[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pull image from external registries

On 12/09/2015 04:04 PM, Andy Goldstein wrote:
The "library" namespace for Docker images is really just a default/fallback
when pulling images from the Docker Hub when you don't specify a namespace;
e.g., `docker pull centos` actually ends up pulling library/centos.
Registry v2 and v2 images no longer require that image repositories contain
2 segments (<namespace>/<repo>). OpenShift's integrated registry, however,
does maintain that requirement, as we use the first segment for the
OpenShift project name.

We need to figure out what the appropriate behavior is with external
registries and single-segment image repository names. For the Hub, we
should probably continue to fill in "library". For other registries, maybe
not filling it in is the right behavior?

The only question that remains is how to distinguish between the two.
Having a flag, Cesar proposed, is one option. Will have a look into ti.


On Wed, Dec 9, 2015 at 9:45 AM, Paul Weil <pweil redhat com> wrote:

Including Maciej.  Thoughts on a namespace-included flag?

On Wed, Dec 9, 2015 at 9:35 AM, Cesar Wong <cewong redhat com> wrote:

Hi Priyanka,

The image name containing library is a bug. When we parse the pull spec,
we’ll fill in the namespace with “library” if empty:


Paul, we should likely include a flag in image.api.DockerImageReference
saying whether a namespace was specified. So we can include the default
namespace only if appropriate when serializing it back out (or leave it
blank and serialize it as “library” only with a flag).

Also in the 1.0.6 case, did you verify that the image stream contains the
insecureRepository annotation? I believe that’s the bug that Maciej fixed
between 1.0.6 to 1.1. (https://github.com/openshift/origin/pull/5574)

On Dec 9, 2015, at 7:00 AM, priyanka Gupta <priyanka4openshift gmail com>

Hi Akram,

Thanks, Yes I am following that doc only :( but no luck

Hi Maciej,

Thanks, origin version I am using is "oc v1.0.6" , it does have "


But it never creates any pod. I have also tried using latest version "oc
v1.1" and noticed it doesnt create any imagestream even with
"--insecure-registry=true" with "new-app".

I also noticed that when I run this command in both versions:

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true
-o > json

it contains image name as ""image": "myregistry:5001/*library/*openshift:latest"
, why it adds library tag?

I tried removing this in version 1.1 , then it created pod without any
issue, but with version 1.0.6 , it doesn't create any pod after removing
"library" also from deploymentconfig.

Could you please tell me how to reproduce this issue or which  version
of origin should I test to use "new-app" and "import-image" from external
docker registry??

seems each version acts differently.

Thanks a lot again!

On Wed, Dec 9, 2015 at 4:33 PM, Maciej Szulik <maszulik redhat com>

On 12/09/2015 07:57 AM, priyanka Gupta wrote:

Hi Akram,
Hi Clayton,

Thanks four your inputs. I was going through openshift docs and it says
can deploy applications from external or third party registries too.

I have origin v3 server running, and I dont have any imagestream, I want
openshift to create one for me when I use "new-app".

To create app from private registry I am using :

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true

But it doesnt create any successful pod. Below is the output of "oc get

*NAME                 READY     STATUS             RESTARTS   AGE*
*openshift-1-deploy   1/1       Running            0          9m*
*openshift-1-zy91l    0/1       ImagePullBackOff   0          9m*

In log file is gives:

*   4132 factory.go:49] error checking for V2 registry at
https://myregistry:5001/v2/ <https://myregistry:5001/v2/>: Get
https://myregistry:5001/v2/ <https://myregistry:5001/v2/>: x509: cannot
validate certificate for myregistry because it doesn't contain any IP

Note: I have already already added --insecure-registry in "DOKER_OPTS"
restarted docker where node is running and I am also able to pull images
from private registry using docker pull, hence this seems to me
related issue.

Could you please help me with this?

Thanks in advance!

Hey Priyanka,
First of all, which version of OpenShift you're using? There was a bug
some time ago when new-app didn't pass the insecure-registry flag
properly, fixed in [1]. The log error you've mentioned, clearly states
the flag was not applied as an annotation Akarm mentioned earlier.
Can you check if it's there by doing oc describe is/name_here?
You should see following entry in the annotation section:


Additionally, as you've mentioned, you must allow docker daemon
on a node to access that private registry by adding this flag:
--insecure-registry pointing to that private registry
of yours. The annotation is responsible only for reading image
metadata during import. The actual pull of the image still happens
on a node, through docker, which needs that same information about
insecure registry as well.



On Mon, Dec 7, 2015 at 10:36 PM, Akram Ben Aissi <
akram benaissi gmail com>


you must use the following option in your ImageStream definition:
openshift.io/image.insecureRepository: "true"

like here:


And indeed, that does not bring authentication support. But if your
is only due to certificate signing, it should be a way to solve it.


On 7 December 2015 at 17:23, priyanka Gupta <
priyanka4openshift gmail com>

hello , is there a way to import images from private external docker
registry using "oc import-image" command.

This works fine with docker hub images, but I need to pull image from
external registry to openshift imagestream using "oc import-image"

how to set authentication to work with this?

whenever I try to run below  command:

oc import-image myrepo:5000/mysql test/mysql

It gives below in error:

E1207 04:24:51.103594    4913 factory.go:49] error checking for V2
registry at https://myrepo:5000/v2/: Get https://myrepo:5000/v2/:
certificate signed by unknown authority

Thanks a lot in advance!

dev mailing list
dev lists openshift redhat com

dev mailing list
dev lists openshift redhat com

dev mailing list
dev lists openshift redhat com

dev mailing list
dev lists openshift redhat com

dev mailing list
dev lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]