[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pull image from external registries

On 12/09/2015 07:57 AM, priyanka Gupta wrote:
Hi Akram,
Hi Clayton,

Thanks four your inputs. I was going through openshift docs and it says we
can deploy applications from external or third party registries too.

I have origin v3 server running, and I dont have any imagestream, I want
openshift to create one for me when I use "new-app".

To create app from private registry I am using :

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true

But it doesnt create any successful pod. Below is the output of "oc get

*NAME                 READY     STATUS             RESTARTS   AGE*
*openshift-1-deploy   1/1       Running            0          9m*
*openshift-1-zy91l    0/1       ImagePullBackOff   0          9m*

In log file is gives:

*   4132 factory.go:49] error checking for V2 registry at
https://myregistry:5001/v2/ <https://myregistry:5001/v2/>: Get
https://myregistry:5001/v2/ <https://myregistry:5001/v2/>: x509: cannot
validate certificate for myregistry because it doesn't contain any IP SANs*

Note: I have already already added --insecure-registry in "DOKER_OPTS" and
restarted docker where node is running and I am also able to pull images
from private registry using docker pull, hence this seems to me openshift
related issue.

Could you please help me with this?

Thanks in advance!

Hey Priyanka,
First of all, which version of OpenShift you're using? There was a bug
some time ago when new-app didn't pass the insecure-registry flag
properly, fixed in [1]. The log error you've mentioned, clearly states
the flag was not applied as an annotation Akarm mentioned earlier.
Can you check if it's there by doing oc describe is/name_here?
You should see following entry in the annotation section:


Additionally, as you've mentioned, you must allow docker daemon
on a node to access that private registry by adding this flag:
--insecure-registry pointing to that private registry
of yours. The annotation is responsible only for reading image
metadata during import. The actual pull of the image still happens
on a node, through docker, which needs that same information about
insecure registry as well.


[1] https://github.com/openshift/origin/commit/9193cadc2e073539c4696a40dc8fa40d7ffb442c

On Mon, Dec 7, 2015 at 10:36 PM, Akram Ben Aissi <akram benaissi gmail com>


you must use the following option in your ImageStream definition:
openshift.io/image.insecureRepository: "true"

like here:


And indeed, that does not bring authentication support. But if your issue
is only due to certificate signing, it should be a way to solve it.


On 7 December 2015 at 17:23, priyanka Gupta <priyanka4openshift gmail com>

hello , is there a way to import images from private external docker
registry using "oc import-image" command.

This works fine with docker hub images, but I need to pull image from
external registry to openshift imagestream using "oc import-image" command.

how to set authentication to work with this?

whenever I try to run below  command:

oc import-image myrepo:5000/mysql test/mysql

It gives below in error:

E1207 04:24:51.103594    4913 factory.go:49] error checking for V2
registry at https://myrepo:5000/v2/: Get https://myrepo:5000/v2/: x509:
certificate signed by unknown authority

Thanks a lot in advance!

dev mailing list
dev lists openshift redhat com

dev mailing list
dev lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]