
Re: Deploying Docker registry



Thank you for the response. We are still having issues with the network settings. Thanks in advance for the help.

On Wed, May 11, 2016 at 12:08 PM, Aaron Weitekamp <aweiteka redhat com> wrote:
On Wed, May 11, 2016 at 12:39 PM, David Dimas <david dimas333 gmail com> wrote:
Hi,

I'm doing some integration work with Openshift Origin 1.1.6 and I'm running across this issue (occurs both with a binary built from source and using the binary release):

# oc logs -f dc/docker-registry

F0509 21:10:07.958966       1 deployer.go:70] couldn't get deployment default/docker-registry-1: Get https://172.30.0.1:443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1: dial tcp 172.30.0.1:443: i/o timeout

Unless I'm misinterpreting something, that's a straight up TCP/IP timeout, yet when I use curl against this URL I get this:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot get replicationcontrollers in project \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "docker-registry-1",
    "kind": "replicationcontrollers"
  },
  "code": 403
}

Which I suppose is to be expected since I haven't supplied credentials, but clearly the service is reachable.

An easy unauth'd health check path is curl REGISTRY:5000/healthz

Running the above command:

# curl REGISTRY:5000/healthz

curl: (7) Failed connect to REGISTRY:5000; Connection refused

 
 
I've done nothing in this case but set up docker, run the openshift binary, and attempt to deploy the registry using these commands:

#oc create serviceaccount registry -n default
#oadm policy add-scc-to-user privileged system:serviceaccount:default:registry
#oadm registry --service-account=registry \
              --config=openshift.local.config/master/admin.kubeconfig \
              --credentials=openshift.local.config/master/openshift-registry.kubeconfig \
              --mount-host=/opt/registry



The registry command has been simplified so you shouldn't need to create the sa and update policy. You should be able to run oadm registry --mount-host=/opt/registry and be good to go. That will use a service account in the registry pod. You can get logs from the registry pod:
oc get pods
oc logs <name-of-registry-pod>


Retried with simplified command but still getting the same error.

# oc get pods
NAME                              READY     STATUS    RESTARTS   AGE
docker-registry-1-deploy          0/1       Error     0          19h

# oc logs docker-registry-1-deploy
F0519 19:04:07.442052       1 deployer.go:70] couldn't get deployment default/docker-registry-1: Get https://172.30.0.1:443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1: dial tcp 172.30.0.1:443: i/o timeout

Here is the master-config.yaml

# cat /opt/openshift/openshift.local.config/master/master-config.yaml

admissionConfig:
  pluginConfig: null
apiLevels:
- v1
apiVersion: v1
assetConfig:
  extensionDevelopment: false
  extensionScripts: null
  extensionStylesheets: null
  extensions: null
  loggingPublicURL: ""
  logoutURL: ""
  masterPublicURL: https://104.36.17.74:8443
  metricsPublicURL: ""
  publicURL: https://104.36.17.74:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    namedCertificates: null
    requestTimeoutSeconds: 0
controllerLeaseTTL: 0
controllers: '*'
corsAllowedOrigins:
- 104.36.17.74:8443
- 127.0.0.1
- localhost
disabledFeatures: null
dnsConfig:
  allowRecursiveQueries: false
  bindAddress: 0.0.0.0:53
  bindNetwork: tcp4
etcdClientInfo:
  ca: ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
  - https://104.36.17.74:4001
etcdConfig:
  address: 104.36.17.74:4001
  peerAddress: 104.36.17.74:7001
  peerServingInfo:
    bindAddress: 0.0.0.0:7001
    bindNetwork: tcp4
    certFile: etcd.server.crt
    clientCA: ca.crt
    keyFile: etcd.server.key
    namedCertificates: null
  servingInfo:
    bindAddress: 0.0.0.0:4001
    bindNetwork: tcp4
    certFile: etcd.server.crt
    clientCA: ca.crt
    keyFile: etcd.server.key
    namedCertificates: null
  storageDirectory: /opt/openshift/openshift.local.etcd
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: openshift/origin-${component}:${version}
  latest: false
imagePolicyConfig:
  disableScheduledImport: false
  maxImagesBulkImportedPerRepository: 5
  maxScheduledImageImportsPerMinute: 60
  scheduledImageImportMinimumIntervalSeconds: 900
kind: MasterConfig
kubeletClientInfo:
  ca: ca.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
kubernetesMasterConfig:
  admissionConfig:
    pluginConfig: null
  apiLevels: null
  apiServerArguments: null
  controllerArguments: null
  disabledAPIGroupVersions: {}
  masterCount: 1
  masterIP: 104.36.17.74
  podEvictionTimeout: 5m
  proxyClientInfo:
    certFile: master.proxy-client.crt
    keyFile: master.proxy-client.key
  schedulerConfigFile: ""
  servicesNodePortRange: 30000-32767
  servicesSubnet: 172.30.0.0/16
  staticNodeNames: null
masterClients:
  externalKubernetesKubeConfig: ""
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://104.36.17.74:8443
networkConfig:
  clusterNetworkCIDR: 10.128.0.0/14
  externalIPNetworkCIDRs: null
  hostSubnetLength: 9
  networkPluginName: ""
  serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
  alwaysShowProviderSelection: false
  assetPublicURL: https://104.36.17.74:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: anypassword
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://104.36.17.74:8443
  masterURL: https://104.36.17.74:8443
  sessionConfig:
    sessionMaxAgeSeconds: 300
    sessionName: ssn
    sessionSecretsFile: ""
  templates: null
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 300
pauseControllers: false
policyConfig:
  bootstrapPolicyFile: policy.json
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
  userAgentMatchingConfig:
    defaultRejectionMessage: ""
    deniedClients: null
    requiredClients: null
projectConfig:
  defaultNodeSelector: ""
  projectRequestMessage: ""
  projectRequestTemplate: ""
  securityAllocator:
    mcsAllocatorRange: s0:/2
    mcsLabelsPerProject: 5
    uidAllocatorRange: 1000000000-1999999999/10000
routingConfig:
  subdomain: router.default.svc.cluster.local
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates: null
  requestTimeoutSeconds: 3600


 

--
John
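
Added example, not part of the original thread: a small triage of the two observations quoted above (the deployer pod's `dial tcp ... i/o timeout` and the 403 Status body that curl received for the same URL), checked against the `servicesSubnet` value from the posted master-config.yaml. It assumes the curl was run from the host rather than from inside the pod; the function names and verdict strings are hypothetical, and the inputs are constructed from values quoted in the thread.

```python
import ipaddress
import json
import re

# Inputs constructed from values quoted in the thread (log line, curl body, servicesSubnet).
DEPLOYER_LOG = (
    "F0519 19:04:07.442052       1 deployer.go:70] couldn't get deployment "
    "default/docker-registry-1: Get https://172.30.0.1:443/api/v1/namespaces/default/"
    "replicationcontrollers/docker-registry-1: dial tcp 172.30.0.1:443: i/o timeout"
)
CURL_BODY = '{"kind": "Status", "status": "Failure", "reason": "Forbidden", "code": 403}'
SERVICE_CIDR = "172.30.0.0/16"

# \s* also accepts the "dial tcp172.30.0.1" spelling seen in some archived copies of the log.
DIAL_RE = re.compile(r"dial tcp\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+): (.+?)\s*$")


def parse_dial_error(line):
    """Return (ip, port, error_text) from a Go 'dial tcp' failure, or None."""
    m = DIAL_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def api_status_code(body):
    """Return the code of a Kubernetes Status object, or None if body is not one."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    if isinstance(obj, dict) and obj.get("kind") == "Status":
        return obj.get("code")
    return None


def triage(log_line, curl_body, service_cidr):
    """Classify the failure from the pod's log plus a curl of the same URL (assumed: from the host)."""
    dial = parse_dial_error(log_line)
    if dial is None:
        return "no-dial-error"
    ip, _port, err = dial
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(service_cidr):
        return "target-outside-service-network"
    if "timeout" in err and api_status_code(curl_body) in (401, 403):
        # The API answered and enforced authorization for the curl client, so it is up;
        # what fails is the pod's own path to the service IP.
        return "pod-to-service-ip-path-blocked"
    return "inconclusive"
```

A 401 or 403 Status body means the request reached the API server and was rejected by authentication or authorization, which is a different failure class from the transport-level timeout the pod logged.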

