
Re: pull image from external registries



The "library" namespace for Docker images is really just a default/fallback when pulling images from the Docker Hub when you don't specify a namespace; e.g., `docker pull centos` actually ends up pulling library/centos. Registry v2 and v2 images no longer require that image repositories contain 2 segments (<namespace>/<repo>). OpenShift's integrated registry, however, does maintain that requirement, as we use the first segment for the OpenShift project name.

We need to figure out what the appropriate behavior is with external registries and single-segment image repository names. For the Hub, we should probably continue to fill in "library". For other registries, maybe not filling it in is the right behavior?

On Wed, Dec 9, 2015 at 9:45 AM, Paul Weil <pweil redhat com> wrote:
Including Maciej.  Thoughts on a namespace-included flag?

On Wed, Dec 9, 2015 at 9:35 AM, Cesar Wong <cewong redhat com> wrote:
Hi Priyanka, 

The image name containing library is a bug. When we parse the pull spec, we’ll fill in the namespace with “library” if empty:


Paul, we should likely include a flag in image.api.DockerImageReference saying whether a namespace was specified. So we can include the default namespace only if appropriate when serializing it back out (or leave it blank and serialize it as “library” only with a flag).

Also, in the 1.0.6 case, did you verify that the image stream contains the insecureRepository annotation? I believe that’s the bug that Maciej fixed between 1.0.6 and 1.1. (https://github.com/openshift/origin/pull/5574)


On Dec 9, 2015, at 7:00 AM, priyanka Gupta <priyanka4openshift gmail com> wrote:

Hi Akram,

Thanks, Yes I am following that doc only :( but no luck

Hi Maciej,

Thanks, origin version I am using is "oc v1.0.6" , it does have "



But it never creates any pod. I have also tried using the latest version "oc v1.1" and noticed it doesn't create any imagestream even with "--insecure-registry=true" with "new-app".

I also noticed that when I run this command in both versions:

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true -o > json

it contains the image name as "image": "myregistry:5001/library/openshift:latest". Why does it add the library tag?

I tried removing this in version 1.1, then it created the pod without any issue, but with version 1.0.6, it doesn't create any pod after removing "library" also from deploymentconfig.

Could you please tell me how to reproduce this issue or which version of origin I should test to use "new-app" and "import-image" from an external docker registry??

seems each version acts differently.


Thanks a lot again!

 


On Wed, Dec 9, 2015 at 4:33 PM, Maciej Szulik <maszulik redhat com> wrote:


On 12/09/2015 07:57 AM, priyanka Gupta wrote:
Hi Akram,
Hi Clayton,

Thanks for your inputs. I was going through openshift docs and it says we
can deploy applications from external or third party registries too.

I have origin v3 server running, and I don't have any imagestream, I want
openshift to create one for me when I use "new-app".


To create app from private registry I am using :

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true


But it doesn't create any successful pod. Below is the output of "oc get
pods"

NAME                 READY     STATUS             RESTARTS   AGE
openshift-1-deploy   1/1       Running            0          9m
openshift-1-zy91l    0/1       ImagePullBackOff   0          9m


In the log file it gives:

4132 factory.go:49] error checking for V2 registry at
https://myregistry:5001/v2/: Get https://myregistry:5001/v2/: x509: cannot
validate certificate for myregistry because it doesn't contain any IP SANs


Note: I have already added --insecure-registry in "DOCKER_OPTS" and
restarted docker where the node is running, and I am also able to pull images
from the private registry using docker pull, hence this seems to me an openshift
related issue.



Could you please help me with this?


Thanks in advance!


Hey Priyanka,
First of all, which version of OpenShift are you using? There was a bug
some time ago when new-app didn't pass the insecure-registry flag
properly, fixed in [1]. The log error you've mentioned clearly states
the flag was not applied as an annotation Akram mentioned earlier.
Can you check if it's there by doing oc describe is/name_here?
You should see following entry in the annotation section:

openshift.io/image.insecureRepository=true

Additionally, as you've mentioned, you must allow docker daemon
on a node to access that private registry by adding this flag:
--insecure-registry 172.30.0.0/16 pointing to that private registry
of yours. The annotation is responsible only for reading image
metadata during import. The actual pull of the image still happens
on a node, through docker, which needs that same information about
insecure registry as well.

Maciej


[1] https://github.com/openshift/origin/commit/9193cadc2e073539c4696a40dc8fa40d7ffb442c





On Mon, Dec 7, 2015 at 10:36 PM, Akram Ben Aissi <akram benaissi gmail com>
wrote:

Priyanka,


you must use the following option in your ImageStream definition:
openshift.io/image.insecureRepository: "true"

like here:

https://github.com/openshift/training/blob/master/deprecated/beta4/image-streams-rhel7.json

And indeed, that does not bring authentication support. But if your issue
is only due to certificate signing, it should be a way to solve it.

Greetings

On 7 December 2015 at 17:23, priyanka Gupta <priyanka4openshift gmail com>
wrote:

hello , is there a way to import images from private external docker
registry using "oc import-image" command.

This works fine with docker hub images, but I need to pull image from
external registry to openshift imagestream using "oc import-image" command.

how to set authentication to work with this?


whenever I try to run below  command:

oc import-image myrepo:5000/mysql test/mysql

It gives below in error:

E1207 04:24:51.103594    4913 factory.go:49] error checking for V2
registry at https://myrepo:5000/v2/: Get https://myrepo:5000/v2/: x509:
certificate signed by unknown authority

Thanks a lot in advance!



_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
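
The namespace handling discussed in this thread (fill in "library" only for Docker Hub, and record whether the pull spec named a namespace), as an added example that is not OpenShift's code and not part of the original messages. ImageRef, ParseRef and NamespaceSet are hypothetical names, and digest references are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is a hypothetical, simplified pull-spec model (tags only, no digests).
type ImageRef struct {
	Registry, Namespace, Name, Tag string
	NamespaceSet                   bool // true only if the pull spec named a namespace
}

// ParseRef splits [registry/][namespace/]name[:tag]; a first segment with '.' or ':' is a registry.
func ParseRef(spec string) (r ImageRef, err error) {
	parts := strings.Split(spec, "/")
	if len(parts) > 1 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		r.Registry, parts = parts[0], parts[1:]
	}
	if len(parts) == 2 {
		r.Namespace, r.NamespaceSet = parts[0], true
	}
	r.Name, r.Tag, _ = strings.Cut(parts[len(parts)-1], ":")
	if len(parts) > 2 || r.Name == "" || (r.NamespaceSet && r.Namespace == "") {
		return r, fmt.Errorf("invalid pull spec %q", spec)
	}
	return r, nil
}

// String adds "library" only for Docker Hub references that had no namespace.
func (r ImageRef) String() string {
	out := r.Name
	if r.NamespaceSet {
		out = r.Namespace + "/" + out
	} else if r.Registry == "" || r.Registry == "docker.io" || r.Registry == "index.docker.io" {
		out = "library/" + out
	}
	if r.Registry != "" {
		out = r.Registry + "/" + out
	}
	if r.Tag != "" {
		out += ":" + r.Tag
	}
	return out
}

func main() {
	r, err := ParseRef("myregistry:5001/openshiftapp:latest")
	fmt.Println(r, err)
}
```

With this model the pull spec from the thread serializes back unchanged, while `centos` still becomes `library/centos`.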





