps that I followed
1. Had Pulp-2.16 stable installed in a RHEL Machine with FIPS enabled
2. Had Pulp-2.17 nightly installed in F27 machine
3. Both machines should have a hostname configured
- since we need to make docker accept pulls from unverified [registries](https://docs.docker.com/registry/insecure/)
4. Install docker on the fedora machine (since this has to pull images from crane server on rhel machine)
dnf -y install docker
5. Once docker is installed, set it to accept images from untrusted registries (i.e. the pulp repository)
# we can add both pulp and docker registries of both f27 and rhel, so that the docker can pull from any of these registries with no issues
# daemon.json must contain a single JSON object, so write it with > rather than appending with >>
echo '{"insecure-registries" : ["<rhel_machine_host_name>:5000", "<rhel_machine_host_name>:5001", "<f27_machine_host_name>:5000", "<f27_machine_host_name>:5001"]}' > /etc/docker/daemon.json
6. Once docker is installed, and configured to use insecure registries, start the docker daemon
systemctl start docker
7. Create a local registry and start it on port 5001 (since pulp by default runs on 5000)
# this adds private registry image
docker pull registry
# start the registry image in local docker container on port 5001 and also the registry should be listening on port 5001
docker run -d -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 -p 5001:5001 --name registry2 registry
# Let's add another image that we will be using throughout this test
docker pull ubuntu # this pulls the image from the docker hub
# Let us then add this image to the local docker registry
docker tag ubuntu <f27_machine_host_name>:5001/my-ubuntu
docker push <f27_machine_host_name>:5001/my-ubuntu # this adds the image to the local registry
# now we can remove the local copies as the image is added to the local registry (docker does not expand a * glob here, so list both tags explicitly)
docker image rm ubuntu <f27_machine_host_name>:5001/my-ubuntu
8. Once the image is added in the docker registry, we can check whether pulp can make use of this image from the f27 docker registry
9. For this, login to the Rhel7 machine
10. login to the pulp-admin
11. Create the feed of this pulp-admin to point to the fedora machine docker registry and sync the content to make it available in the local pulp repo
# creating a pulp repo with name mydocker2
pulp-admin docker repo create --feed http://<fedora_machine_host_name>:5001 --upstream-name my-ubuntu --repo-id mydocker2
# sync the repo for downloading the content from the docker registry
pulp-admin docker repo sync run --repo-id mydocker2
# Now the content should have been made available in pulp server. This can be checked using
pulp-admin docker repo list
12. Once the content is present in Rhel machine (FIPS) Pulp repo, we can check whether the fedora machine's docker is able to get this content (via crane - as this gives the docker content in the pulp).
13. Login back to Fedora machine and do the following
docker pull <Rhel7-machine_host_name>:5000/mydocker2
14. This step should add content in the local docker, which can be checked by running
docker image list
15. This ensures that crane works properly in a FIPS enabled system, thereby allowing remote systems to get pulp docker content.
16. As a sanity check, the roles of rhel and fedora can be reversed and tested, with fedora having the pulp content and doing a docker pull from rhel machine.
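The two verification procedures above (dkliban's test instructions and ragbalak's run-through) both hinge on writing /etc/docker/daemon.json correctly and on actually being in FIPS mode on the RHEL host. The following shell helper is an added example and is not part of this issue or of Pulp/crane: it builds the "insecure-registries" object as one valid JSON document from whatever host:port entries you pass it, refuses to write a file that does not parse (python3 is assumed to be present as the JSON parser), and reports FIPS status from the kernel's /proc/sys/crypto/fips_enabled flag. The DAEMON_JSON variable is an assumption of this example so the target path can be overridden; the hostnames remain the same placeholders the comments use.

```shell
#!/bin/sh
# Added example (not from the Pulp issue): generate docker's daemon.json for the
# insecure-registries test setup and check FIPS status before running the crane test.

# Emit a single JSON object listing every host:port passed as an argument.
build_daemon_json() {
  first=1
  printf '{"insecure-registries": ['
  for reg in "$@"; do
    if [ "$first" -eq 1 ]; then first=0; else printf ', '; fi
    printf '"%s"' "$reg"
  done
  printf ']}\n'
}

# Succeed only if the kernel reports FIPS mode enabled (RHEL/Fedora expose this flag).
fips_enabled() {
  [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# Validate the generated document with python3's json module before overwriting
# the file; DAEMON_JSON (assumed variable) defaults to docker's real config path.
write_daemon_json() {
  json=$(build_daemon_json "$@")
  printf '%s\n' "$json" | python3 -c 'import json,sys; json.load(sys.stdin)' || return 1
  printf '%s\n' "$json" > "${DAEMON_JSON:-/etc/docker/daemon.json}"
}

# Usage on the Fedora docker host, with placeholder hostnames as in the comments:
# write_daemon_json "<rhel_machine_host_name>:5000" "<rhel_machine_host_name>:5001" \
#                   "<f27_machine_host_name>:5000"  "<f27_machine_host_name>:5001"
# fips_enabled && echo "FIPS mode on" || echo "FIPS mode off"
```

Writing the whole object in one go (rather than appending with >>) is what keeps daemon.json parseable on a second run; the FIPS check is worth running on the RHEL side before step 11, since a host that is not actually in FIPS mode would make a passing sync meaningless for this story.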
Updated by ragbalak over 6 years ago
- Status changed from ASSIGNED to CLOSED - COMPLETE