
Re: pull image from external registries



Hey Cesar, Thanks, it works that way :) but I am wondering, while using "import-image" from an external registry, why "insecure-registry=true" doesn't get added automatically.

I had to add it manually in the image-stream JSON, then it worked.

On Thu, Dec 10, 2015 at 6:23 PM, Cesar Wong <cewong redhat com> wrote:
Hi Priyanka,

So with 1.1 new-app should work as long as your image has a namespace. If it's possible to re-tag your image from myregistry:5001/openshiftapp:latest to something like myregistry:5001/openshift/openshiftapp:latest

Otherwise, you need to edit the image stream and remove the library part. 

Thanks,

Cesar

On Dec 9, 2015, at 11:00 PM, priyanka Gupta <priyanka4openshift gmail com> wrote:

Hi All,

Thanks for the response here, so with external registries is this not tested??

How can I achieve creating an app or importing an image from external registries currently, any suggestions?


Thanks again ! 

On Wed, Dec 9, 2015 at 10:21 PM, Andy Goldstein <agoldste redhat com> wrote:


On Wed, Dec 9, 2015 at 10:09 AM, Maciej Szulik <maszulik redhat com> wrote:


On 12/09/2015 04:04 PM, Andy Goldstein wrote:
The "library" namespace for Docker images is really just a default/fallback
when pulling images from the Docker Hub when you don't specify a namespace;
e.g., `docker pull centos` actually ends up pulling library/centos.
Registry v2 and v2 images no longer require that image repositories contain
2 segments (<namespace>/<repo>). OpenShift's integrated registry, however,
does maintain that requirement, as we use the first segment for the
OpenShift project name.

We need to figure out what the appropriate behavior is with external
registries and single-segment image repository names. For the Hub, we
should probably continue to fill in "library". For other registries, maybe
not filling it in is the right behavior?

The only question that remains is how to distinguish between the two.
Having a flag, Cesar proposed, is one option. Will have a look into it.

Note that an image "foo" could potentially be pulled successfully via Docker and still not come from the Hub, if --add-registry is configured for the daemon. OpenShift has no knowledge of what's in --add-registry, so this is a potential complicating factor.
 

Maciej

On Wed, Dec 9, 2015 at 9:45 AM, Paul Weil <pweil redhat com> wrote:

Including Maciej.  Thoughts on a namespace-included flag?

On Wed, Dec 9, 2015 at 9:35 AM, Cesar Wong <cewong redhat com> wrote:

Hi Priyanka,

The image name containing library is a bug. When we parse the pull spec,
we’ll fill in the namespace with “library” if empty:


https://github.com/openshift/origin/blob/master/pkg/image/api/helper.go#L64

Paul, we should likely include a flag in image.api.DockerImageReference
saying whether a namespace was specified. So we can include the default
namespace only if appropriate when serializing it back out (or leave it
blank and serialize it as “library” only with a flag).

Also in the 1.0.6 case, did you verify that the image stream contains the
insecureRepository annotation? I believe that’s the bug that Maciej fixed
between 1.0.6 and 1.1. (https://github.com/openshift/origin/pull/5574)


On Dec 9, 2015, at 7:00 AM, priyanka Gupta <priyanka4openshift gmail com>
wrote:

Hi Akram,

Thanks, Yes I am following that doc only :( but no luck

Hi Maciej,

Thanks, origin version I am using is "oc v1.0.6", it does have "openshift.io/image.insecureRepository=true"

But it never creates any pod. I have also tried using latest version "oc
v1.1" and noticed it doesn't create any imagestream even with
"--insecure-registry=true" with "new-app".

I also noticed that when I run this command in both versions:

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true -o > json

it contains image name as "image": "myregistry:5001/library/openshift:latest"

Why does it add the library tag?

I tried removing this in version 1.1, then it created pod without any
issue, but with version 1.0.6, it doesn't create any pod after removing
"library" also from deploymentconfig.

Could you please tell me how to reproduce this issue or which version
of origin should I test to use "new-app" and "import-image" from external
docker registry??

Seems each version acts differently.


Thanks a lot again!




On Wed, Dec 9, 2015 at 4:33 PM, Maciej Szulik <maszulik redhat com>
wrote:



On 12/09/2015 07:57 AM, priyanka Gupta wrote:

Hi Akram,
Hi Clayton,

Thanks for your inputs. I was going through openshift docs and it says we
can deploy applications from external or third party registries too.

I have origin v3 server running, and I don't have any imagestream, I want
openshift to create one for me when I use "new-app".


To create app from private registry I am using :

oc new-app  myregistry:5001/openshiftapp:latest --insecure-registry=true


But it doesn't create any successful pod. Below is the output of "oc get
pods"

NAME                 READY     STATUS             RESTARTS   AGE
openshift-1-deploy   1/1       Running            0          9m
openshift-1-zy91l    0/1       ImagePullBackOff   0          9m


In log file it gives:

4132 factory.go:49] error checking for V2 registry at
https://myregistry:5001/v2/: Get https://myregistry:5001/v2/: x509: cannot
validate certificate for myregistry because it doesn't contain any IP SANs


Note: I have already added --insecure-registry in "DOCKER_OPTS" and
restarted docker where node is running and I am also able to pull images
from private registry using docker pull, hence this seems to me an openshift
related issue.



Could you please help me with this?


Thanks in advance!


Hey Priyanka,
First of all, which version of OpenShift are you using? There was a bug
some time ago when new-app didn't pass the insecure-registry flag
properly, fixed in [1]. The log error you've mentioned clearly states
the flag was not applied as an annotation Akram mentioned earlier.
Can you check if it's there by doing oc describe is/name_here?
You should see following entry in the annotation section:

openshift.io/image.insecureRepository=true

Additionally, as you've mentioned, you must allow docker daemon
on a node to access that private registry by adding this flag:
--insecure-registry 172.30.0.0/16 pointing to that private registry
of yours. The annotation is responsible only for reading image
metadata during import. The actual pull of the image still happens
on a node, through docker, which needs that same information about
insecure registry as well.

Maciej


[1]
https://github.com/openshift/origin/commit/9193cadc2e073539c4696a40dc8fa40d7ffb442c





On Mon, Dec 7, 2015 at 10:36 PM, Akram Ben Aissi <
akram benaissi gmail com>
wrote:

Priyanka,


you must use the following option in your ImageStream definition:
openshift.io/image.insecureRepository: "true"

like here:


https://github.com/openshift/training/blob/master/deprecated/beta4/image-streams-rhel7.json

And indeed, that does not bring authentication support. But if your issue
is only due to certificate signing, it should be a way to solve it.

Greetings

On 7 December 2015 at 17:23, priyanka Gupta <
priyanka4openshift gmail com>
wrote:

Hello, is there a way to import images from private external docker
registry using "oc import-image" command?

This works fine with docker hub images, but I need to pull image from
external registry to openshift imagestream using "oc import-image"
command.

How to set authentication to work with this?


Whenever I try to run below command:

oc import-image myrepo:5000/mysql test/mysql

It gives below in error:

E1207 04:24:51.103594    4913 factory.go:49] error checking for V2
registry at https://myrepo:5000/v2/: Get https://myrepo:5000/v2/:
x509: certificate signed by unknown authority

Thanks a lot in advance!



_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
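
Added example (not part of the thread and not OpenShift's own code): a Go version of the behaviour Cesar and Andy discuss, where parsing leaves an unspecified namespace empty and serialization fills in "library" only for the Docker Hub. ImageRef, Parse and the registry-host heuristic are assumptions made for illustration; an empty registry is treated as the Hub, which a daemon-side --add-registry setting could make wrong.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is a hypothetical, simplified pull spec; empty Namespace means none was given.
type ImageRef struct{ Registry, Namespace, Name, Tag string }

// Parse splits [registry/][namespace/]name[:tag]; a first segment with "." or ":" is a host.
func Parse(spec string) (ImageRef, error) {
	var r ImageRef
	parts := strings.Split(spec, "/")
	if len(parts) > 1 && (parts[0] == "localhost" || strings.ContainsAny(parts[0], ".:")) {
		r.Registry, parts = parts[0], parts[1:]
	}
	if len(parts) == 2 {
		r.Namespace = parts[0]
	}
	r.Name, r.Tag, _ = strings.Cut(parts[len(parts)-1], ":")
	if len(parts) > 2 || r.Name == "" {
		return ImageRef{}, fmt.Errorf("unsupported pull spec %q", spec)
	}
	return r, nil
}

// String adds "library" only for the Hub; an empty registry is assumed to mean the Hub.
func (r ImageRef) String() string {
	s := r.Name
	if r.Namespace != "" {
		s = r.Namespace + "/" + s
	} else if r.Registry == "" || r.Registry == "docker.io" || r.Registry == "index.docker.io" {
		s = "library/" + s
	}
	if r.Registry != "" {
		s = r.Registry + "/" + s
	}
	if r.Tag != "" {
		s += ":" + r.Tag
	}
	return s
}

func main() {
	for _, spec := range []string{"centos", "myregistry:5001/openshiftapp:latest"} {
		r, err := Parse(spec)
		fmt.Println(spec, "->", r, err)
	}
}
```

With this split, the single-segment spec from the thread round-trips as myregistry:5001/openshiftapp:latest instead of gaining a library segment, while a bare `centos` still serializes as library/centos.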





