
Re: Pulling image from Google Cloud Registry failing with 403



> On Sep 13, 2016, at 1:18 PM, Andre Esser <andre esser voidbridge com> wrote:
>
> It's Origin 1.2.1.
>
> Interesting entries in the node's /var/log/messages are:
> ------------------------------------------------------------------->
> docker-current: msg="Handler for GET /images/eu.gcr.io/vb-europe
>  /graylog-stack-deployer:latest/json returned error: No such image:
>  eu.gcr.io/vb-europe/graylog-stack-deployer:latest"
>
> origin-node: Pulling image eu.gcr.io/vb-europe/graylog-stack-
>  deployer:latest without credentials
>
> origin-node: Error syncing pod [..], skipping: failed to
>  "StartContainer" for "deployer" with ErrImagePull: "image pull failed
>  for eu.gcr.io/vb-europe/graylog-stack-deployer:latest,
>  this may be because there are no credentials on this request.
>  details: (Error: Status 403 trying to pull repository
>  vb-europe/graylog-stack-deployer: \"Unable to access the repository:
>  vb-europe/graylog-stack-deployer;
>  please verify that it exists and you have permission to access it (no
>  valid credential was supplied).\")"
>
> docker-current: level=error msg="Handler for GET /images/eu.gcr.io
>  /vb-europe/graylog-stack-deployer:latest/json returned error: No such
>  image: eu.gcr.io/vb-europe/graylog-stack-deployer:latest"
>
> origin-node: Error syncing pod [..], skipping: failed to
>  "StartContainer" for "deployer" with ImagePullBackOff: "Back-off
>  pulling image \"eu.gcr.io/vb-europe/graylog-stack-deployer:latest\""
> <----------------------------------------------------------------------
>
> 'without credentials' seems to indicate that the google-cloud-registry
> secret isn't used at all?


Yeah.  Can you double check that your created pod and service account
names (and the linked secret names) all line up?

Also, this could be the docker v1 issue where the credential was
skipped because of a bug in how it handled names.  I'll try to look up
the issue and see whether we had a recommendation on a fix.


>
> I've double checked that the google-cloud-registry secret exists in projects 'default', 'openshift' and 'logging' ('logging' being the one the pod is being created in).


T


>
>
> Andre
>
>
>
>
>
>
>> On 2016-09-13 16:15, Clayton Coleman wrote:
>> What version of OpenShift?  What you pasted looks correct:
>>
>> 1. Generate secret with the right server name
>> 2. Add pull secret to all of the service accounts that will be pulling
>> the image
>> 3. Launch pod
>>
>> You may want to look at the docker log and verify that what it is trying
>> to pull looks correct.  It's always possible there's a subtle bug though
>> in how this is being checked, so may need to have you turn on debug
>> logging on your node so we can investigate.
>>
>> On Tue, Sep 13, 2016 at 5:57 AM, Andre Esser <andre esser voidbridge com> wrote:
>>
>>    Hi,
>>
>>    I'm trying to pull an image from the Google Cloud Registry from within
>>    a pod definition. My JSON file seems to be fine:
>>    ------------------------------------------------------------------->
>>    $ docker login -u _json_key -p "$(cat google-cloud-registry.json)" \
>>      https://eu.gcr.io
>>    Login Succeeded
>>    $ docker pull eu.gcr.io/vb-europe/graylog-stack-deployer:latest
>>    latest: Pulling from vb-europe/graylog-stack-deployer
>>    [...]
>>    Status: Downloaded newer image for
>>    eu.gcr.io/vb-europe/graylog-stack-\
>>    deployer:latest
>>    <-------------------------------------------------------------------
>>
>>    I create the corresponding secret with:
>>    ------------------------------------------------------------------->
>>    $ oc -n default secrets new-dockercfg google-cloud-registry \
>>      --docker-server=eu.gcr.io --docker-username=_json_key \
>>      --docker-password="$(cat google-cloud-registry.json)" \
>>      --docker-email="docker-registry-pull vb-europe iam \
>>      gserviceaccount.com"
>>    secret/google-cloud-registry
>>    <-------------------------------------------------------------------
>>
>>    and add it to the service accounts:
>>    ------------------------------------------------------------------->
>>    $ oc secrets add serviceaccount/default \
>>      secrets/google-cloud-registry --for=pull
>>    $ oc secrets add serviceaccount/builder \
>>      secrets/google-cloud-registry
>>    <-------------------------------------------------------------------
>>
>>    The corresponding pod definition contains:
>>    ------------------------------------------------------------------->
>>    [...]
>>              containers:
>>                -
>>                  name: "deployer"
>>                  image: "eu.gcr.io/vb-europe/graylog-stack-deployer:latest"
>>                  imagePullPolicy: "Always"
>>                  env:
>>    [...]
>>    <-------------------------------------------------------------------
>>
>>    However when I try to create the container I get:
>>    ------------------------------------------------------------------->
>>    Failed to pull image "eu.gcr.io/vb-europe/graylog-stack-
>>    deployer:latest": image pull failed for eu.gcr.io/vb-europe/graylog-
>>    stack-deployer:latest, this may be because there are no credentials on
>>    this request. details: (Error: Status 403 trying to pull repository
>>    vb-europe/graylog-stack-deployer: "Unable to access the repository:
>>    vb-europe/graylog-stack-deployer; please verify that it exists and you
>>    have permission to access it (no valid credential was supplied).")
>>    <------------------------------------------------------------------
>>
>>    What am I missing?
>>
>>
>>    Cheers,
>>
>>    Andre
>>    --
>>    Andre Esser, IT Manager
>>    Voidbridge Software Ltd
>>
>>
>>
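
An added example, not part of the original thread or of OpenShift's own code: one way to check that the pod, service account and linked secret names "all line up", run here over constructed objects shaped like `oc get ... -o json` output. It assumes the usual rules that a pull secret is resolved in the pod's own namespace and that pod-level `imagePullSecrets` take precedence over the service account's; comparing bare registry host names is a simplification, and the function names and sample data are hypothetical.

```python
import base64, json

def registry_host(image):
    """Registry host of an image reference; docker.io when none is given."""
    first, _, rest = image.partition("/")
    return first if rest and ("." in first or ":" in first) else "docker.io"

def secret_servers(secret):
    """Bare host names covered by a dockercfg or dockerconfigjson secret."""
    data = secret["data"]
    if ".dockercfg" in data:
        cfg = json.loads(base64.b64decode(data[".dockercfg"]))
    else:
        cfg = json.loads(base64.b64decode(data[".dockerconfigjson"]))["auths"]
    return {s.split("://", 1)[-1].split("/", 1)[0] for s in cfg}

def check_pull(pod, service_accounts, secrets):
    """List reasons this pod's images would be pulled without credentials."""
    ns = pod["metadata"]["namespace"]
    sa_name = pod["spec"].get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name))
    if sa is None:
        return [f"service account {ns}/{sa_name} does not exist"]
    # Pod-level pull secrets win; otherwise the service account's are used.
    refs = pod["spec"].get("imagePullSecrets") or sa.get("imagePullSecrets", [])
    problems, covered = [], set()
    for ref in refs:
        secret = secrets.get((ns, ref["name"]))  # looked up in the pod's namespace
        if secret is None:
            problems.append(f"secret {ref['name']} is linked but absent from {ns}")
        else:
            covered |= secret_servers(secret)
    for c in pod["spec"]["containers"]:
        host = registry_host(c["image"])
        if host not in covered:
            problems.append(f"{c['name']}: no pull secret for {host} via {ns}/{sa_name}")
    return problems

# Constructed sample objects, shaped like `oc get ... -o json` output.
def _secret(server):
    cfg = {server: {"username": "_json_key", "password": "PLACEHOLDER", "email": "x"}}
    return {"data": {".dockercfg": base64.b64encode(json.dumps(cfg).encode()).decode()}}
POD = {"metadata": {"namespace": "logging"}, "spec": {"containers": [
    {"name": "deployer", "image": "eu.gcr.io/vb-europe/graylog-stack-deployer:latest"}]}}
# The secret exists in both projects but is linked only in 'default'.
SECRETS = {(ns, "google-cloud-registry"): _secret("eu.gcr.io") for ns in ("default", "logging")}
ACCOUNTS = {("default", "default"): {"imagePullSecrets": [{"name": "google-cloud-registry"}]},
            ("logging", "default"): {}}
if __name__ == "__main__":
    print(check_pull(POD, ACCOUNTS, SECRETS))
```

With the constructed data the secret is present in `logging` but linked to no service account there, so the check reports the image as having no usable credential.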

