[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Problem authenticating to private docker registry



Maciej,

In this case, Tony is trying to connect to the OpenShift registry, so the secret should exist; the dockercfg secret for the project's default service account. 

Tony, two things that may be your issue:

1) You're using a route for your registry (docker-lab.example.net). The dockercfg secret will likely only have an entry for the ip address of the registry and not the route. (Maciej, maybe you know of a way to get the secrets to include an entry for the host of the route). Otherwise, you're better off specifying the service ip when invoking new-app.

You can check what hosts are included in the dockercfg secret by doing 'oc describe secret/default-dockercfg-XXXX' where XXXX is whatever suffix is used in your project.

2) The image ref that you're using in your new-app invocation doesn't include a namespace. All images on the OpenShift registry will have a namespace and name like:
 [registry-host]:[port]/projectname/testwebapp:latest. Make sure you have the full spec for the image (from 'oc get is').

On Aug 10, 2016, at 5:44 AM, Maciej Szulik <maszulik redhat com> wrote:

to setup the secret in the same project your ImageStream is created and then re-import the image.
During import proper secrets will be picked automatically based on the urls of the registry and your image metadata
should be downloaded to the server. This will handle the import part, now for actually using an image from private
registry you need to follow this: https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries

Hope that helps,
Maciej

On Tue, Aug 9, 2016 at 4:00 PM, Tony Saxon <tony saxon gmail com> wrote:
I'm not sure what I'm missing here. I have a private docker registry that is set up securely and uses authentication. I followed the docs at https://docs.openshift.org/latest/dev_guide/managing_images.html#using-image-pull-secrets to create the secret with the username and password to authenticate with the docker registry. I verified that I can manually login to the docker registry from the master and the nodes. However, when I go to deploy a new app based on an image from the docker registry it seem to be failing to authenticate. The command that I'm running to create the new app:

oc new-app docker-lab.example.net:5000/testwebapp:latest

It creates the imagestream and attempts to deploy the pod. I get the following in the logs on the pod:

# oc logs testwebapp-1-us1wu
Error from server: container "testwebapp" in pod "testwebapp-1-us1wu" is waiting to start: image can't be pulled

The logs on the docker registry show:

time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=f5aeb8b9-ce4e-41b7-86a8-76e8c520bd22 http.request.method=GET http.request.remoteaddr="192.168.122.158:54436" http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 version=v2.5.0
192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
time="2016-08-09T13:54:45Z" level=error msg="response completed with error" auth.user.name=tsaxon err.code="manifest unknown" err.detail="unknown manifest name=testwebapp revision=sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" err.message="manifest unknown" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=130a9014-7c19-48f7-bef3-2b8cfe0470a0 http.request.method=GET http.request.remoteaddr="192.168.122.158:54438" http.request.uri="/v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=6.174905ms http.response.status=404 http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=0185e07b-f1c1-48e6-91ea-dede2339f087 http.request.method=GET http.request.remoteaddr="192.168.122.158:54440" http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 version=v2.5.0
192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
time="2016-08-09T13:54:46Z" level=error msg="response completed with error" auth.user.name=tsaxon err.code="manifest unknown" err.detail="unknown manifest name=testwebapp revision=sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" err.message="manifest unknown" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=c1ab0cd7-42ac-4fef-b2c4-0f451976e302 http.request.method=GET http.request.remoteaddr="192.168.122.158:54442" http.request.uri="/v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=6.28913ms http.response.status=404 http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
192.168.122.158 - - [09/Aug/2016:13:54:46 +0000] "GET /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"

Here are the service accounts showing that they have the image pull secret added (docker-lab):

[root os-master ~]# oc get serviceaccounts
NAME       SECRETS   AGE
builder    3         21h
default    2         21h
deployer   3         21h
[root os-master ~]# oc describe serviceaccounts default
Name:           default
Namespace:      testwebapp
Labels:         <none>

Image pull secrets:     default-dockercfg-pfota
                        eip-docker
                        docker-lab

Mountable secrets:      default-token-xffu5
                        default-dockercfg-pfota

Tokens:                 default-token-vbcmc
                        default-token-xffu5



[root os-master ~]# oc describe serviceaccounts builder
Name:           builder
Namespace:      testwebapp
Labels:         <none>

Image pull secrets:     builder-dockercfg-7bjoo
                        docker-lab

Mountable secrets:      builder-token-wf31u
                        builder-dockercfg-7bjoo
                        eip-docker

Tokens:                 builder-token-gi9o9
                        builder-token-wf31u



[root os-master ~]# oc describe serviceaccounts deployer
Name:           deployer
Namespace:      testwebapp
Labels:         <none>

Image pull secrets:     deployer-dockercfg-lfiuw
                        docker-lab

Mountable secrets:      deployer-token-9euo2
                        deployer-dockercfg-lfiuw
                        eip-docker

Tokens:                 deployer-token-9euo2
                        deployer-token-mq6vw


Not sure what I could be missing.

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]