[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Pulling image from Google Cloud Registry failing with 403



It's Origin 1.2.1.

Interesting entries in the node's /var/log/messages are:
------------------------------------------------------------------->
docker-current: msg="Handler for GET /images/eu.gcr.io/vb-europe
  /graylog-stack-deployer:latest/json returned error: No such image:
  eu.gcr.io/vb-europe/graylog-stack-deployer:latest"

origin-node: Pulling image eu.gcr.io/vb-europe/graylog-stack-
  deployer:latest without credentials

origin-node: Error syncing pod [..], skipping: failed to
  "StartContainer" for "deployer" with ErrImagePull: "image pull failed
  for eu.gcr.io/vb-europe/graylog-stack-deployer:latest,
  this may be because there are no credentials on this request.
  details: (Error: Status 403 trying to pull repository
  vb-europe/graylog-stack-deployer: \"Unable to access the repository:
  vb-europe/graylog-stack-deployer;
  please verify that it exists and you have permission to access it (no
  valid credential was supplied).\")"

docker-current: level=error msg="Handler for GET /images/eu.gcr.io
  /vb-europe/graylog-stack-deployer:latest/json returned error: No such
  image: eu.gcr.io/vb-europe/graylog-stack-deployer:latest"

origin-node: Error syncing pod [..], skipping: failed to
  "StartContainer" for "deployer" with ImagePullBackOff: "Back-off
  pulling image \"eu.gcr.io/vb-europe/graylog-stack-deployer:latest\""
<----------------------------------------------------------------------

'without credentials' seems to indicate that the google-cloud-registry
secret isn't used at all?

I've double checked that the google-cloud-registry secret exists in projects 'default', 'openshift' and 'logging' ('logging' being the one the pod is being created in).


Andre






On 2016-09-13 16:15, Clayton Coleman wrote:
What version of OpenShift?  What you pasted looks correct:

1. Generate secret with the right server name
2. Add pull secret to all of the service accounts that will be pulling
the image
3. Launch pod

You may want to look at the docker log and verify that what it is trying
to pull looks correct.  It's always possible there's a subtle bug though
in how this is being checked, so may need to have you turn on debug
logging on your node so we can investigate.

On Tue, Sep 13, 2016 at 5:57 AM, Andre Esser <andre esser voidbridge com
<mailto:andre esser voidbridge com>> wrote:

    Hi,

    I'm trying to pull an image from the Google Cloud Registry from within
    a pod definition. My JSON file seems to be fine:
    ------------------------------------------------------------------->
    $ docker login -u _json_key -p "$(cat google-cloud-registry.json)" \
      https://eu.gcr.io
    Login Succeeded
    $ docker pull eu.gcr.io/vb-europe/graylog-stack-deployer:latest
    <http://eu.gcr.io/vb-europe/graylog-stack-deployer:latest>
    latest: Pulling from vb-europe/graylog-stack-deployer
    [...]
    Status: Downloaded newer image for
    eu.gcr.io/vb-europe/graylog-stack-\
    <http://eu.gcr.io/vb-europe/graylog-stack-%5C>
    deployer:latest
    <-------------------------------------------------------------------

    I create the corresponding secret with:
    ------------------------------------------------------------------->
    $ oc -n default secrets new-dockercfg google-cloud-registry \
      --docker-server=eu.gcr.io <http://eu.gcr.io>
    --docker-username=_json_key \
      --docker-password="$(cat google-cloud-registry.json)" \
      --docker-email="docker-registry-pull vb-europe iam \
      gserviceaccount.com <http://gserviceaccount.com>"
    secret/google-cloud-registry
    <-------------------------------------------------------------------

    and add it to the service accounts:
    ------------------------------------------------------------------->
    $ oc secrets add serviceaccount/default \
      secrets/google-cloud-registry --for=pull
    $ oc secrets add serviceaccount/builder \
      secrets/google-cloud-registry
    <-------------------------------------------------------------------

    The corresponding pod definition contains:
    ------------------------------------------------------------------->
    [...]
              containers:
                -
                  name: "deployer"
                  image:
    "eu.gcr.io/vb-europe/graylog-stack-deployer:latest
    <http://eu.gcr.io/vb-europe/graylog-stack-deployer:latest>"
                  imagePullPolicy: "Always"
                  env:
    [...]
    <-------------------------------------------------------------------

    However when I try to create the container I get:
    ------------------------------------------------------------------->
    Failed to pull image "eu.gcr.io/vb-europe/graylog-stack-
    <http://eu.gcr.io/vb-europe/graylog-stack->
    deployer:latest": image pull failed for eu.gcr.io/vb-europe/graylog-
    <http://eu.gcr.io/vb-europe/graylog->
    stack-deployer:latest, this may be because there are no credentials on
    this request. details: (Error: Status 403 trying to pull repository
    vb-europe/graylog-stack-deployer: "Unable to access the repository:
    vb-europe/graylog-stack-deployer; please verify that it exists and you
    have permission to access it (no valid credential was supplied).")
    <------------------------------------------------------------------

    What am I missing?


    Cheers,

    Andre
    --
    Andre Esser, IT Manager
    Voidbridge Software Ltd

    _______________________________________________
    users mailing list
    users lists openshift redhat com
    <mailto:users lists openshift redhat com>
    http://lists.openshift.redhat.com/openshiftmm/listinfo/users
    <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]